SaMike, posted February 26, 2011

So recently I've spent lots of time learning about session fixation and found out that a session without any kind of protection can be a huge bitch. I wrote this class for validating the session and to block session hijackers. Within my closed testing I found it working (generating id blahblah), but I'd like your opinions on this:

I have three public functions for using (plus constructor). My comments here are in Finnish so I'll explain: First we define the class with a username (this is for login scripts) to use in creating the hash, after that there are those three functions:

generate_id() generates a new validation hash and stores it to the session. This function should be called when the user has been verified and has logged in.

validate() validates the current session, simply returning true if it's valid and false if it thinks the session has been hijacked.

suddenDeath() will validate the session and if valid, do nothing, but if it thinks it's hijacked, refers the person to a defined site (ask password at that site to revalidate the user maybe?)
    <?php
    // Requires session_start() to have been called before the class is used.
    class xSession {
        protected $_usr;                                // store the USERNAME
        protected $_salt = "customVillenSuolaTahan";    // super-leet salt here
        protected $_redirect = "index.php";             // where the user is sent if EXTERMINATION triggers

        function __construct($username) {               // construct
            $this->_usr = $username;                    // probably doesn't even need a comment
        }

        protected function _generateHash() {
            $info = array();                            // initialise info
            // throw some info on the counter
            array_push($info, $this->_usr, $this->_salt, $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT']);
            return md5(implode('xXx', $info));
        }

        public function generate_id() {                 // this regenerates the id, should be used AT LEAST on every login
            if (!isset($_SESSION['validate']) || $this->validate()) {   // don't let baddies make a new id
                session_regenerate_id();                // regenerate the id
                $_SESSION['validate'] = $this->_generateHash();         // create and store the validation hash
            }
        }

        public function validate() {                    // if true is passed, die on failure EDIT: OR NOT XD
            return ((bool) $_SESSION['validate'] == $this->_generateHash()) ? true : false;
        }

        public function suddenDeath() {                 // SUDDENDEATH OMG!!
            if (!$this->validate()) {
                header('Location: ' . $this->_redirect);
                exit;                                   // stop serving the page after the redirect
            }
        }
    }

Link to comment: https://forums.phpfreaks.com/topic/228883-session-validation-class-am-i-doing-it-right/
SaMike (author), posted February 26, 2011

    public function validate() {    // if true is passed, die on failure EDIT: OR NOT XD
        return ((bool) $_SESSION['validate'] == $this->_generateHash()) ? true : false;
    }

should be

    public function validate() {    // if true is passed, die on failure EDIT: OR NOT XD
        return ($_SESSION['validate'] == $this->_generateHash()) ? true : false;
    }

I don't even know why I added (bool) in the first place. Didn't think that one quite through.
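The following is an added example written for this thread, not SaMike's code: a session-binding helper with the same three responsibilities as xSession (bind on login, validate, enforce), plus a small function that shows why the (bool) version above passed every check. It goes a bit beyond the class in the thread: it drops REMOTE_ADDR from the fingerprint, uses an HMAC with a server-side secret instead of md5 with a static salt, compares with hash_equals, and exits after the redirect. Assumptions: a hypothetical server secret $serverSecret is available (a constructed placeholder below), session_start() has already been called before login()/validate()/enforce() are used, and PHP 5.6 or newer for hash_equals.

```php
<?php
// Added example, not from the original post. Assumes session_start() has run
// and that $serverSecret is loaded from server-side config (placeholder here).
$serverSecret = 'PLACEHOLDER-replace-with-a-random-secret-from-config';

class BoundSession
{
    private $username;
    private $secret;
    private $redirect;

    public function __construct($username, $secret, $redirect = 'index.php')
    {
        $this->username = $username;
        $this->secret   = $secret;
        $this->redirect = $redirect;
    }

    // Client fingerprint. REMOTE_ADDR is deliberately left out: users behind
    // mobile carriers or proxies change IP mid-session and would be logged
    // out constantly. The User-Agent is stable enough for a soft check.
    private function fingerprint()
    {
        $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // HMAC keyed with a server secret: someone who knows the username and
        // User-Agent still cannot compute the stored value.
        return hash_hmac('sha256', $this->username . "\0" . $ua, $this->secret);
    }

    // Call once, right after the password check succeeds (like generate_id()).
    public function login()
    {
        // true = delete the old session data, so a fixated id cannot be reused
        session_regenerate_id(true);
        $_SESSION['validate'] = $this->fingerprint();
        $_SESSION['user']     = $this->username;
    }

    public function validate()
    {
        if (!isset($_SESSION['validate'])) {
            return false;
        }
        // Constant-time, strict string comparison: no (bool) cast and no loose
        // ==, which in PHP treats numeric-looking strings such as "0e123" and
        // "0e456" as equal.
        return hash_equals($_SESSION['validate'], $this->fingerprint());
    }

    // Same intent as suddenDeath(). exit is required: header() alone does not
    // stop the script, so the rest of the page would still be served.
    public function enforce()
    {
        if (!$this->validate()) {
            session_unset();
            session_destroy();
            header('Location: ' . $this->redirect);
            exit;
        }
    }
}

// Why the original (bool) version always passed: the cast binds tighter than
// ==, so the expression is (true == "<hash>"), and any non-empty string is
// truthy. Returns both results side by side for two constructed sample values.
function compareWithAndWithoutCast($stored, $computed)
{
    $withCast    = ((bool) $stored == $computed);   // true for ANY non-empty $stored
    $withoutCast = ($stored == $computed);          // false unless they match
    return array('with_cast' => $withCast, 'without_cast' => $withoutCast);
}

// Constructed sample values, not real hashes
var_dump(compareWithAndWithoutCast('aaaa', 'bbbb'));
```

Running the file prints the two comparison results for the constructed pair: the cast version reports a match even though the strings differ, the plain version does not. In a login script, BoundSession is used by calling login() once after the credentials check and enforce() at the top of every protected page.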
SaMike (author), posted February 27, 2011

Bumping this to get opinions on whether this indeed would be safe and wise to use or not.
ignace, posted February 27, 2011

    return ($_SESSION['validate'] == $this->_generateHash()) ? true : false;

You don't need this extra typing. $_SESSION['validate'] == $this->_generateHash() will return a boolean true if they match or a boolean false if not. So ? true : false; is redundant, don't state the obvious.