Random String // For use with sessions


4 replies to this topic

#1 FrOzeN

Posted 03 October 2006 - 06:46 AM

So I understand sessions have a few security issues and can be stolen, to lower the risk my idea was:

  • Create a Session
  • Give it only 1 value which is a random string
  • Have a table in a MySQL database which handles temporary data between forms and is queried via the random string, it also compares the IP address to the IP address which the session's random string was created for to assure the session hasn't been stolen.
  • .. Still use sessions to store other data that doesn't require any "security" or risk if stolen, like "hide navigation toggle" variables and such, for guests.

This code works fine to create a random string, but as I'm very new to PHP I was wondering if improvements can be applied. Namely the function is what I'll use, the other part is/was just for testing.
<?php

function randomstring() {
    $rndstr = '';   // initialise so the first .= does not hit an undefined variable
    for ($i = 0; $i < 24; $i++) {
        $rndnum = mt_rand(0, 61);   // 62 symbols: 0-9, A-Z, a-z
        if ($rndnum < 10) {
            $rndstr .= $rndnum;             // 0..9  -> '0'..'9'
        } else if ($rndnum < 36) {
            $rndstr .= chr($rndnum + 55);   // 10..35 -> 'A'..'Z' (ASCII 65..90)
        } else {
            $rndstr .= chr($rndnum + 61);   // 36..61 -> 'a'..'z' (ASCII 97..122)
        }
    }
    return $rndstr;
}

echo "<pre>";

for ($a = 1; $a < 11; $a++) {
    if ($a != 10) {
        echo " #" . $a . ":   " . randomstring() . "\n";
    } else {
        echo "#10:   " . randomstring() . "</pre>";
    }
}

?>

Also, I'd appreciate any comments on my concept about session security, like flaws which I may have missed, etc.

[EDIT] I was just reading over this topic and noticed the mention of HTTP_USER_AGENT (#3 there), which I think I should also add as a comparison. I can't think of any reason why they would change whilst the session still exists.

#2 Hi I Am Timbo

Posted 03 October 2006 - 07:02 AM

If the random string is stored in the session, wouldn't that be stolen too?

#3 FrOzeN

Posted 03 October 2006 - 07:40 AM

Instead of having temporary data being passed around sessions, I'm doing it this way:

Every time the user logs in (or is remembered by a cookie), a session is generated with a new id and is given that random string. The session id, random string, HTTP_USER_AGENT, user's IP address, current time/date, and username are then added to a MySQL table.

Then on every page the user views, it looks up the table, grabbing the row defined by their random string. From that row it compares their HTTP_USER_AGENT and IP address to those stored in the table. If they match it can then use the 'username' property in the table to look up further information about the user; it also updates the time variable (it's used for the 'Online Users' page by listing all users whose time is within 20 minutes).

As far as I know, this should be secure as if the session is stolen, the IP address is unlikely to be spoofed, and the HTTP_USER_AGENT is just a little extra measure. I'm not *certain*, but I can't think of any reason why or how the HTTP_USER_AGENT/IP address would change whilst viewing the website so it shouldn't cause any problems to legit users, remembering this is only compared for 'sessions', not remembering via cookies.

Any flaws I'm not considering? And any improvements that could possibly make that minor segment of code more efficient/faster?

Note: I'll be using this topic to get feedback on my code whilst I create this, so that's why I kept it out of the Application Design/Layout forum.
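The per-request check described above, written out as an added example (not code from the thread): an in-memory SQLite table stands in for the MySQL table, the token comes from a CSPRNG instead of mt_rand, and the comparisons are constant-time. Table and column names are assumptions.

```python
import secrets
import sqlite3
from hmac import compare_digest

ONLINE_WINDOW = 20 * 60  # 'Online Users' lists anyone seen within 20 minutes


def open_store():
    # Constructed stand-in for the MySQL table described in the post.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE sessions (
        session_id TEXT PRIMARY KEY, token TEXT UNIQUE NOT NULL,
        user_agent TEXT NOT NULL, ip TEXT NOT NULL,
        last_seen INTEGER NOT NULL, username TEXT NOT NULL)""")
    return db


def start_session(db, session_id, username, ip, user_agent, now):
    # secrets (CSPRNG) rather than mt_rand: 32 hex chars = 128 bits of entropy.
    token = secrets.token_hex(16)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?, ?, ?)",
               (session_id, token, user_agent, ip, now, username))
    return token


def validate_request(db, token, ip, user_agent, now):
    """Per-page check: find the row by token, compare IP and User-Agent,
    refresh last_seen. Returns the username, or None on any mismatch."""
    row = db.execute("SELECT user_agent, ip, username FROM sessions "
                     "WHERE token = ?", (token,)).fetchone()
    if row is None:
        return None
    stored_ua, stored_ip, username = row
    # Constant-time comparison; a single combined verdict, so the caller
    # cannot tell which attribute failed.
    same_ua = compare_digest(stored_ua.encode(), user_agent.encode())
    same_ip = compare_digest(stored_ip.encode(), ip.encode())
    if not (same_ua and same_ip):
        return None
    db.execute("UPDATE sessions SET last_seen = ? WHERE token = ?", (now, token))
    return username


def online_users(db, now):
    # Rows whose last_seen falls inside the 20-minute window.
    rows = db.execute("SELECT username FROM sessions WHERE last_seen >= ? "
                      "ORDER BY username", (now - ONLINE_WINDOW,)).fetchall()
    return [r[0] for r in rows]
```

A token presented from a different IP or User-Agent is rejected, which is the binding the post relies on; the reply below notes that both values are attacker-controlled headers, so this is a hurdle rather than a guarantee.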

#4 Hi I Am Timbo

Posted 03 October 2006 - 11:51 AM

The only thing that adds security to that is the IP address, which can also be spoofed.  I'm not sure, but I don't think it is actually any more secure.

#5 FrOzeN

Posted 03 October 2006 - 12:21 PM

Assuming your computer doesn't have any proxy software installed to allow others to use your IP address as a proxy, can they attain the same $_SERVER['REMOTE_ADDR']? If so, could I get some links/suggestions to other ways to add more authentication to avoid session hijacking.
