AdRock Posted October 24, 2014 Share Posted October 24, 2014 (edited) I have been following an article on creating bullet proof sessions but I'm having problems with session variables i'm creating getting destroyed I call the session_start() like this SessionManager::sessionStart('MySession', 0, '/', 'localhost'); But when i try to add new session vars, i think the preventHijacking() function is is getting called for some reason and it wipes out the session and creates a new one. Any ideas how I can get this to work? Here is the link http://blog.teamtreehouse.com/how-to-create-bulletproof-sessions And here is the complete code class SessionManager{ static function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null) { // Set the cookie name session_name($name . '_Session'); // Set SSL level $https = isset($secure) ? $secure : isset($_SERVER['HTTPS']); // Set session cookie options session_set_cookie_params($limit, $path, $domain, $https, true); session_start(); // Make sure the session hasn't expired, and destroy it if it has if(self::validateSession()) { // Check to see if the session is new or a hijacking attempt if(!self::preventHijacking()) { // Reset session data and regenerate id $_SESSION = array(); $_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR']; $_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT']; self::regenerateSession(); // Give a 5% chance of the session id changing on any request } elseif(rand(1, 100) <= 5) { self::regenerateSession(); } } else { $_SESSION = array(); session_destroy(); session_start(); } } static protected function preventHijacking() { if(!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent'])) return false; if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) return false; if( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT']) return false; return true; } static function regenerateSession() { // If this session is obsolete it means there already is a new id if(isset($_SESSION['OBSOLETE'])) return; // Set current session to expire in 10 seconds $_SESSION['OBSOLETE'] = true; $_SESSION['EXPIRES'] = time() + 10; // Create new session without destroying the old one session_regenerate_id(false); // Grab current session ID and close both sessions to allow other scripts to use them $newSession = session_id(); session_write_close(); // Set session ID to the new one, and start it back up again session_id($newSession); session_start(); // Now we unset the obsolete and expiration values for the session we want to keep unset($_SESSION['OBSOLETE']); unset($_SESSION['EXPIRES']); } static protected function validateSession() { if( isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES']) ) return false; if(isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time()) return false; return true; } } Edited October 24, 2014 by AdRock Quote Link to comment https://forums.phpfreaks.com/topic/292032-bullet-proof-sessions-not-working/ Share on other sites More sharing options...
Jacques1 Posted October 24, 2014 Share Posted October 24, 2014 Simply don't use this class. It's poor and hasn't been updated for 5(!) years. A lot of the features are naive and will introduce bugs and usability issues rather than actually increase security. For example, it's complete nonsense to bind the session to one IP address. It's perfectly legitimate for a user to have multiple IP addresses and change them regularly, and at the same time a single IP address may be shared by hundreds or even thousands of users. If your application cannot deal with that, you have a problem. What you should do is learn about the various session-related threats and then write your own code. 1 Quote Link to comment https://forums.phpfreaks.com/topic/292032-bullet-proof-sessions-not-working/#findComment-1494599 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.