Session Security (Continued from post below)

Old 09-05-06, 08:35 AM
nova912's Avatar
nova912 nova912 is offline
Code Guru
 
Join Date: Sep 2004
Location: Traverse City, MI, USA
Posts: 821
Thanks: 0
Thanked 0 Times in 0 Posts
Session Security (Continued from post below)

(I did not want to hijack the post more than I already have =X)

In advance, I'm not "arguing" with you at all; I'm just bouncing some ideas off you. Let that be clear above all.

I don't want to ever start a session off a Cookie.

Mainly because I want to avoid having to worry about cookies being enabled, but also because I feel I can control the application better by passing the session_id along in the URL. Thinking as a hacker/exploiter, I would try to go after the COOKIE from the browser rather than try to get it from the server. I know I have protected myself from these exploits to a degree, but I still think it would be good just to have one more thing a hacker/exploiter would have to do in order to retrieve the session_id and hijack the session.

Now I know that someone could just packet sniff the session_id from the URL (provided that the user is not under SSL), so I added the ip_address & browser_info as additional validation of the user. I figure he will have to at least be on their WAP and be using their exact same browser type & version.

I think I'm just worried that making my application get its SID from the client is not a good idea and it would be better to just delete the session started from the cookie and generate a new session. Maybe I'm too paranoid though.

The session is what allows the user to access the application, but only if the session has the proper validation vars and the vars match the user. If at any point they don't match, or the vars don't exist, or the session_id is not in the URL, the application kicks the user to the login page.

In terms of GC, I'm making the max life 3 hours. I believe that every time this session gets accessed the 3-hour countdown gets renewed. So if I'm not using cookies I "believe" this will work as a way of keeping the session alive. Even if GC runs, the session will not be older than 3 hours and thus will not get deleted. The sessions are stored in a different directory and the MaxLifeTime of all the sessions is the same.

So I'll show you what is working for me at this point in time; let me know if you see areas for improvement. =)

Step 1, Login: login.php
PHP Code:

<?php
// $_SESSION / $_SERVER are used in place of the deprecated $HTTP_SESSION_VARS / $HTTP_SERVER_VARS long arrays.
ini_set('session.gc_maxlifetime', '10800'); // SESSION STAYS ALIVE FOR 3 HOURS

session_save_path($_SERVER['DOCUMENT_ROOT'] . '/../sessions'); // NEW DIRECTORY WHERE SESSIONS WILL BE STORED.
session_start();

if (isset($_SESSION['ip_address']) && isset($_SESSION['browser_info']) && isset($_SESSION['sid']))
    {
    if ($_SESSION['ip_address'] == $_SERVER['REMOTE_ADDR'] &&
        $_SESSION['browser_info'] == $_SERVER['HTTP_USER_AGENT'] &&
        $_SESSION['sid'] == session_id()) // USER IS LOGGING OUT
        {
        session_unset();
        if (isset($_COOKIE[session_name()]))
            {
            setcookie(session_name(), '', time() - 42000, '/'); // expire the session cookie
            }
        session_destroy();
        }
    else
        {
        if (isset($_COOKIE[session_name()]))
            {
            setcookie(session_name(), '', time() - 42000, '/');
            }
        }
    }
else
    {
    session_unset();
    if (isset($_COOKIE[session_name()]))
        {
        setcookie(session_name(), '', time() - 42000, '/');
        }
    session_destroy();
    }
So basically it checks for the vars, then checks to see if it's the user logging out; if it's not the user logging out, then it's a malicious user trying to log in, and the malicious user's cookie is then removed. Then with the "else" it verifies there is no left-over session information: it unsets the session, deletes the cookie that was made on page start and destroys the session.

Step 2, Authentication: autenticate.php (This is only part of the script; it only runs after the user has been authenticated.)
PHP Code:

<?php
// $_SESSION / $_SERVER are used in place of the deprecated $HTTP_SESSION_VARS / $HTTP_SERVER_VARS long arrays.
ini_set('session.gc_maxlifetime', '10800'); // SESSION STAYS ALIVE FOR 3 HOURS

session_save_path($_SERVER['DOCUMENT_ROOT'] . '/../sessions'); // NEW DIRECTORY WHERE SESSIONS WILL BE STORED.
session_start();

if (isset($_SESSION['ip_address']) && isset($_SESSION['browser_info']) && isset($_SESSION['sid'])) // If an existing session is found with validation data.
    {
    if ($_SESSION['ip_address'] == $_SERVER['REMOTE_ADDR'] &&
        $_SESSION['browser_info'] == $_SERVER['HTTP_USER_AGENT'] &&
        $_SESSION['sid'] == session_id()) // if validation data matched the user
        {
        session_unset();
        if (isset($_COOKIE[session_name()]))
            {
            setcookie(session_name(), '', time() - 42000, '/');
            }
        session_destroy();
        session_start();
        if (isset($_COOKIE[session_name()]))
            {
            setcookie(session_name(), '', time() - 42000, '/');
            }
        }
    else // Malicious user is trying to hijack the session: delete his cookie. (This could have more in the way of logging, but I'll add it later.)
        {
        if (isset($_COOKIE[session_name()]))
            {
            setcookie(session_name(), '', time() - 42000, '/');
            }
        }
    }
else // delete the session, start a new session, delete the cookie generated.
    {
    session_unset();
    if (isset($_COOKIE[session_name()]))
        {
        setcookie(session_name(), '', time() - 42000, '/');
        }
    session_destroy();
    session_start();
    if (isset($_COOKIE[session_name()]))
        {
        setcookie(session_name(), '', time() - 42000, '/');
        }
    }
Step 3, Page to Page Authentication and Session Renew
PHP Code:

<?php
// $_GET / $_SESSION / $_SERVER are used in place of the deprecated $HTTP_GET_VARS / $HTTP_SESSION_VARS / $HTTP_SERVER_VARS long arrays.
if (!isset($_GET['sid'])) // Check for the SID in the URL.
    {
    create_box('<font size="3">ADCSM requires you to <b>Log In</b> before accessing this page.</font>', '<b>Error</b>: Login Required', '<center>Redirecting to <b>Log In</b>.</center>', 'red', true, 'login.php', 6);
    }
else
    {
    ini_set('session.gc_maxlifetime', '10800'); // SESSION STAYS ALIVE FOR 3 HOURS
    session_save_path($_SERVER['DOCUMENT_ROOT'] . '/../sessions'); // NEW DIRECTORY WHERE SESSIONS WILL BE STORED.
    session_id($_GET['sid']);
    session_start();

    if (!isset($_SESSION['sid']) || $_GET['sid'] != $_SESSION['sid']) // Check for the session_id var and make sure it has not been corrupted.
        {
        create_box('<font size="3">You have been inactive more than 3 hours.</font>', '<b>Error</b>: Session Inactivity', '<center>Redirecting to <b>Log In</b>.</center>', 'green', true, 'login.php', 6);
        }
    elseif (!isset($_SESSION['ip_address']) || $_SESSION['ip_address'] != $_SERVER['REMOTE_ADDR']) // Check that the user's ip_address matches the address of the user who created the session.
        {
        create_box('<font face="arial" color="red" size="3"><b>Session Hacking Detected</b></font>', '<b>Hacking Attempt</b>', '<center>IP Address (' . $_SERVER['REMOTE_ADDR'] . ') Logged.</center>', 'red', true, 'login.php', 3);
        }
    elseif (!isset($_SESSION['browser_info']) || $_SESSION['browser_info'] != $_SERVER['HTTP_USER_AGENT']) // Check that the user's browser_info matches the browser_info of the user who created the session.
        {
        create_box('<font face="arial" color="red" size="3"><b>Session Hacking Detected</b></font>', '<b>Hacking Attempt</b>', '<center>IP Address (' . $_SERVER['REMOTE_ADDR'] . ') Logged.</center>', 'red', true, 'login.php', 3);
        }
    }
The "create_box()" is a function that will create standardized boxes and will either return the box's HTML code or output an HTML page with the box centered and then kill the script (a self-made error). Any of the errors will send the user back to the login page, where step 1 will take care of resetting the session.

Comments? Concerns? Looking for any and all input.
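As an added example (not code from the post above), here is how the same three checks from Steps 1 to 3 (ip_address, browser_info, sid) and the 3-hour limit look when the session id is carried in an HttpOnly cookie instead of the URL, and the idle timeout is enforced in application code rather than left to garbage collection. session.gc_maxlifetime only makes a stale session file eligible for removal; the collector runs on a request with probability gc_probability/gc_divisor, so a "3 hours" limit is not reliable unless the page checks a last-seen timestamp itself. An id in the URL also ends up in Referer headers, browser history and server logs, which is the usual reason to keep it in a cookie. The adcsm_* function names, the ADCSM_* constants and the `__DIR__ . '/../sessions'` directory are assumptions made for this example; it needs PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie().

```php
<?php
// Added example, not from the forum post: cookie-based session guard with the
// post's three checks and its 3-hour idle limit enforced in code.
// Function names, constants and the sessions directory are assumptions.

const ADCSM_IDLE_LIMIT  = 10800;                      // 3 hours, as in the post
const ADCSM_SESSION_DIR = __DIR__ . '/../sessions';   // same layout as the post

function adcsm_session_start(): void
{
    if (!is_dir(ADCSM_SESSION_DIR)) {
        mkdir(ADCSM_SESSION_DIR, 0700, true);        // keep session files out of the web root
    }
    ini_set('session.gc_maxlifetime', (string) ADCSM_IDLE_LIMIT);
    ini_set('session.use_only_cookies', '1');         // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');          // reject ids the server never issued
    ini_set('session.use_trans_sid', '0');            // don't append the id to links
    session_save_path(ADCSM_SESSION_DIR);

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => $https,     // only sent over TLS when the site is served over TLS
        'httponly' => true,       // not readable from document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, right after the credentials have been verified (the post's Step 2).
function adcsm_session_bind(int $userId): void
{
    session_regenerate_id(true);                      // drop the pre-login id and its file
    $_SESSION['user_id']      = $userId;
    $_SESSION['ip_address']   = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['browser_info'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['sid']          = session_id();
    $_SESSION['last_seen']    = time();
}

// The page-to-page check (the post's Step 3). Returns null when the session is
// good, otherwise a short reason the caller can log and act on.
function adcsm_session_validate(): ?string
{
    foreach (['user_id', 'ip_address', 'browser_info', 'sid', 'last_seen'] as $key) {
        if (!isset($_SESSION[$key])) {
            return 'no_session';
        }
    }
    if ($_SESSION['sid'] !== session_id()) {
        return 'sid_mismatch';
    }
    if (time() - (int) $_SESSION['last_seen'] > ADCSM_IDLE_LIMIT) {
        return 'idle_timeout';                        // enforced here, not by gc
    }
    if ($_SESSION['ip_address'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        return 'ip_mismatch';
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['browser_info'], $ua)) {
        return 'browser_mismatch';
    }
    $_SESSION['last_seen'] = time();                  // renew the 3-hour window
    return null;
}

// Full logout (the post's Step 1): empty the array, expire the cookie with the
// same attributes it was set with, then remove the server-side file.
function adcsm_session_logout(): void
{
    $_SESSION = [];
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage on a protected page: reject, log the reason, and send the user to login.php.
adcsm_session_start();
if (($why = adcsm_session_validate()) !== null) {
    adcsm_session_logout();
    error_log('session rejected: ' . $why . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    header('Location: login.php');
    exit;
}
```

Two practical notes on the checks themselves: the IP comparison logs out legitimate users whose address changes mid-session (mobile networks, load-balanced proxies), so many deployments log an 'ip_mismatch' rather than terminating on it; and the user-agent comparison only raises the bar slightly, since that header is chosen by the client. The idle timeout and session_regenerate_id() on login are the parts that hold up regardless.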
Old 09-05-06, 10:29 AM
nova912's Avatar
nova912 nova912 is offline
Code Guru
 
Join Date: Sep 2004
Location: Traverse City, MI, USA
Posts: 821
Thanks: 0
Thanked 0 Times in 0 Posts
Fixed an error in the login and authentication pages that destroyed an active session just by guessing the number.