So recently I've spent lots of time learning about session fixation and found out that a session without any kind of protection can be a huge bitch.
I wrote this class for validating the session and blocking session hijackers. Within my closed testing I found it working (generating id blah blah) but I'd like your opinions on this:
I have three public functions for using (plus constructor).
My comments here are in Finnish so I'll explain:
First we define the class with a username (this is for login scripts) to use in creating the hash, after that there are those three functions:
generate_id() generates a new validation hash and stores it in the session. This function should be called when the user has been verified and has logged in.
validate() should validate the current session, simply returning true if it's valid and false if it thinks the session has been hijacked.
suddenDeath() will validate the session and, if valid, do nothing, but if it thinks it's hijacked, redirects the person to the defined site (ask for a password at that site to revalidate the user maybe?)
class xSession {
    protected $_usr;                              // store the USERNAME
    protected $_salt = "customVillenSuolaTahan";  // super-secret salt goes here
    protected $_redirect = "index.php";           // where the user is sent if EXTERMINATION triggers

    function __construct($username) {             // build it
        $this->_usr = $username;                  // probably doesn't even need a comment
    }

    protected function _generateHash() {
        $info = array();                          // initialise info
        array_push($info, $this->_usr, $this->_salt, $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT']); // throw a bit of info on the counter
        return md5(implode('xXx', $info));
    }

    public function generate_id() {               // This regenerates the id, should be used AT LEAST on every login
        if (!isset($_SESSION['validate']) || $this->validate()) { // Don't let baddies create a new id
            session_regenerate_id(true);          // regenerate the id and delete the old session data
            $_SESSION['validate'] = $this->_generateHash(); // Create and store the validation hash
        }
    }

    public function validate() {                  // If given true we die on failure EDIT: OR MAYBE NOT XD
        // The (bool) cast in the original bound only to $_SESSION['validate'], so the loose ==
        // was always true; compare the full stored string against the fresh hash instead.
        if (!isset($_SESSION['validate'])) return false;
        return hash_equals($this->_generateHash(), (string) $_SESSION['validate']);
    }

    public function suddenDeath() {               // SUDDENDEATH OMG!!
        if (!$this->validate()) {
            header('Location: ' . $this->_redirect);
            exit;                                 // stop here, or the page keeps rendering after the redirect header
        }
    }
}
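A small added demonstration (my own code, not the poster's class) of the precedence problem in the posted validate(): the (bool) cast binds only to $_SESSION['validate'], so the loose == against the computed hash is always true. The username, IP and user agent below are constructed stand-ins for the real request values.

```php
<?php
// Added example (not the poster's class): why the posted validate() lets a
// hijacked session through, and the comparison that actually checks the hash.
//
// The posted line is:  (bool) $_SESSION['validate'] == $this->_generateHash()
// The cast applies only to $_SESSION['validate'], so the left side is just
// true for any non-empty value, and a loose == of true against a non-empty
// string is always true. The stored hash is never really compared to anything.

function validateAsPosted(string $stored, string $expected): bool
{
    return ((bool) $stored == $expected) ? true : false;
}

// Fixed: compare the two full strings, in constant time, so a wrong or
// arbitrary value in the session fails the check.
function validateFixed(string $stored, string $expected): bool
{
    return hash_equals($expected, $stored);
}

// Same hash recipe as the posted _generateHash(), with constructed inputs
// standing in for $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_USER_AGENT'].
$expected = md5(implode('xXx', [
    'alice',                    // constructed username
    'customVillenSuolaTahan',   // salt from the posted class
    '203.0.113.7',              // constructed client IP
    'Mozilla/5.0 (example)',    // constructed user agent
]));

$cases = [
    'legit session value'          => $expected,
    'hash from a different client' => md5('some other client'),
    'any non-empty value'          => 'anything',
];

foreach ($cases as $label => $stored) {
    printf("%-30s posted: %-4s fixed: %s\n",
        $label,
        validateAsPosted($stored, $expected) ? 'pass' : 'fail',
        validateFixed($stored, $expected) ? 'pass' : 'fail');
}
```

Note also that binding the hash to REMOTE_ADDR fails legitimate users whose IP changes mid-session (mobile networks, proxy pools), so validate() rejects those sessions as well as hijacked ones.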