
1st attempt against session security


casualventures


I'm working on a user management backend for a web app. My first area of focus is session/cookie security.

 

I know the main security points I need to take into consideration are:

  • Injection
  • Session fixation
  • Session sidejacking
  • Cross-site scripting

 

Attached is the current version of the script. Not super pretty but gets the point across. Feel free to point out any deficiencies you see.

 

[attachment deleted by admin]

https://forums.phpfreaks.com/topic/234951-1st-attempt-against-session-security/

Okay, so I stayed up all night and made it better. Now the script has both a session generated on the fly and a constant token. I've got a few finishing touches to do, but I actually think it's just about done. I think I need to go through and make the code a little cleaner and maybe throw a few more comments in there, but after that I think it's time to move on to phase two. Here's a couple of code snippets for your enjoyment, or if you don't want to download the zip.

 

So the page structure is as follows:

  • Session.php is where all the magic happens; it's always included in index.php
  • There's a login.php which uses auth.php to log users in
  • There's a register.php which uses create.php to create users

 

Session.php

<?php

// Database stuff
mysql_connect("host", "user", "pass") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

// Check to see if the cookie exists
if(isset($_COOKIE['auth'])){

	// What does it equal? The cookie is "token-session"
	// (explode replaces the deprecated split(); array_pad keeps list() happy if the dash is missing)
	$cookie = $_COOKIE['auth'];
	list($token, $session) = array_pad(explode('-', $cookie, 2), 2, '');

	// Cookies are user input too, so escape both halves before they go into a query
	$token = mysql_real_escape_string($token);
	$session = mysql_real_escape_string($session);

	// Check database to see if cookie value is valid
	$sql = "SELECT * FROM users WHERE token='$token' AND session='$session'";
	$result = mysql_query($sql);
	$count = mysql_num_rows($result);

	// If the cookie is valid then display the user page content
	if($count==1){
		$row = mysql_fetch_array($result);
		$username = $row['username'];
		$authenticated = "true";

		// Change up the cookie to prevent fixation
		$session = sha1($username.time());
		$cookie = $token."-".$session;
		setcookie('auth', $cookie, time()+3600);
		mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
	}

	// If the cookie is not valid then kill it and go back to login
	else{
		setcookie('auth', '', time()-3600);
		mysql_query("UPDATE users SET session='' WHERE token='$token'");
		header("location:?page=login");
		exit; // stop here so nothing below runs for an unauthenticated request
	}
}

?>

 

Create.php

<?php

$username = mysql_real_escape_string(stripslashes($_POST["username"]));

// Hash the raw password; escaping it first would change what gets hashed
$password = sha1($_POST["password"]);

$token = sha1($username.time());

$sql = "SELECT * FROM users WHERE username='$username'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);

if($username==""){
	echo "Username can not be blank<br>";
}

// Check the submitted value directly instead of comparing against sha1('')
elseif($_POST["password"]==""){
	echo "Password can not be blank";
}

elseif($count==1){
	echo "Sorry. That username is already taken.";
}

else {
	mysql_query("INSERT INTO users (username, password, token) VALUES('$username', '$password', '$token')") or die(mysql_error());
	$session = sha1($username.time());
	$cookie = $token."-".$session;
	setcookie('auth', $cookie, time()+3600);
	mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
	header("location:?page=user");
	exit;
}

?>

 

Auth.php

<?php

$username = mysql_real_escape_string(stripslashes($_POST["username"]));

// Hash the raw password so it matches what create.php stored
$password = sha1($_POST["password"]);

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);

if($count==1){
	$row = mysql_fetch_array($result);
	$token = $row['token'];

	// Fresh session value on every login so a pre-set cookie is never kept
	$session = sha1($username.time());
	mysql_query("UPDATE users SET session='$session' WHERE username='$username'");

	$cookie = $token."-".$session;
	setcookie('auth', $cookie, time()+3600);
	header("location:?page=user");
	exit;
}

else {
	echo "Login invalid";
}

?>
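The cookie check and rotation from Session.php, written up as an added example (not the poster's code) with the two things the snippets above leave open: the cookie halves are bound as query parameters instead of being interpolated into SQL, and the rotating session value comes from the OS CSPRNG rather than sha1(username.time()), which anyone who knows the username and the approximate login time can reproduce. It assumes a PDO handle `$db`, PHP 7.3 or later for the array form of setcookie(), and the poster's `users(username, token, session)` table.

```php
<?php
// Added example (not the poster's code): the cookie check and rotation from
// Session.php using PDO prepared statements, a CSPRNG session value, and
// HttpOnly/Secure cookie flags. Assumes a PDO handle $db, PHP >= 7.3, and the
// poster's users(username, token, session) table.
function generate_session_value(): string {
    // 128 bits from the OS CSPRNG. sha1($username.time()) can be reproduced by
    // anyone who knows the username and roughly when the request happened.
    return bin2hex(random_bytes(16));
}

function set_auth_cookie(string $token, string $session): void {
    // HttpOnly keeps page scripts (XSS) from reading it, Secure keeps it off
    // plain HTTP (sidejacking), SameSite limits cross-site sends.
    setcookie('auth', $token . '-' . $session, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the username for a valid cookie, or null after clearing a bad one.
function check_auth_cookie(PDO $db): ?string {
    if (!isset($_COOKIE['auth'])) {
        return null;
    }
    $parts = explode('-', $_COOKIE['auth'], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$token, $session] = $parts;
    // Bound parameter: the cookie value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, session FROM users WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant-time comparison; an empty stored session means "logged out".
    if ($row === false || empty($row['session']) || !hash_equals($row['session'], $session)) {
        setcookie('auth', '', time() - 3600, '/');
        return null;
    }
    // Rotate the session half on every valid request, as the original does.
    $new = generate_session_value();
    $db->prepare('UPDATE users SET session = ? WHERE username = ?')->execute([$new, $row['username']]);
    set_auth_cookie($token, $new);
    return $row['username'];
}
```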
