
How do you use 'Classes' in your code?


rocky48

I am trying to get to grips with secure sessions on a login page I am writing.

Doing some research on Google I found an article called 'How to Create Bulletproof Sessions'.

The first thing the article did was to write a class called SessionManager, which I called SessionManage.php

I include this file like so: 'include('includes/SessionManage.php');'

The class file:

class SessionManager
{
   static function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null)
   {
      // Set the cookie name before we start.
      session_name($name . '_Session');
      // Set the domain to default to the current domain.
      $domain = isset($domain) ? $domain : $_SERVER['SERVER_NAME'];
      // Set the default secure value to whether the site is being accessed with SSL
      $https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
      // Set the cookie settings (HttpOnly always on) and start the session
      session_set_cookie_params($limit, $path, $domain, $https, true);
      session_start();
   }
}

The article says to use this in your code you type one of the following:

 

SessionManage::sessionStart('InstallationName');
SessionManage::sessionStart('Blog_myBlog', 0, '/myBlog/', 'www.site.com');
SessionManage::sessionStart('Accounts_Bank', 0, '/', 'accounts.bank.com', true);

I just used login as the installation name.

When I now run the code I get the following Fatal Error:

 

Fatal error: Uncaught Error: Class 'SessionManager' not found in D:\wamp\www\MFC1066\login.php on line 4

Error: Class 'SessionManager' not found in D:\wamp\www\MFC1066\login.php on line 4

Above the error information the complete code for the class file is printed.

I obviously have not got the syntax correct, but searching the internet has not helped.

Can anybody point out where I am going wrong?


I did wonder about that, so I tried it with the 'r' on the end.

Still gave an error!

 

Fatal error: Uncaught Error: Class 'SessionManager' not found in

Error: Class 'SessionManage' not found in D:\wamp\www\MFC1066\login.php on line 4

I assumed that it should have been SessionManager, as that was the name that was declared as the class.

 

These are the lines in login that call the class file:

include('includes/SessionManage.php');
SessionManager::sessionStart('login');

  • Solution

I feel a right twit!

Such a basic mistake.

 

I didn't put the php tags around the class file.

The fact that the contents of the class file were printed out above the error should have made me realise that it was not being parsed.

Link to comment
Share on other sites

I'm not sure if those “bulletproof sessions” are worth the trouble. The class misses fundamental aspects of secure sessions, performs a lot of questionable checks and has some features that are downright user-hostile.

  • The author mentions the risk of an attacker guessing the ID, but for some reason he doesn't manage to actually fix that with strong randomness.
  • Session fixation is also mentioned, but again a crucial feature to prevent this (cookie-only sessions) just doesn't exist in the code.
  • It's sufficient to regenerate the session ID right after the log-in, yet large parts of the text and code deal with changing the ID on random requests and the problems that arise from that. This could be made a lot simpler.
  • Binding the session to an IP address and user agent may be well-meant, but it's extremely annoying for users who change those often (e.g. due to tools like Tor). You just cannot assume that everybody uses the Internet in the same way you do.
  • Nothing about secure log-outs. No code, no explanation.

Like many times, you'll probably get a lot more security through proper configuration rather than installing some third-party class. And maybe one day the PHP core developers will manage to design a session system that is secure by default and doesn't require us to write entire tutorials on fixing the current one.
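
The configuration-first approach described in the post above, as an added example that is not part of the thread or of the article it discusses. The function names are hypothetical, and it assumes PHP 7.1 or later and a site served over HTTPS.

```php
<?php
// Added example: session hardening through PHP's own settings.
// startSecureSession(), logIn() and logOut() are hypothetical names.

function startSecureSession()
{
    // Strong randomness: from PHP 7.1 the session ID comes from the
    // CSPRNG by default, so no custom ID generation is needed.

    // Cookie-only sessions: never accept or emit the ID in a URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that this server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from scripts and off plain HTTP.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1'); // assumption: HTTPS-only site
    session_start();
}

function logIn($userId)
{
    // One regeneration at the privilege change is enough; passing true
    // deletes the data stored under the old ID.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logOut()
{
    // Clear the data, expire the cookie in the browser, then remove
    // the server-side session record.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The same directives can be set once in php.ini instead of per request, which keeps them out of application code entirely.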
