Originally posted by bens1901:
I recently received this message "Your script possibly relies on a session side-effect which existed until PHP 4.2.3. ...
This is an example of what I've been using (where 'SESSION_NAME' and 'SESSION_TIME_LIMIT' are constants I've defined elsewhere):
[php]
session_name(SESSION_NAME);
session_start();
$user = $_SESSION['user'];
$order = $_SESSION['order'];
...blah...
..blah...
$_SESSION['user'] = $user;
$_SESSION['order'] = $order;
[/php]
You have to register your variables inside the $_SESSION superglobal before the end of your scripts, otherwise they won't stick.
I have also supplemented session security by doing the following whenever a new session is authorised (via password lookup):
[php]
$session_key = microtime().$login['username'];
$expiration_time = time() + SESSION_TIME_LIMIT;
$passhash = md5($password.PRIVATE_KEY);
$hash = md5($session_key.$expiration_time.PRIVATE_KEY.$passhash);
setcookie("authSID",$session_key,$expiration_time,"/","",0);
setcookie("authEXP",$expiration_time,$expiration_time,"/","",0);
setcookie("authHID",$hash,$expiration_time,"/","",0);
setcookie("authPID",$passhash,$expiration_time,"/","",0);
[/php]
In this example, 'PRIVATE_KEY' is set to an md5 of a secret phrase. This essentially ensures that none of your session variables can be hijacked by someone tampering with browser cookies. The code to validate your current session against the 'correct' variables is:
[php]
function authenticate()
{
    if (!isset($_COOKIE['authHID'], $_COOKIE['authSID'], $_COOKIE['authEXP'], $_COOKIE['authPID'])) return false;
    // Strict string comparison: the (INT) cast discarded everything after the leading digits of the hex digest
    $expected = md5($_COOKIE['authSID'].$_COOKIE['authEXP'].PRIVATE_KEY.$_COOKIE['authPID']);
    return $_COOKIE['authHID'] === $expected && time() < (int) $_COOKIE['authEXP'];
}
[/php]
...where authenticate() will return false if the combined hash of your cookies does not match your Hash cookie... (no double meaning intended).
Is this the sort of thing you're after?
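A hardened version of the same four-cookie scheme, added here as an example and not code from the original post: the tag is an HMAC over the session id and expiry rather than an md5 of the concatenation, the password-derived authPID cookie is dropped because the server secret already binds the token, and validation uses hash_equals() with a strict expiry check. PRIVATE_KEY and SESSION_TIME_LIMIT are assumed constants as in the post; the define() values below are placeholders.

```php
<?php
// Added example, not the original poster's code. Placeholder values for the
// constants the post says are defined elsewhere.
define('PRIVATE_KEY', 'replace-with-a-long-random-server-secret');
define('SESSION_TIME_LIMIT', 3600);

// Tag binding the session id and expiry to the server secret. The separator
// keeps ("ab", 1) and ("a", 21) style field boundaries from colliding.
function auth_tag(string $sid, int $exp): string
{
    return hash_hmac('sha256', $sid . '|' . $exp, PRIVATE_KEY);
}

// Called once after the password lookup succeeds. Sets the cookies and returns
// the values so the caller can log or test them.
function issue_auth_cookies(string $username): array
{
    // Unguessable id; microtime() alone is predictable to a clock-aware client.
    $sid = bin2hex(random_bytes(16)) . '.' . $username;
    $exp = time() + SESSION_TIME_LIMIT;
    $cookies = [
        'authSID' => $sid,
        'authEXP' => (string) $exp,
        'authHID' => auth_tag($sid, $exp),
    ];
    foreach ($cookies as $name => $value) {
        setcookie($name, $value, [
            'expires' => $exp, 'path' => '/',
            'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
        ]);
    }
    return $cookies;
}

// Validate a request's cookies. True only when all fields are present, the
// expiry is a well-formed future timestamp, and the tag matches.
function authenticate(array $cookie): bool
{
    if (!isset($cookie['authSID'], $cookie['authEXP'], $cookie['authHID'])) {
        return false;
    }
    if (!ctype_digit($cookie['authEXP'])) {   // reject before casting
        return false;
    }
    $exp = (int) $cookie['authEXP'];
    if (time() >= $exp) {
        return false;
    }
    // Constant-time, strict string comparison: no (INT) cast, no loose ==.
    return hash_equals(auth_tag($cookie['authSID'], $exp), $cookie['authHID']);
}
```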