casualventures Posted April 28, 2011 Share Posted April 28, 2011 I'm working on a user management backend for a web app. My first area of focus is session/cookie security. I know the main security points I need to take into consideration are: Injection Session fixation Session sidejacking Cross-site scripting Attached is the current version of the script. Not super pretty but gets the point across. Feel free to point out any deficiencies you see. [attachment deleted by admin] Quote Link to comment https://forums.phpfreaks.com/topic/234951-1st-attempt-against-session-security/ Share on other sites More sharing options...
casualventures Posted April 28, 2011 Author Share Posted April 28, 2011 Okay so I stayed up all night and made it better. Now the script has both a session generated on the fly as well as a constant token. I've got a few finishing touches to do but I actually think it's just about done. I think I need to go through and make the code a little cleaner and maybe throw a few more comments in there but after that I think it's time to move onto phase two. Here's a couple code snippets for your enjoyment, or if you don't wanna download the zip. So the page structure is as follows: Session.php is where all the magic happens, it's always there included in the index.php There's a login.php which uses auth.php to log users in There's a register.php which uses create.php to create users Session.php <?php // Database stuffff mysql_connect("host", "user", "pass") or die(mysql_error()); mysql_select_db("database") or die(mysql_error()); // Check to see if the cookie exists if(isset($_COOKIE['auth'])){ // What does it equal? $cookie = $_COOKIE['auth']; list($token, $session) = split('[-]', $cookie); // Check database to see if cookie value is valid $sql="SELECT * FROM users WHERE token='$token' AND session='$session'"; $result=mysql_query($sql); $count=mysql_num_rows($result); // If the cookie is valid then display the user page content if($count==1){ $row = mysql_fetch_array( $result ); $username = $row['username']; $authenticated = "true"; // Change up the cookie to prevent fixation $session = sha1($username.time()); $cookie = $token."-".$session; setcookie('auth', $cookie, time()+3600); mysql_query("UPDATE users SET session='$session' WHERE username='$username'"); } // If the cookie is not valid then kill it and go back to login else{ setcookie('auth', '', time()-3600); header("location:?page=login"); mysql_query("UPDATE users SET session='' WHERE token='$token'"); } } ?> Create.php <?php $username = mysql_real_escape_string(stripslashes($_POST["username"])); $password = sha1(mysql_real_escape_string(stripslashes($_POST["password"]))); $token = sha1($username.time()); $sql="SELECT * FROM users WHERE username='$username'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($username==""){ echo "Username can not be blank<br>"; } elseif($password=="da39a3ee5e6b4b0d3255bfef95601890afd80709"){ echo "Password can not be blank"; } elseif($count==1){ echo "Sorry. That username is already taken."; } else { mysql_query("INSERT INTO users (username, password, token) VALUES('$username', '$password', '$token')") or die(mysql_error()); $session = sha1($username.time()); $cookie = $token."-".$session; setcookie('auth', $cookie, time()+3600); mysql_query("UPDATE users SET session='$session' WHERE username='$username'"); header("location:?page=user"); } ?> Auth.php <?php $username = mysql_real_escape_string(stripslashes($_POST["username"])); $password = sha1(mysql_real_escape_string(stripslashes($_POST["password"]))); $sql="SELECT * FROM users WHERE username='$username' and password='$password'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count==1){ $row = mysql_fetch_array( $result ); $token = $row['token']; $session = sha1($username.time()); mysql_query("UPDATE users SET session='$session' WHERE username='$username'"); $cookie = $token."-".$session; setcookie('auth', $cookie, time()+3600); header("location:?page=user"); } else { echo "Login invalid"; } ?> Quote Link to comment https://forums.phpfreaks.com/topic/234951-1st-attempt-against-session-security/#findComment-1207529 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.