Jump to content

Recommended Posts

I have been following an article on creating bullet proof sessions but I'm having problems with session variables i'm creating getting destroyed

 

I call the session_start() like this

SessionManager::sessionStart('MySession', 0, '/', 'localhost');

But when i try to add new session vars, i think the preventHijacking() function is is getting called for some reason and it wipes out the session and creates a new one.

 

Any ideas how I can get this to work?

 

Here is the link http://blog.teamtreehouse.com/how-to-create-bulletproof-sessions

 

And here is the complete code

class SessionManager{
static function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null)
{
// Set the cookie name
session_name($name . '_Session');


// Set SSL level
$https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);


// Set session cookie options
session_set_cookie_params($limit, $path, $domain, $https, true);
session_start();


// Make sure the session hasn't expired, and destroy it if it has
if(self::validateSession())
{
// Check to see if the session is new or a hijacking attempt
if(!self::preventHijacking())
{
// Reset session data and regenerate id
$_SESSION = array();
$_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
self::regenerateSession();


// Give a 5% chance of the session id changing on any request
}
elseif(rand(1, 100) <= 5)
{
self::regenerateSession();
}
}
else
{
$_SESSION = array();
session_destroy();
session_start();
}
}


static protected function preventHijacking()
{
if(!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent']))
return false;


if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR'])
return false;


if( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT'])
return false;


return true;
}


static function regenerateSession()
{
// If this session is obsolete it means there already is a new id
if(isset($_SESSION['OBSOLETE']))
return;


// Set current session to expire in 10 seconds
$_SESSION['OBSOLETE'] = true;
$_SESSION['EXPIRES'] = time() + 10;


// Create new session without destroying the old one
session_regenerate_id(false);


// Grab current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();


// Set session ID to the new one, and start it back up again
session_id($newSession);
session_start();


// Now we unset the obsolete and expiration values for the session we want to keep
unset($_SESSION['OBSOLETE']);
unset($_SESSION['EXPIRES']);
}


static protected function validateSession()
{
if( isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES']) )
return false;


if(isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time())
return false;


return true;
}
}
Edited by AdRock
Link to comment
https://forums.phpfreaks.com/topic/292032-bullet-proof-sessions-not-working/
Share on other sites

Simply don't use this class. It's poor and hasn't been updated for 5(!) years.

 

A lot of the features are naive and will introduce bugs and usability issues rather than actually increase security. For example, it's complete nonsense to bind the session to one IP address. It's perfectly legitimate for a user to have multiple IP addresses and change them regularly, and at the same time a single IP address may be shared by hundreds or even thousands of users. If your application cannot deal with that, you have a problem.

 

What you should do is learn about the various session-related threats and then write your own code. 

  • Like 1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.