PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Wed Jun 15, 2005 10:49 am 
Forum Contributor

Joined: Wed Mar 12, 2003 1:52 pm
Posts: 198
Location: IL
OK, so they couldn't actually manipulate stored session data (except if they now have access to webpages that allow them to do so). The data that a hijacker would find in another user's profile on my website is not critically sensitive. But, don't get me wrong, I take the security of that information very seriously. My concern is less about a hijacker finding a user's information than it is about a hijacker manipulating session data to be something it shouldn't be, right before it's stored in the database. Or even a user manipulating their own session data; is that possible?


Example Scenario:
If I have page1.php which calculates $A + $B = $_SESSION['C'], and page2.php puts $_SESSION['C'] in the database, I will not have to worry about $_SESSION['C'] being changed by a hijacker somehow. Right? What I've done in the past is recalculate $A + $B on page2.php, instead of using $_SESSION['C']. But, if storing data in sessions is safe, I want to avoid using up valuable server resources because my calculations are getting much more complicated than $A + $B.

As for the IP checking... what if their IP changes during a session? I believe that is possible.


PostPosted: Wed Jun 15, 2005 12:10 pm 
DevNet Master

Joined: Tue Dec 28, 2004 6:57 pm
Posts: 2745
Location: Tallinn, Estonia
I don't believe it is possible for the user to change the session data, only to steal a user's existing session but not change that user's session information.

I.e. they can't take $_SESSION['value'] that = 1 and change it to $_SESSION['value'] = 2. I really don't believe this is possible.


PostPosted: Wed Jun 15, 2005 2:22 pm 
DevNet Master

Joined: Tue Jan 20, 2004 12:11 am
Posts: 4897
Location: Leuven, Belgium
This is how I build a "fingerprint" of a visitor.

    // get the fingerprint of the user
    function getFingerprint()
    {
        // start from a server-side secret so the hash cannot be reproduced from request headers alone
        $fingerprint = $this->secret;
        if (array_key_exists('HTTP_USER_AGENT', $_SERVER))
        {
            $fingerprint .= $_SERVER['HTTP_USER_AGENT'];
        }
        if (array_key_exists('HTTP_ACCEPT_CHARSET', $_SERVER))
        {
            $fingerprint .= $_SERVER['HTTP_ACCEPT_CHARSET'];
        }
        // bind the fingerprint to the current session id
        $fingerprint .= session_id();
        $fingerprint = md5($fingerprint);
        return $fingerprint;
    }
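One way to put such a fingerprint to use, as an added example that is not the poster's code: a guard that binds a session to the fingerprint on its first request and checks it on every later one, which also covers the page1.php/page2.php scenario asked about earlier in the thread. The constant SESSION_SECRET (standing in for $this->secret), the function names and the 'fp' session key are assumptions.

```php
<?php
// Added example, not the poster's code. SESSION_SECRET stands in for $this->secret.
const SESSION_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-VALUE'; // placeholder, not a real key

function fingerprint(): string
{
    // Same inputs as the posted version. The client IP is deliberately not included:
    // it can change during a legitimate session (mobile networks, proxies).
    $parts = [
        $_SERVER['HTTP_USER_AGENT'] ?? '',
        $_SERVER['HTTP_ACCEPT_CHARSET'] ?? '',
        session_id(),
    ];
    // keyed hash rather than md5(secret . data): the secret is used as the HMAC key
    return hash_hmac('sha256', implode("\0", $parts), SESSION_SECRET);
}

// Call at the top of every page before reading or writing $_SESSION.
function sessionGuard(): void
{
    session_start();
    if (!isset($_SESSION['fp'])) {
        // first request of a new session: discard any id the client supplied
        // (session fixation), then bind the session to this browser's fingerprint
        session_regenerate_id(true);
        $_SESSION['fp'] = fingerprint();   // must be recomputed after any later regenerate
        return;
    }
    if (!hash_equals($_SESSION['fp'], fingerprint())) {
        // a valid session id presented by a different browser: treat as hijacked
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('session check failed');
    }
}

// page1.php: the result is stored server side; the client only ever holds the
// session id cookie, so it cannot edit this value, only present a different id.
function page1Store(int $a, int $b): void
{
    sessionGuard();
    $_SESSION['C'] = $a + $b;
}
// page2.php: reuse the stored value instead of recalculating it
function page2Load(): int
{
    sessionGuard();
    return $_SESSION['C'] ?? 0;
}
```

A login or privilege change should call session_regenerate_id(true) and then refresh $_SESSION['fp'], since the fingerprint includes the session id.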

