
PHP security concerns
KeyStorm
Elite Member
Posts: 2156
Reputation: 45
Joined: Jan 2003
O.P. PHP security concerns
Well, I'm developing a class in PHP to handle sessions on a framework level (so I can use it in several applications), but it is currently focused on Chameleon.*

Well, I tried to avoid the use of session files, since they may be a fast solution but aren't always reliable (memory quota, void session handling, session hijacking).
What I do is generate a session ID with session_start, fill the session file with a boolean (to avoid the void session automatic destruction, but keeping the file as sleek as possible) and store all data to the database. With several features I can allow custom session timeouts, session suspension (to recover your session in the next login), etc. The problem is that authentication of the session owner is somewhat tricky.

To start a session, people are supposed to log in. Once they do, the session is saved to the database, i.e. it becomes a persistent session. Using the session ID I link the user to that single stored session. But the SIDs can easily be hijacked, either by URL appending or by cookie faking.

This brings me to the question about more reliable checks to verify that the user who is identifying themselves with a certain SID really is the user the SID was generated for. But... How to handle proxy IPs? How to get a unique value from a client?

I know there is no perfect way to protect users from sniffing and hacking into their accounts, but what would be the most reliable methods to make it hard for hackers and keep it simple in the code? (This means do not require me to install and use SSL libs, because it would really be overkill in certain circumstances, imo.)

Would someone know how to make it the best way possible? :)
Actually post your thoughts, even if they're not proved to be bulletproof ;)

__
* Some more free advertising :gfdrin:

This post was edited on 05-21-2005 at 03:33 PM by KeyStorm.
05-21-2005 03:33 PM
-dt-
Scripting Contest Winner
Posts: 1819
Reputation: 74
Joined: Mar 2004
RE: PHP security concerns
quote:
Originally posted by KeyStorm
This brings me to the question about more reliable checks to verify that the user who is identifying themselves with a certain SID really is the user the SID was generated for. But... How to handle proxy IPs? How to get a unique value from a client?

Hash the user agent + IP + a random number you store in a cookie.
That should give you a pretty unique string. The cookie is for added protection, so if two users are on the same proxy and using the same browser you can tell them apart.

edit:
If I'm not even talking about the right thing, ignore this; it's pretty late at night and I'm going to bed. I'll read it again in the morning.

This post was edited on 05-21-2005 at 04:41 PM by -dt-.
05-21-2005 04:36 PM
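Putting KeyStorm's setup (session ID from session_start, state kept server-side, login creates the persistent session) together with -dt-'s suggestion (hash of user agent + IP + a random cookie value), the following is an added example of binding a PHP session to the client. It is not KeyStorm's class and not code posted in this thread. It assumes PHP 7.3 or later (for random_bytes(), hash_equals() and the array form of setcookie()); the cookie name sbind, the session keys fp and seen, the 30-minute timeout and the /login.php path are made-up values for the example. To answer the proxy question, only the first two octets of an IPv4 address go into the hash, so users whose proxy pool rotates addresses inside one network keep their session; an IPv6 address is used whole.

```php
<?php
// Added example, not KeyStorm's code: bind a PHP session to the client that
// logged in, using a hash of user agent + IP prefix + random cookie value.

const BIND_COOKIE = 'sbind';   // name of the extra random cookie (assumption)
const SESSION_TTL = 1800;      // server-side idle timeout in seconds (assumption)

// Refuse SIDs passed in the URL and SIDs the server never issued. This is
// what defeats the "URL appending" hijack KeyStorm mentions, and it has to
// be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// Fingerprint the client. Only the first two IPv4 octets are used so that a
// rotating proxy pool inside one network does not log the user out; an IPv6
// address contains no '.' and is therefore used whole.
function fingerprint(string $userAgent, string $ip, string $token): string
{
    $ipPrefix = implode('.', array_slice(explode('.', $ip), 0, 2));
    return hash('sha256', $userAgent . '|' . $ipPrefix . '|' . $token);
}

// Call right after the login credentials have been verified.
function bindSession(): void
{
    // A fresh ID defeats fixation: a SID planted on the victim before login
    // (via URL or a pre-set cookie) is worthless afterwards.
    session_regenerate_id(true);

    $token = bin2hex(random_bytes(16));          // 128-bit random cookie value
    setcookie(BIND_COOKIE, $token, [
        'expires'  => 0,                          // session cookie
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),  // only sent over TLS when TLS is on
        'httponly' => true,                       // not readable by injected scripts
        'samesite' => 'Lax',
    ]);

    $_SESSION['fp']   = fingerprint($_SERVER['HTTP_USER_AGENT'] ?? '',
                                    $_SERVER['REMOTE_ADDR'] ?? '', $token);
    $_SESSION['seen'] = time();
}

// Call at the top of every authenticated page. Returns true only if the
// request carries a bound session whose fingerprint and timeout still hold.
function sessionIsValid(): bool
{
    if (empty($_SESSION['fp']) || empty($_COOKIE[BIND_COOKIE])) {
        return false;
    }
    if (time() - (int) ($_SESSION['seen'] ?? 0) > SESSION_TTL) {
        return false;                             // idle too long
    }
    $expected = fingerprint($_SERVER['HTTP_USER_AGENT'] ?? '',
                            $_SERVER['REMOTE_ADDR'] ?? '',
                            (string) $_COOKIE[BIND_COOKIE]);
    // Constant-time comparison: a plain == would leak timing information.
    if (!hash_equals($_SESSION['fp'], $expected)) {
        return false;
    }
    $_SESSION['seen'] = time();                   // slide the timeout window
    return true;
}

// Throw the session away on logout or on a failed check.
function endSession(): void
{
    $_SESSION = [];
    setcookie(BIND_COOKIE, '', time() - 3600, '/');
    session_destroy();
}

// Usage on an authenticated page:
session_start();
if (!sessionIsValid()) {
    endSession();
    header('Location: /login.php');               // login page path is an assumption
    exit;
}
```

Two things worth knowing about what this buys. The user agent and IP are visible to anyone who can see the traffic, so the random cookie is the only component an eavesdropper cannot guess; someone who captures both the PHP session cookie and the bind cookie can still replay them, which is why the binding narrows the hijack window rather than closing it, and why KeyStorm's SSL question does not go away entirely. If the session data lives in the database as KeyStorm describes, the fingerprint and last-seen timestamp belong in that row instead of $_SESSION; the checks stay the same.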
segosa
Community's Choice
Posts: 1407
Reputation: 92
Joined: Feb 2003
RE: PHP security concerns
I'll tell optimism_ about this thread, he had a very advanced way of doing this...
The previous sentence is false. The following sentence is true.
05-21-2005 08:09 PM