Relatively Secure Session Management System for PHP





imagefree
I was looking for ways to protect my website from a series of attacks launched against sessions that result in loss of personal information of website users. You can read more about these attacks at Session Fixation, Hijacking Attacks and Session Vulnerability on shared hosts.

After reading a lot, I came to a solution that relying just on PHP's built-in support for sessions is not enough, and you have to apply some extra security measures to secure your user data stored in sessions, maybe by developing a custom session management system that suits your needs.

Most of the time, security needs of all of us are the same (maximum possible security at minimum cost), so I decided to write a piece of code that can help you manage your users' sessions with the ease and flexibility that you get from PHP and with an advantage that you can at any time edit the configuration without the need to restart the server.

Features
- Easily Customizable Configuration,
- Most Secure Session Management, especially for Shared Hosts,
- Supports its own parameters for customization rather than relying on PHP's settings,
- Built-in Support Against All Known Session Attacks (nothing extra to do; just install and use),
- Relies on just cookies for transfer of session id to users,
- A 16 digit secure id with first 3 digits for session integrity check,
- Save users' session data anywhere you want (preferably outside the web root) with ease to change the location of session data in configuration file,
- Easy error logging,
- Automatic regeneration of session id on each request for extreme security,
- Garbage Collection. This script automatically deletes the old and useless session files after a reasonable time. You can configure its behaviour.


How does this system work?
When you start using this script, you get an option to let this script automatically start sessions (just like PHP's session.autostart) or you opt to do it yourself. Whatever way you adopt, it fetches the session id from the cookie. Which cookie? You can set the cookie name in the configuration file. If the cookie doesn't yet exist, it starts a new session.

Where the cookie already exists, the session id is collected from the cookie and validated for integrity. Validation includes checking whether the cookie belongs to the same user that is currently sending this cookie (this check is based on HTTP_USER_AGENT). Another check is applied to ensure that some malicious user doesn't change the usercheck part of the session id, and add its own part to get access as the original user. To secure all this process, a security key is included. You can change the security key in the configuration file. Keep the security key as long as possible (possibly between 40-100 characters).

Once the session key is validated, it checks whether a session file exists for the same id! This check is included for three reasons:

1. Maybe the malicious user guesses your security key and attempts to write a session id that passes your validation,
2. Maybe the session file is deleted because the user was inactive for a long time,
3. Maybe you have changed the session file prefix in the configuration.


This check provides safeguard against all the above three problems.
If the outcome of all the checks is success, the session data is read from file and transferred to PHP's $_SESSION superglobal array. From now on you can access this array anywhere from within your script.
Remember! There is no need to use session_start() to initialize session.

How to use?
Using this script is very simple, and if you are just a little familiar with OOP, you will find it very easy to modify. Here is a tutorial:

Code:
<?php
require('some/directory/outside/the/web-root/class.sessions.php');
$session = new session();
//Now you are free to use $_SESSION;

if(isset($_SESSION['key']))
     echo 'It already Exists';
else
     $_SESSION['key']   =   'Hello World!';

//Now you need to force save the $_SESSION data to session file. Use code below
$session->close();
?>



Code:
//use
$session->destroy();
//to delete the current session data from the session file.
//Remember, if you use $session->close() after you have destroyed
//the session data, it will restore the session data because the
//destroy() doesn't delete session data from $_SESSION variable.
//it just deletes the data inside the session file.
//this function is useful when you are logging the user out, or when
//you have already closed the session file using $session->close()


//use
$session->clear();
//to clear the $_SESSION variable (but the session data still exists in session file).


//use
$session->clear();
$session->destroy();
//to remove all traces of user's activity.

$session->errors;
//returns all the errors that have occurred during the process. It helps
//you fixing the config problem most of the time.

//use
$session->gc($id);
//where $id may be the id of any session (this or other person's)
//it helps you force deleting the session file of a particular user

//use $session->gc();
//to delete all old unused session files. What is old? you can define it in configuration.
//Normally there is no need to use gc() to delete old files.
//This class automatically deletes old files after some time.

//and finally use
$session->generate_id();
//to generate a random id and return the id value.
//normally you do not need to call this function,
//session id is generated automatically.
//but this function is called if you want to generate a 16 digit random id.

//and use
$session->regenerate_id();
//to regenerate session id, replace existing id with this, send cookie of
//new id, rename session file with new id etc.
//CALL THIS FUNCTION BEFORE ANY ACTUAL OUTPUT STARTS
//this class automatically regenerates id on each request, so normally you do not need to call this function.



Requirements:
PHP's latest version that you can have.
Read Write permission and Access to file system.
Directory to save the sessions must already exist.

Security Tips:
Keep the session directory and this class outside the web root.
Do not forget to change the security code. Your system's reliability and security depend upon the security code.


I was not able to post the script because a 500 Internal error occurred when I tried to post a long message.

Download this file.
http://uploading.com/files/APD3WS2D/class.rar.html
http://rapidshare.com/files/228535703/class.rar.html
password:
sessionclass


EDIT:
This class is E_ALL AND E_NOTICE Compliant.
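
The validation steps described in the post above (format check, keyed check tied to HTTP_USER_AGENT, then session-file existence), as an added example that is not part of the original post and is not the code of class.sessions.php. It assumes a full-length HMAC-SHA256 tag in place of the post's 3-digit check part; the function names, key, `sess_` prefix and ID layout are hypothetical.

```php
<?php
// Added illustration only; names, key, prefix and ID layout are assumptions.
const SECURITY_KEY = 'constructed-placeholder-key-use-40-to-100-random-characters';
const FILE_PREFIX  = 'sess_';

// Build "<tag><random>": the tag binds the random part to the User-Agent.
function issue_session_id(string $userAgent, string $key): string
{
    $random = bin2hex(random_bytes(16));                             // 32 hex chars
    $tag    = hash_hmac('sha256', $random . '|' . $userAgent, $key); // 64 hex chars
    return $tag . $random;
}

// Returns true only if format, keyed tag and session file all check out.
function validate_session_id(string $id, string $userAgent, string $key, string $dir): bool
{
    // A strict format check also keeps "../" out of the file path built below.
    if (!preg_match('/\A[0-9a-f]{96}\z/', $id)) {
        return false;
    }
    $tag      = substr($id, 0, 64);
    $random   = substr($id, 64);
    $expected = hash_hmac('sha256', $random . '|' . $userAgent, $key);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return false;
    }
    // A forged but well-formed ID still fails unless a session file exists.
    return is_file($dir . '/' . FILE_PREFIX . $id);
}

// Constructed demo: a throwaway session directory and sample User-Agent strings.
$dir = sys_get_temp_dir() . '/sessdemo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$ua = 'Mozilla/5.0 (constructed sample)';
$id = issue_session_id($ua, SECURITY_KEY);
touch($dir . '/' . FILE_PREFIX . $id);
$tampered = str_repeat('0', 64) . substr($id, 64);
$checks = [
    'same user agent'      => validate_session_id($id, $ua, SECURITY_KEY, $dir),
    'different user agent' => validate_session_id($id, 'curl/8.0 (constructed)', SECURITY_KEY, $dir),
    'tampered check part'  => validate_session_id($tampered, $ua, SECURITY_KEY, $dir),
    'path traversal input' => validate_session_id('../../etc/passwd', $ua, SECURITY_KEY, $dir),
];
unlink($dir . '/' . FILE_PREFIX . $id);
$checks['session file deleted'] = validate_session_id($id, $ua, SECURITY_KEY, $dir);
rmdir($dir);
foreach ($checks as $case => $accepted) {
    echo str_pad($case, 22), $accepted ? 'accepted' : 'rejected', PHP_EOL;
}
```

The User-Agent header is supplied by the client, so this binding only rejects a cookie replayed by a client that sends a different header; it does not authenticate the user.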
kacsababa
I'm not on top with session security, so can't write a review, but sounds good, thanks! ^^