cacti
+ Reply to Thread
Results 1 to 5 of 5

Thread: Secure Session Control

  1. #1
    Join Date
    Jan 2005
    Posts
    623

    Secure Session Control

    ******* Session Control

    This will be a short tutorial on creating and maintaining a secure session. If you put a little thought into what a Session is, you can easily implement your own way of protecting it & actually use sessions to your advantage. For those of you who do not understand what a session is, think of it as an instant database that is created for you to store values in (such as items added to a shopping cart). In php you can create a session by simply calling the function session_start(). You must call this function before any output is displayed to the browser so its a good idea to include your session control at the top of every page.
    Code:
    <? include("session_controller.php"); ?>
    
    <html>
    	<body>
    	<p>Hello</p>
    	</body>
    </html>
    When a session is created it is given a randomly generated identifier. This identifier, which is stored in the form of a cookie on the users machine, talks to the server to add, update, & delete values stored in the session.

    You can create a session variable by:
    Code:
    $_SESSION['variable_name_goes_here']= "Storing this text in your session!";
    From now on when you call $_SESSION['variable_name_goes_here'] it will have the text "Storing this text in your session!" stored in it. You can delete this session variable by using the unset() function. Once you unset($_SESSION['variable_name_goes_here']) it will no longer exist as part of your session.

    Another important thing about sessions is how to destroy them. You can simply do this by using the session_destroy() function. NOTE: This does not destroy session variables! They must be unset().

    So how can you apply this information to make a session secure? Well you need to think about three things that are going to be unique when a session is created.

    *. The exact time the session is created in hours,minutes,seconds: date('ymdHis')
    2. The browser the visitor is using: $_SERVER['HTTP_USER_AGENT']
    *. The ip address of the visitor: $_SERVER['REMOTE_ADDR']

    Now that we have these three values what can we do with them? MD5 hash them into one value that is unique to the visitor. This will give the current visitor and id that uniquely identifies and validates their session.

    Are we finished? NOOO! We are still not ******* from session hijacking. A cookie monster might come along and steal your cookie and try to pass as your id to hijack your session. This code will do a pretty good job of protecting you from getting hijacked. There is still a change that the person trying to hijack your session has the exact IP & Browser as you. Since I do not know enough javascript, I can not write the code to grab the local ip of the user, but if I could the session would be just about unhijackable (if that was a word).

    Here is the code to secure your session from being hijacked:
    Code:
    session_start();
    
    function build_session()
    {
    	$new_time=date('ymdHis');
    	$new_brow=$_SERVER['HTTP_USER_AGENT'];
    	$new_ipad=$_SERVER['REMOTE_ADDR'];
    	$new_code=md5($new_time . $new_brow . $new_ipad) . "HashGuessing";
    		
    	$_SESSION['entrytime']=$new_time;
    	$_SESSION['hash']=$new_code;
    	$_SESSION['login']=*;
    }
    
    function validate_session(){
    	if(!(isset($_SESSION['entrytime']))){
    		return(0);	
    	}
    	else{
    		$new_time=$_SESSION['entrytime'];
    		$new_brow=$_SERVER['HTTP_USER_AGENT'];
    		$new_ipad=$_SERVER['REMOTE_ADDR'];
    		$new_code=md5($new_time . $new_brow . $new_ipad) . "HashGuessing";
    		
    		if($new_code!=$_SESSION['hash']){
    			return(0);
    		}
    		else{ return(*); } 
    	}
    }
    Here is my login function I created to go along with my session validation:
    Code:
    function login_control(){
    	if(isset($_SESSION['login']) && $_SESSION['login']==*){
    		if(isset($_GET['logout'])){
    			session_destroy();
    			return(0);					// YOU ARE NOW LOGGED OUT
    		}
    		else if(validate_session()){
    			return(*);					// SESSION IS VALID AND USER LOGGED IN
    		}
    	}else if(isset($_POST['u']) && isset($_POST['p'])){
    	
    		if(!(validate_login())){
    			return(2);					// INVALID USERNAME AND PASSWORD
    		}else{
    			return(*);					// VALID USERNAME AND PASSWORD
    		}
    	}else{
    		session_destroy();					// NOT LOGGED IN
    		return(4);
    	}
    }
    For those of you who like to use <BASE href="http://www.syntax******.info/"> for easy navigation I created a function in PHP to do the same thing. I think it makes path navigation easier:
    Code:
    	$url=$_SERVER["PHP_SELF"];
    	$forward_slash_count=strlen($url)-strlen(str_replace("/","",$url));
    	
    	$path= NULL;
    	$path_replace="../";
    	
    	while($forward_slash_count-*>0){
    		$path .= $path_replace;
    		$forward_slash_count--;
    	}
    	$_SESSION['path']=$path;
    This is my first tutorial, so I hope it was written in a clear manner and has helped you better understand the nature of sessions.

