
1st attempt against session security


casualventures


I'm working on a user management backend for a web app. My first area of focus is session/cookie security.

 

I know the main security points I need to take into consideration are:

  • Injection
  • Session fixation
  • Session sidejacking
  • Cross-site scripting

 

Attached is the current version of the script. Not super pretty but gets the point across. Feel free to point out any deficiencies you see.

 

[attachment deleted by admin]


Okay, so I stayed up all night and made it better. Now the script has both a session generated on the fly as well as a constant token. I've got a few finishing touches to do, but I actually think it's just about done. I think I need to go through and make the code a little cleaner and maybe throw a few more comments in there, but after that I think it's time to move on to phase two. Here are a couple of code snippets for your enjoyment, or if you don't wanna download the zip.

 

So the page structure is as follows:

  • Session.php is where all the magic happens; it's always included in index.php
  • There's a login.php which uses auth.php to log users in
  • There's a register.php which uses create.php to create users

 

Session.php

<?php

// Database stuff
mysql_connect("host", "user", "pass") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

// Check to see if the cookie exists
if(isset($_COOKIE['auth'])){

// What does it equal?
$cookie = $_COOKIE['auth'];

// Cookie format is "<token>-<session>". split() was removed in PHP 7, so use explode;
// array_pad keeps list() from warning when the cookie has no dash at all.
list($token, $session) = array_pad(explode('-', $cookie, 2), 2, '');

// Both halves come straight from the client, so escape them before they reach the query
$token = mysql_real_escape_string($token);
$session = mysql_real_escape_string($session);

// Check database to see if cookie value is valid
$sql="SELECT * FROM users WHERE token='$token' AND session='$session'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);

// If the cookie is valid then display the user page content
if($count==1){ 
	$row = mysql_fetch_array( $result );
	$username = $row['username'];
	$authenticated = "true";

	// Change up the cookie to prevent fixation (a new session value on every request)
	$session = sha1($username.time());
	$cookie = $token."-".$session;
	setcookie('auth', $cookie, time()+3600);
	mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
}

// If the cookie is not valid then clear the stored session, kill the cookie and go back to login
else{
	mysql_query("UPDATE users SET session='' WHERE token='$token'");
	setcookie('auth', '', time()-3600);
	header("Location: ?page=login");
	exit; // stop here so the rest of index.php is not rendered for an unauthenticated visitor
}	
}

?>

 

Create.php

<?php

// Form input: undo magic-quotes slashes, then escape for the query
$username = mysql_real_escape_string(stripslashes($_POST["username"]));
$password = sha1(mysql_real_escape_string(stripslashes($_POST["password"])));

// Per-user constant token; paired later with the rotating session value
$token = sha1($username.time());

// Does this username already exist?
$sql="SELECT * FROM users WHERE username='$username'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);

if($username==""){
echo "Username can not be blank<br>";
}

// sha1('') is da39a3ee..., so this catches an empty password after hashing
elseif($password=="da39a3ee5e6b4b0d3255bfef95601890afd80709"){
echo "Password can not be blank";
}

elseif($count==1){ 
echo "Sorry. That username is already taken.";
}

else {
mysql_query("INSERT INTO users (username, password, token) VALUES('$username', '$password', '$token')") or die(mysql_error());
// Log the new user straight in with a fresh session value
$session = sha1($username.time());
$cookie = $token."-".$session;
setcookie('auth', $cookie, time()+3600);
mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
header("Location: ?page=user");
exit;
}

?>

 

Auth.php

<?php

// Form input: undo magic-quotes slashes, then escape for the query
$username = mysql_real_escape_string(stripslashes($_POST["username"]));
$password = sha1(mysql_real_escape_string(stripslashes($_POST["password"])));

// Look the user up by name and hashed password
$sql="SELECT * FROM users WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);

if($count==1){ 
$row = mysql_fetch_array( $result );
$token = $row['token'];

// New session value on every login, so a cookie value set before login is never reused
$session = sha1($username.time());
mysql_query("UPDATE users SET session='$session' WHERE username='$username'");

$cookie = $token."-".$session;
setcookie('auth', $cookie, time()+3600);
header("Location: ?page=user");
exit;
}

else {
echo "Login invalid";
}

?>

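As an added example, not part of casualventures' post or zip, here is the same token-plus-session cookie scheme with the mitigations for the four points listed in the first post applied. It assumes PHP 7.3 or newer, uses an in-memory SQLite database through PDO so it runs offline from the command line, and the table name, column names and the demo user "alice" are assumptions made here for a self-contained run:

```php
<?php
// Added example (not from the original post): hardened token + session cookie handling.
// Assumptions: PHP >= 7.3, PDO with the sqlite driver, table/column names invented here.
declare(strict_types=1);

const COOKIE_NAME = 'auth';
const SESSION_TTL = 3600;

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                    password_hash TEXT NOT NULL, session_hash TEXT, session_expires INTEGER)');
    }
    return $pdo;
}

// Registration: bcrypt via password_hash() instead of a bare SHA-1, and the username is
// bound as a parameter, never concatenated into the SQL string (injection).
function create_user(string $username, string $password): bool {
    if ($username === '' || $password === '') {
        return false;
    }
    try {
        db()->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
            ->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {          // UNIQUE constraint hit: username already taken
        return false;
    }
    return true;
}

// Login: returns the cookie value "<user id>-<secret>" or null on bad credentials.
function login(string $username, string $password): ?string {
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so response time does not
    // differ between "no such user" and "wrong password".
    $hash = ($row !== false) ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    return issue_session((int)$row['id']);
}

// A fresh secret from the CSPRNG on every login (fixation): nothing chosen before
// authentication stays valid. Only its hash is stored, so a database read does not
// hand out usable cookie values.
function issue_session(int $userId): string {
    $secret = bin2hex(random_bytes(32));
    db()->prepare('UPDATE users SET session_hash = ?, session_expires = ? WHERE id = ?')
        ->execute([hash('sha256', $secret), time() + SESSION_TTL, $userId]);
    return $userId . '-' . $secret;
}

// Validate a presented cookie value; returns the username or null.
function validate_cookie(string $cookie): ?string {
    if (!preg_match('/\A(\d+)-([0-9a-f]{64})\z/', $cookie, $m)) {
        return null;                      // malformed: reject before touching the database
    }
    $stmt = db()->prepare('SELECT username, session_hash, session_expires FROM users WHERE id = ?');
    $stmt->execute([(int)$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['session_hash'] === null || $row['session_expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time, so a mismatch does not leak via timing.
    if (!hash_equals($row['session_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    return $row['username'];
}

// HttpOnly keeps script (XSS) away from the cookie, Secure keeps it off plaintext HTTP
// (sidejacking), SameSite limits cross-site sending. Call this from the web SAPI.
function send_session_cookie(string $value): void {
    setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Demo run (CLI): register, log in, validate, then show a tampered cookie and a bad
// password being rejected.
create_user('alice', 'correct horse battery staple');
$cookie   = login('alice', 'correct horse battery staple');
$tampered = strtok($cookie, '-') . '-' . str_repeat('0', 64);
var_dump(validate_cookie($cookie));
var_dump(validate_cookie($tampered));
var_dump(login('alice', 'wrong password'));
```

Two design choices worth noting against the posted scripts: the cookie secret comes from random_bytes() rather than sha1($username.time()), because a value built from a known username and a timestamp is far easier to guess than 256 random bits; and the cookie is checked with hash_equals() against a stored hash, so neither a timing difference in the comparison nor a copy of the users table gives away a live session. Rotating the secret on every request, as Session.php does, is optional on top of this; rotating it at login is the part that defeats fixation.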
