sorenchr Posted January 12, 2009
Hi, I'm developing a login system. When a user is logged in to the system, they are surfing around members-only PHP pages which validate the user's credentials through a PHP script called checkstatus.php (it is included as the first thing in every members-only page). If the user passes the security check in checkstatus.php, their session IDs are regenerated through the session_regenerate_id() function. However, if I'm on a members-only page and I hammer the refresh button several times, the user is automatically logged out (because I use sessions for validation, and they are updated for every page refresh with fresh data). So the sessions are not updated quickly enough with the new session ID before the validation happens again, and therefore the user is logged out. Have any of you guys experienced this problem too? And is there a fix to cure this problem? Thanks for your time.
https://forums.phpfreaks.com/topic/140431-session_regenerate_id-problem/
xtopolis Posted January 12, 2009
It is not necessary to refresh the session ID on each page request. If you are worried about session fixation, you could put other things in place to verify it's the same user (perhaps IP, user agent (browser), etc.). Otherwise, if you are insistent on your method, you may try explicitly setting the cookie after regenerating the ID.
sorenchr (Author) Posted January 12, 2009
Okay, perhaps I should elaborate a bit on my methods. Two IDs are randomly generated using a function, which are then assigned via sessions to the user, and they are also stored in the database. Every time checkstatus.php is loaded, it regenerates these IDs, stores them anew in the sessions and updates the database with the new IDs. Furthermore, the user's IP address is also stored in the database (and also in a session), and a session variable indicates if a user is logged in or not ($_SESSION['loggedin'] = 1). Would this be a secure enough solution then? Furthermore, how should session_regenerate_id() be used then? When a user logs out?
xtopolis Posted January 12, 2009
I think your database may be causing a lot of unnecessary overhead. It doesn't seem like you are using a custom session handler... so I don't think you really need to store it in a database. PHP will most likely want to interface with the session first, and really that should be enough as long as you have authentication checks in there. There aren't very many concrete things you can tell about a user from your end. If you are having them log in, you basically have this info:
- username
- password
- date/time they logged in
- an IP (subject to change / can be faked)
- their browser type (can be blank / faked) [called: user agent]
and I think there was something else... but it doesn't matter.
So in your session you could md5($username.$hashedpassword.$useragent) and check to see that none of that changes from page to page.
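The two suggestions in this thread (regenerate the ID only when it is actually needed, and tie the session to a per-user fingerprint that each members-only page re-checks) put together in PHP, as an added example rather than code from the thread. The function names login_user(), check_status() and logout_user() are assumed, and SHA-256 over username plus user agent is used in place of the md5 suggested above.

```php
<?php
// Added example (not from the thread): regenerate the session ID only when the
// privilege level changes (at login) instead of on every request, and bind the
// session to a fingerprint that every members-only page re-checks.
session_start();

// Fingerprint from values that stay constant for one browser session.
// Assumption: user agent only; the IP is left out because it changes behind
// proxies and mobile networks. SHA-256 is used here instead of md5.
function session_fingerprint(string $username): string {
    return hash('sha256', $username . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// Hypothetical name; call it once the username/password have been verified.
function login_user(string $username): void {
    // Drop the pre-login ID so a fixated ID never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['loggedin']    = 1;
    $_SESSION['username']    = $username;
    $_SESSION['fingerprint'] = session_fingerprint($username);
    $_SESSION['last_active'] = time();
}

// Hypothetical name; include at the top of every members-only page. No
// regenerate here, so rapid refreshes cannot race the cookie update.
function check_status(int $idle_limit = 1800): bool {
    if (empty($_SESSION['loggedin']) || empty($_SESSION['username'])) {
        return false;
    }
    $expected = session_fingerprint($_SESSION['username']);
    $idle     = time() - ($_SESSION['last_active'] ?? 0);
    // Fingerprint drift or an idle timeout invalidates the session.
    if (!hash_equals($_SESSION['fingerprint'] ?? '', $expected) || $idle > $idle_limit) {
        logout_user();
        return false;
    }
    $_SESSION['last_active'] = time();
    return true;
}

// Clear server-side data and expire the cookie so the ID cannot be reused.
function logout_user(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on a members-only page:
if (!check_status()) { header('Location: /login.php'); exit; }
```

session_regenerate_id() keeps the current session data under the new ID, so the login flags set after it belong only to the fresh, post-login session.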
sorenchr (Author) Posted January 12, 2009
Interesting, I guess it never occurred to me that I could validate a user that way. Guess I have to rewrite a whole lot of code now. Just a question about the current method I'm using: is it over-psycho-paranoid? I was working from the idea that if a malicious user was able to obtain one of the IDs, they would have to try forever to brute-force the second one.
xtopolis Posted January 12, 2009
If they could obtain one of the IDs, they could probably obtain both. If you can make it work, go for it. Over paranoid? Depends what you're designing for.
sorenchr (Author) Posted January 12, 2009
Well, I always design my applications with high security in mind; I don't like the idea of going in and rewriting a whole bunch of code when a project suddenly gets lots of users. I guess I'll try and play with your idea. I can see now why issuing new IDs for each refresh is kind of silly. Thanks for your help.