    Til next time,

    SyntaX
    Last edited by SyntaXmasteR; 08-22-2007 at 02:35 PM.
    [url=http://www.syntax******.info/tools/services.php]Speed Up Windows XP[/url]
    [url=http://www.syntax******.info/tools/ip.php]Get An Ip Address[/url]
    [url=http://www.syntax******.info/tools/base_converter.php]Base Converter[/url]
    --------------------------------
    [URL=http://www.boninroad.com/syntax******/]Old Site[/URL]
    [URL=http://www.syntax******.info]Comming Soon[/URL]

  2. #2
    Join Date
    Sep 2005
    Posts
    2,050
    Awesome tutorial.

    I've always wanted to implement PHP's session functionality on my site, but I wrote my own system entirely from scratch. Huge waste of time I guess.

    Shall we sticky threads like this and let the bullshit drop away?

  3. #3
    Join Date
    Jan 2005
    Posts
    623
    A sticky would be nice, but I would like to make sure my code is completely *******. I wrote everything from scratch, so I would like a few php coders to double check my wording and code for possible flaws.

    Do you know how to grab a local IP using Javascript? I want to add this to my code to fully validate the user.
    Last edited by SyntaXmasteR; 08-22-2007 at 02:39 PM.
    [url=http://www.syntax******.info/tools/services.php]Speed Up Windows XP[/url]
    [url=http://www.syntax******.info/tools/ip.php]Get An Ip Address[/url]
    [url=http://www.syntax******.info/tools/base_converter.php]Base Converter[/url]
    --------------------------------
    [URL=http://www.boninroad.com/syntax******/]Old Site[/URL]
    [URL=http://www.syntax******.info]Comming Soon[/URL]

  4. #4
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by SyntaX****** View Post
    Do you know how to grab a local IP using Javascript? I want to add this to my code to fully validate the user.
    I'm pretty sure you can't do this, although you could make an xmlhttp request to the server, then the server replies with the user's IP address.

    Never trust browsers for security though.

    I'm gonna sticky all the good threads.

  5. #5
    Join Date
    Jan 2005
    Posts
    623
    [url=http://www.syntax******.info/scripts/secure_session_control.php]UPDATED - Secure Session Control Tutorial[/url]
    I added diagrams and tried to clean up some of the jargon and simplify everything by giving more examples.
    Last edited by Ezekiel; 04-11-2009 at 03:45 PM.
    [url=http://www.syntax******.info/tools/services.php]Speed Up Windows XP[/url]
    [url=http://www.syntax******.info/tools/ip.php]Get An Ip Address[/url]
    [url=http://www.syntax******.info/tools/base_converter.php]Base Converter[/url]
    --------------------------------
    [URL=http://www.boninroad.com/syntax******/]Old Site[/URL]
    [URL=http://www.syntax******.info]Comming Soon[/URL]

+ Reply to Thread

Similar Threads

  1. Computer Control
    By EyeSpy in forum General discussion
    Replies: 2
    Last Post: 11-22-2008, 05:21 PM
  2. Session Hijacing Theory
    By Moonbat in forum Internet Privacy
    Replies: 23
    Last Post: 11-16-2007, 05:19 PM
  3. Help with Anyplace Control
    By weenis223 in forum Programming
    Replies: 0
    Last Post: 07-31-2007, 04:53 PM
  4. I'm so nasty. Trojan session
    By stevef22 in forum Viruses and Trojans
    Replies: 1
    Last Post: 09-13-2006, 08:21 AM
  5. How to have total control to other pc?!
    By Losing_grip in forum Viruses and Trojans
    Replies: 3
    Last Post: 03-07-2006, 07:15 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts