Comments on: Secure session management

By: admin

admin — Fri, 23 Jan 2009 01:44:07 +0000

Thanks Rob,

Yeah I’ve just updated this so that it now includes a timeout. If you set the timeout to 0, then there will not be a timeout, but if you specify a number greater than 0 then it will specify the minutes before the session will timeout. This now checks, IP, Client data, referring page (if it exists) and now timeout.

By: Rob

Rob — Tue, 20 Jan 2009 21:44:05 +0000

So the session will only fail if the end user changes web browser or ip address? Can we add a timeout to the code?

By: Rhys

Rhys — Mon, 19 Jan 2009 06:58:18 +0000

hacking tutorial…

I can’t believe I missed this! I’m going to have to do some more reading me thinks….

By: contact management database

contact management database — Wed, 14 Jan 2009 12:20:28 +0000

contact management database…

Well spoken. I have to research more on this as it is really vital info….

By: admin

admin — Tue, 06 Jan 2009 20:06:18 +0000

That section of the code checks to make sure that the session is valid. It’s broken up into a few parts. First, it makes sure that ’ss_fprint’ does exist and that ’ss_fprint’ equals the current browser ‘finger print’. ’ss_fprint’ is the session variable that was initially set and contains the session fingerprint at the time of login (so we know that was the valid user). Over time, session fixation may take place and we need to make sure that we keep checking to make sure that the browser version, operating system and ip address remain the same otherwise this may be a hacker. Next we have the shorthand if statement (in case you don’t know http://snippets.dzone.com/posts/show/76) in which we make sure that we are referring from the same domain. ‘HTTP_REFERER’ is sent from the browser and can be spoofed. Sometimes it isn’t even sent from the browser so this if statement checks to see if ‘HTTP_REFERER’ has been sent by the browser and if it has, make sure that it is the same domain (’HTTP_HOST’).

By: Obi

Obi — Tue, 06 Jan 2009 16:35:19 +0000

Exuse me, but I can’t understand this function:

return (isset($_SESSION['ss_fprint'])
&& $_SESSION['ss_fprint'] == self::_Fingerprint() && ($_SERVER['HTTP_REFFERER'] != ” ? (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) !== false ? true : false) : true));

it means this?

if (isset($_SESSION['ss_fprint'] && $_SESSION['ss_fprint'] == self::_Fingerprint() && $_SERVER['HTTP_REFFERER'] != ”)
{
if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) !== false)
{
return true;
}
else
{
return false;
}
}
else
{
return true;
}

Many thanks

By: admin

admin — Mon, 05 Jan 2009 20:44:50 +0000

Thanks for catching that pipu. I pulled this from my personal framework and I have another class that gets the IP address, but this is definitely what should have been included in this particular class.

By: pipu

pipu — Mon, 05 Jan 2009 20:33:27 +0000

Hi, nice work! the answer is not the constats class, but the config.

I think yo can use $_SERVER['REMOTE_ADDR'] instead of constants::Client_IP()

like this

$blocks = explode(’.’, $_SERVER['REMOTE_ADDR']);

By: admin

admin — Fri, 02 Jan 2009 02:24:36 +0000

Hi Max,

Sorry I’ve been on vacation and havn’t had a chance to answer. The config class would be included in the main script and would include the following class:

class config
{
// Session Settings
Const check_browser = true;
Const check_ip_blocks = 4;
Const session_salt = ’secure’;
Const regenerate_id = true;
}

This will check all four IP blocks (assuming your running IP4 and not IP6). If you put 0 then it will not check IP blocks, but this is definitely a much more secure session handler than the default.

By: Max

Max — Mon, 29 Dec 2008 17:35:44 +0000

Hi,

Nice work
I have a question: Where is the constants class ?

$blocks = explode(’.', constants::Client_IP());

cya, Max