AdRock Posted October 24, 2014 (edited)

I have been following an article on creating bullet-proof sessions, but I'm having problems with session variables I'm creating getting destroyed. I call session_start() like this:

```php
SessionManager::sessionStart('MySession', 0, '/', 'localhost');
```

But when I try to add new session vars, I think the preventHijacking() function is getting called for some reason and it wipes out the session and creates a new one. Any ideas how I can get this to work?

Here is the link: http://blog.teamtreehouse.com/how-to-create-bulletproof-sessions

And here is the complete code:

```php
class SessionManager
{
    static function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null)
    {
        // Set the cookie name
        session_name($name . '_Session');

        // Set SSL level. isset($_SERVER['HTTPS']) alone is true even when the
        // value is 'off' (as IIS sends it), so the value is checked as well.
        $https = isset($secure)
            ? $secure
            : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');

        // Set session cookie options (lifetime, path, domain, secure, httponly)
        session_set_cookie_params($limit, $path, $domain, $https, true);
        session_start();

        // Make sure the session hasn't expired, and destroy it if it has
        if (self::validateSession()) {
            // Check to see if the session is new or a hijacking attempt
            if (!self::preventHijacking()) {
                // Reset session data and regenerate id
                $_SESSION = array();
                $_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
                $_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
                self::regenerateSession();
            // Give a 5% chance of the session id changing on any request
            } elseif (rand(1, 100) <= 5) {
                self::regenerateSession();
            }
        } else {
            // Expired or obsolete session: throw the data away and start over
            $_SESSION = array();
            session_destroy();
            session_start();
        }
    }

    static protected function preventHijacking()
    {
        // A session without the fingerprint values is either brand new or tampered with
        if (!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent'])) {
            return false;
        }

        if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) {
            return false;
        }

        if ($_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT']) {
            return false;
        }

        return true;
    }

    static function regenerateSession()
    {
        // If this session is obsolete it means there already is a new id
        if (isset($_SESSION['OBSOLETE'])) {
            return;
        }

        // Set current session to expire in 10 seconds
        $_SESSION['OBSOLETE'] = true;
        $_SESSION['EXPIRES'] = time() + 10;

        // Create new session without destroying the old one
        session_regenerate_id(false);

        // Grab current session ID and close both sessions to allow other scripts to use them
        $newSession = session_id();
        session_write_close();

        // Set session ID to the new one, and start it back up again
        session_id($newSession);
        session_start();

        // Now we unset the obsolete and expiration values for the session we want to keep
        unset($_SESSION['OBSOLETE']);
        unset($_SESSION['EXPIRES']);
    }

    static protected function validateSession()
    {
        // An obsolete session must carry an expiry; otherwise it is invalid
        if (isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES'])) {
            return false;
        }

        // The old session is only valid for the short grace period after regeneration
        if (isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time()) {
            return false;
        }

        return true;
    }
}
```

Edited October 24, 2014 by AdRock
Jacques1 Posted October 24, 2014

Simply don't use this class. It's poor and hasn't been updated for 5(!) years. A lot of the features are naive and will introduce bugs and usability issues rather than actually increase security. For example, it's complete nonsense to bind the session to one IP address. It's perfectly legitimate for a user to have multiple IP addresses and change them regularly, and at the same time a single IP address may be shared by hundreds or even thousands of users. If your application cannot deal with that, you have a problem.

What you should do is learn about the various session-related threats and then write your own code.
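As an added example (not code from this thread, from the Treehouse article, or from either poster), here is the shape of a session bootstrap written along the lines of the advice above: no IP or User-Agent binding, idle and absolute timeouts instead, strict-mode IDs to defeat fixation, and regeneration at login. It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(); the function names secure_session_start, on_login and destroy_session and the timeout values are my own choices.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.3+.
// Timeout values are illustrative; pick them for your application.
const SESSION_IDLE_LIMIT     = 1800;      // 30 minutes without a request
const SESSION_ABSOLUTE_LIMIT = 8 * 3600;  // 8 hours since the session was created

function secure_session_start(): void
{
    // Reject session IDs the server never issued (mitigates session fixation).
    ini_set('session.use_strict_mode', '1');
    // Accept the ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'domain'   => '',     // host-only cookie; no explicit Domain attribute
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    }

    // Idle and absolute timeouts replace the IP/User-Agent "fingerprint" check:
    // they limit how long a stolen ID is useful without breaking mobile users.
    $idle_expired = isset($_SESSION['last_seen'])
        && ($now - $_SESSION['last_seen']) > SESSION_IDLE_LIMIT;
    $abs_expired  = ($now - $_SESSION['created_at']) > SESSION_ABSOLUTE_LIMIT;

    if ($idle_expired || $abs_expired) {
        destroy_session();
        // With use_strict_mode on, the old (now deleted) ID from the request
        // cookie is refused and PHP issues a fresh one here.
        session_start();
        $_SESSION['created_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

// Call right after a successful login (or any privilege change). Deleting the
// pre-authentication session makes a fixed or previously leaked ID worthless.
function on_login(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user_id;
    $_SESSION['created_at'] = time();
}

// Full logout: clear server-side data and expire the cookie on the client.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```

Call secure_session_start() once at the top of every request, on_login() only after credentials have been verified, and destroy_session() on logout. Leaving the cookie domain empty yields a host-only cookie, which also works on localhost, where an explicit Domain attribute is commonly rejected by browsers.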