PHP Session Security Tips

Question

this is what I'm doing currently to create sessions on login page.

if($count==1) {

   $_SESSION['username'] = $username;
   $_SESSION['password'] = $password;
}

i know this is very basic and I need to protect the user sessions. Can u provide me some basic tips. If you could edit the code and write the secure one, it would be great. Thanks.

Currently, I am using the email address as session username.

Answer 1

Ask yourself this question:

• Why am I storing the password when the username is unique in the database

After you have answered that you should of come to the conclusion that its pointless, you can either store the username or the user id in the session when it comes to login systems.

How login systems tend to work is that the user sends the username password from a form to the server where its validated, during the validation process you select the user from the database where username = post_username.

If there is no rows found the user does not exist so you can directly send output at that point, if the user does exist you then compare the password with the post_password.

The reason why we specifically select the row by just the username is that you should be incorporating some sort of hashing system to add extra security.

If you stored the password as (password + hash) which would be a new string, you would also store just the hash as well. Thus if a user is found then you can create a hash from (post_password + db_hash) and check to see if its the same as the db_password.

This way if your database gets leaked somehow your users credentials are more secure.

Once the user has been validated you would store the user id within the session, and then on every page load you can check if the id is within the session and if it is the user is currently logged in and you can select the users data by SELECT * FROM users WHERE id = session_id.

This should get you started.

Answer 2

Common practice is to check the user name and password against the database, then on success store just the user id in the session. Then later, to see if a person is logged in or authorized, you check that user id stored in the session. Though, the session variables are only visible to the server unless you've done something horribly wrong. So its not horrible or insecure but its basically unnecessary.

Edit

Removed bit about cookies, could cause confusion.

Answer 3

/*
    SecureSession class
    Written by Vagharshak Tozalakyan <vagh@armdex.com>
    Released under GNU Public License
*/

class SecureSession {
    // Include browser name in fingerprint?
    var $check_browser = true;
    // How many numbers from IP use in fingerprint?
    var $check_ip_blocks = 0;
    // Control word - any word you want.
    var $secure_word = 'random_string_here';
    // Regenerate session ID to prevent fixation attacks?
    var $regenerate_id = true;

    // Call this when init session.
    function Open()
    {
        $_SESSION['ss_fprint'] = $this->_Fingerprint();
        $this->_RegenerateId();
    }

    // Call this to check session.
    function Check()
    {
        $this->_RegenerateId();
        return (isset($_SESSION['ss_fprint'])

        && $_SESSION['ss_fprint'] == $this->_Fingerprint());
    }

    function Destroy()
    {
        // Unset all of the session variables.
        $_SESSION = array();

        // If it's desired to kill the session, also delete the session cookie.
        // Note: This will destroy the session, and not just the session data!
        if (isset($_COOKIE[session_name()])) {
            setcookie(session_name(), '', time()-42000, '/');
        }

        // Finally, destroy the session.
        session_destroy();
    }


    // Internal function. Returns MD5 from fingerprint.
    function _Fingerprint()
    {
        $fingerprint = $this->secure_word;
        if ($this->check_browser)
            $fingerprint .= $_SERVER['HTTP_USER_AGENT'];

        if ($this->check_ip_blocks)
        {
            $num_blocks = abs(intval($this->check_ip_blocks));

            if ($num_blocks > 4)
                $num_blocks = 4;

            $blocks = explode('.', $_SERVER['REMOTE_ADDR']);

            for ($i=0; $i<$num_blocks; $i++)
            {
                $fingerprint .= $blocks[$i] . '.';
            }
        }
        return md5($fingerprint);
    }

    // Internal function. Regenerates session ID if possible.
    function _RegenerateId()
    {
        if ($this->regenerate_id && function_exists('session_regenerate_id'))
            session_regenerate_id();

    }
}