
So recently I've spent lots of time learning about session fixation and found out that a session without any kind of protection can be a huge bitch  >:(

 

I wrote this class for validating the session and blocking session hijackers. Within my closed testing I found it working (generating id blahblah) but I'd like your opinions on this:

 

I have three public functions to use (plus the constructor).

My comments here are in Finnish so I'll explain:

First we define the class with a username (this is for login scripts :P) to use in creating the hash; after that there are those three functions:

 

generate_id() generates a new validation hash and stores it in the session. This function should be called when the user has been verified and has logged in.

 

validate() should validate the current session, simply returning true if it's valid and false if it thinks the session has been hijacked.

 

suddenDeath() will validate the session and, if valid, do nothing, but if it thinks it's hijacked, redirects the person to a defined site (ask for the password at that site to revalidate the user maybe?)

 

class xSession{
	var $_usr; // store the USERNAME
	var $_salt = "customVillenSuolaTahan"; // supah-leet salt here
	var $_redirect = "index.php"; // where the user is sent if EXTERMINATION triggers
	function __construct($username){ // construct
		$this->_usr = $username; // probably doesn't even need a comment
	}
	protected function _generateHash(){
		$info = array(); // initialise info
		array_push($info, $this->_usr, $this->_salt, $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT']); // throw some info on the counter
		return md5(implode('xXx', $info));
	}
	public function generate_id(){ // this regenerates the id, should be used AT LEAST on every login
		if(!isset($_SESSION['validate']) || $this->validate()){ // don't let bad guys make a new id
			session_regenerate_id(); // regenerate the id
			$_SESSION['validate'] = $this->_generateHash(); // create and store the validation hash
		}
	}
	public function validate(){ // if true is passed we die on failure EDIT: OR MAYBE NOT XD
		return ((bool) $_SESSION['validate'] == $this->_generateHash()) ? true : false;
	}
	public function suddenDeath(){ // SUDDENDEATH OMG!!
		if(!$this->validate()){
			header('location: ' . $this->_redirect);
			exit; // stop executing, otherwise the protected page is still rendered after the redirect header
		}
	}
}

public function validate(){ // if true is passed we die on failure EDIT: OR MAYBE NOT XD
return ((bool) $_SESSION['validate'] == $this->_generateHash()) ? true : false;
}

should be

public function validate(){ // if true is passed we die on failure EDIT: OR MAYBE NOT XD
return ($_SESSION['validate'] == $this->_generateHash()) ? true : false;
}

I don't even know why I added (bool) in the first place :D Didn't think that one quite through :P

return ($_SESSION['validate'] == $this->_generateHash()) ? true : false;

 

You don't need this extra typing: $_SESSION['validate'] == $this->_generateHash() will return a boolean true if they match or a boolean false if not. So ? true : false; is redundant; don't state the obvious.
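A hardened version of the same idea, added here as an example and not code from the thread: HMAC-SHA256 instead of md5, hash_equals() for the comparison discussed above (which also removes the ? true : false), session_regenerate_id(true) so the old session data is deleted, and exit after the redirect. It assumes session_start() has already run and that the secret comes from server-side configuration (the names HardenedSession, fingerprint, loginAs and enforce are mine).

```php
<?php
// Added example, not the poster's code: a hardened variant of the xSession idea.
// Assumes session_start() was already called; $secret is a server-side config value.
final class HardenedSession
{
    private string $secret;   // never stored in the session itself
    private string $redirect;
    public function __construct(string $secret, string $redirect = 'index.php')
    {
        $this->secret = $secret;
        $this->redirect = $redirect;
    }
    // Fingerprint the client. REMOTE_ADDR is left out on purpose: mobile and NAT
    // users change address mid-session and would be logged out; the User-Agent
    // is stable and still catches casual reuse of a stolen cookie.
    private function fingerprint(string $username): string
    {
        $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
        return hash_hmac('sha256', $username . "\0" . $ua, $this->secret);
    }
    // Call once, right after the credentials have been verified.
    public function loginAs(string $username): void
    {
        session_regenerate_id(true);   // true: delete the old session data
        $_SESSION['user'] = $username;
        $_SESSION['fingerprint'] = $this->fingerprint($username);
    }
    public function validate(): bool
    {
        if (!isset($_SESSION['user'], $_SESSION['fingerprint'])) {
            return false;
        }
        // Constant-time comparison; == would also accept loosely coerced values.
        return hash_equals($_SESSION['fingerprint'], $this->fingerprint($_SESSION['user']));
    }
    public function enforce(): void
    {
        if ($this->validate()) {
            return;
        }
        session_unset();
        session_destroy();
        header('Location: ' . $this->redirect);
        exit;   // without exit the protected page would still be rendered
    }
}
```

On a protected page, call (new HardenedSession($secret))->enforce() before any output is sent, since header() cannot redirect once the body has started.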
