
Random String // For use with sessions


FrOzeN

So I understand sessions have a few security issues and can be stolen; to lower the risk, my idea was:

[list]
[*]Create a Session
[*]Give it only 1 value which is a random string
[*]Have a table in a MySQL database which handles temporary data between forms and is queried via the random string, it also compares the IP address to the IP address which the session's random string was created for to assure the session hasn't been stolen.
[*].. Still use sessions to store other data that doesn't require any "security" or risk if stolen, like "hide navigation toggle" variables and such, for guests.
[/list]

This code works fine to create a random string, but as I'm very new to PHP I was wondering if improvements can be applied. Namely, the function is what I'll use; the other part is/was just for testing.
[code]<?php

// Builds a 24-character string from the set 0-9, A-Z, a-z.
function randomstring() {
    $rndstr = ''; // initialise first, otherwise the first .= raises an undefined-variable notice
    for ($i = 0; $i < 24; $i++) {
        $rndnum = mt_rand(0, 61);
        if ($rndnum < 10) {
            $rndstr .= $rndnum;            // 0-9 appended as digits
        } else if ($rndnum < 36) {
            $rndstr .= chr($rndnum + 55);  // 10-35 -> 'A'..'Z' (ASCII 65-90)
        } else {
            $rndstr .= chr($rndnum + 61);  // 36-61 -> 'a'..'z' (ASCII 97-122)
        }
    }
    return $rndstr;
}

// Test output: print ten sample strings.
echo "<pre>";

for ($a = 1; $a < 11; $a++) {
    if ($a != 10) {
        echo " #" . $a . ":  " . randomstring() . "\n";
    } else {
        echo "#10:  " . randomstring() . "</pre>";
    }
}

?>[/code]

Also, I'd appreciate any comments on my concept about session security, like flaws which I may have missed, etc.

[EDIT] I was just reading over [url=http://www.phpfreaks.com/forums/index.php/topic,109169.0.html]this[/url] topic and noticed the mention of HTTP_USER_AGENT (#3 there), which I think I should also add as a comparison. I can't think of any reason why they would change whilst the session still exists.

Instead of having temporary data being passed around sessions, I'm doing it this way:

Every time the user logs in (or is remembered by a cookie), a session is generated with a new id and is given that random string. The session id, random string, HTTP_USER_AGENT, user's IP address, current time/date, and username are then added to a MySQL table.

Then on every page the user views, it looks up the table, grabbing the row defined by their random string. From that row it compares their HTTP_USER_AGENT and IP address to those stored in the table. If they match, it can then use the 'username' property in the table to look up further information about the user; it also updates the time variable (it's used for the 'Online Users' page by listing all users whose time is within 20 minutes).

As far as I know, this should be secure, as if the session is stolen, the IP address is unlikely to be spoofed, and the HTTP_USER_AGENT is just a little extra measure. I'm not *certain*, but I can't think of any reason why or how the HTTP_USER_AGENT/IP address would change whilst viewing the website, so it shouldn't cause any problems to legit users, remembering this is only compared for 'sessions', not remembering via cookies.

Any flaws I'm not considering? And any improvements that could possibly make that minor segment of code more efficient/faster?

Note: I'll be using this topic to get feedback on my code whilst I create this, so that's why I kept it out of the Application Design/Layout forum.

Assuming your computer doesn't have any proxy software installed to allow others to use your IP address as a proxy, can they attain the same $_SERVER['REMOTE_ADDR']? If so, could I get some links/suggestions on other ways to add more authentication to avoid session hijacking?
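The login-time insert and per-page check described in the second post, together with the REMOTE_ADDR comparison asked about in the third, as an added PHP example that is not the poster's code; it assumes PHP 7+, an open PDO handle, and a table user_sessions(token, username, ip, user_agent, last_seen) that the thread does not define:

```php
<?php
// Added example (not the poster's code). Assumes PHP 7+ and a PDO connection
// to an assumed table user_sessions(token, username, ip, user_agent, last_seen).

// Generate the random string with a CSPRNG instead of mt_rand(): mt_rand() is
// seeded predictably and was never designed to produce security tokens.
function generate_session_token(): string {
    return bin2hex(random_bytes(16)); // 32 hex chars, 128 bits of entropy
}

// Called once at login: store the token with the client details to compare later.
function create_session_record(PDO $db, string $username): string {
    $token = generate_session_token();
    $stmt = $db->prepare(
        'INSERT INTO user_sessions (token, username, ip, user_agent, last_seen)
         VALUES (:token, :username, :ip, :ua, NOW())'
    );
    $stmt->execute([
        ':token'    => $token,
        ':username' => $username,
        ':ip'       => $_SERVER['REMOTE_ADDR'] ?? '',
        ':ua'       => $_SERVER['HTTP_USER_AGENT'] ?? '',
    ]);
    session_regenerate_id(true);  // fresh session id at login
    $_SESSION['token'] = $token;  // the only sensitive value kept in the session
    return $token;
}

// Called on every page: returns the username, or null if the row is missing,
// the session has been idle too long, or the IP / User-Agent no longer match.
function validate_session_record(PDO $db, string $token, int $idleSeconds = 1200): ?string {
    $stmt = $db->prepare(
        'SELECT username, ip, user_agent, last_seen FROM user_sessions WHERE token = :token'
    );
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Constant-time comparisons so response timing does not depend on the stored values.
    $ipOk = hash_equals($row['ip'], $_SERVER['REMOTE_ADDR'] ?? '');
    $uaOk = hash_equals($row['user_agent'], $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!$ipOk || !$uaOk || strtotime($row['last_seen']) < time() - $idleSeconds) {
        return null;
    }
    $db->prepare('UPDATE user_sessions SET last_seen = NOW() WHERE token = :token')
       ->execute([':token' => $token]);
    return $row['username'];
}
```

Users on mobile networks or behind load-balanced proxies can change REMOTE_ADDR mid-session, so the IP check mostly costs legitimate users their sessions; the CSPRNG token and the id regeneration at login do more for hijack resistance than either header comparison.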
