tronicsmasta Posted May 11, 2008

Hey guys, I am trying to develop a strong, secure website. I just started using sessions for the users of the site and no troubles... I was reading a lot about session_regenerate_id() but am not sure what to use it for, and it's unclear if I should destroy the session or copy the info from the session or what... it's pretty unclear on the PHP.net website... so I turn to the experts here at PHPFreaks and ask: what should I use this for?!? lol

I basically have a login script on a few different pages; all do the same thing, e.g. query user+pass, return true or false, handle login based on true or false... I hear I should regenerate the session id every time someone logs in to prevent session id injections? Any input would be lovely!

Thanks,
Quinton
MadTechie Posted May 11, 2008

When you use sessions you get a session key; this is stored in a cookie or the URL. This key links the client's browser to a set of variables on the server. While this works well, a problem exists where another user may sniff the transaction or by whatever means find out the key; they can then edit/create their own cookie/GET request with the same key and thus spoof your transactions (look up "session hijacking"). Regenerating the session id will assign a new key to that member, thus reducing the chances of it being hijacked. Other things you should also do are store the member's IP and agent in a session and compare them to check they are the same as the user's.. hope that makes sense
tronicsmasta (Author) Posted May 11, 2008

That helps a lot... so I should kinda modify my code to add a regenerate session and store their IP and agent... e.g. (non-working, just for example purposes):

    session_start(); // needed before $_SESSION can be used

    // comes from login script
    if ( $_SESSION['loggedin'] == "yes" ) {
        session_regenerate_id();
        $useragent = getenv("HTTP_USER_AGENT");
        $ip = getenv("REMOTE_ADDR");
        $_SESSION[ip] = $ip;
        $_SESSION[useragent] = $useragent;
    }

    // checking to make sure $_SESSION is valid and the same person
    if ( $_SESSION[valid] == "yes" ) {
        if ( $_SESSION[useragent] == getenv("HTTP_USER_AGENT") ) {
            if ( $_SESSION[ip] == getenv("REMOTE_ADDR") ) {
                // all is ok, do what I need to here...
            } // end check ip
            else {
                // redirect to login page
            }
        } // end check agent
        else {
            // redirect to login page
        }
    } // end check valid session
    else {
        // redirect to login page
    }

Does that sound about right? Anything you can see wrong with this, or any ideas to ensure the safety of my website against session hacks? Thank you!
MadTechie Posted May 11, 2008

Not sure what the $_SESSION[valid] == "yes" is for, but the rest looks fine.

Code note: $_SESSION[ip] = $ip; should be $_SESSION['ip'] = $ip; same for the useragent and valid session.
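Added example, not code posted by either participant in this thread: a version of the login/check flow discussed above with the quoted keys, a session id rotated at login, and a browser fingerprint compared on every protected page. It assumes PHP 7.3+ and that the caller has already verified the username and password; the function names are my own.

```php
<?php
// Added example, not code from this thread. Assumes PHP 7.3+ and that the
// caller has already verified the username/password and holds $userId.
declare(strict_types=1);

ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
session_set_cookie_params([
    'httponly' => true,                   // JavaScript cannot read the cookie
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();

// Hashed so the raw User-Agent string is not kept in the session file.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once, right after the credential check succeeds.
function login_user(int $userId): void
{
    // Fresh id on privilege change: an id an attacker planted or sniffed
    // before login does not carry over into the authenticated session.
    session_regenerate_id(true);          // true: delete the old session data
    $_SESSION = [];                       // drop anything set before login
    $_SESSION['user_id']     = $userId;   // quoted keys, as noted above
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen']   = time();
    // Stored for logging only; pinning on it breaks mobile and proxy users.
    $_SESSION['ip']          = $_SERVER['REMOTE_ADDR'] ?? '';
}

// Call at the top of every protected page; redirect to login when false.
function session_is_valid(int $idleLimit = 1800): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        return false;                     // another browser is presenting this id
    }
    if (time() - $_SESSION['last_seen'] > $idleLimit) {
        return false;                     // idle too long
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```

On logout, clear $_SESSION, call session_regenerate_id(true) and then session_destroy(), so the old id cannot be reused.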
tronicsmasta (Author) Posted May 11, 2008

> Not sure what the $_SESSION[valid] == "yes" is for, but the rest looks fine.
> Code note: $_SESSION[ip] = $ip; should be $_SESSION['ip'] = $ip; same for the useragent and valid session.

I thought it should be that way, but all the session tutorials are not showing the use of the single quotes... odd... It works though, but I will try making it all uniform with the single quotes. Thanks for your help guy!
MadTechie Posted May 11, 2008

If you use $_SESSION[var] then var is treated as a constant; PHP looks for the value of the constant and fails, so it decides to use the constant name instead.. which is 'var'. Whereas $_SESSION['var'] uses var, no questions asked. Example:

    <?php
    session_start();
    // test, then comment out/remove the line below
    define("VAR", "Hello world.");
    $_SESSION[VAR] = "Test1";   // sets $_SESSION["Hello world."] because the constant is set
    $_SESSION['VAR'] = "Test2";
    echo $_SESSION[VAR];
    echo $_SESSION['VAR'];
    ?>