This tutorial will answer three questions:
1. What is a Session?
2. When should I use Sessions?
3. How can I maintain a Secure Session?
What is a Session?
I like to think of a session as an instant database or folder that is created on a server for you to store values in (such as items added to a shopping cart). In PHP you can create a session by simply calling the function session_start(). You must call this function before any output is sent to the browser, so it is a good idea to include your session control at the top of every page.
When a session is created it is given a randomly generated identifier. This identifier, which is stored in the form of a cookie on the user's machine, is sent to the server so that values stored in the session can be added, updated, and deleted. If a user has cookies disabled, session variables cannot be stored: the identifier (cookie) does not exist and so cannot be associated with a session id created on the server. There are more complex ways around this roadblock, such as passing the session id through the URL, but for this basic tutorial we will not discuss those methods.

Once the web server has created a cookie on the visitor’s computer, the server can associate the visitor’s computer with their unique database. To store data in this database you create special session variables:

From now on, when you read $_SESSION['new_variable'] it will contain the text "Hello World!". You can delete this session variable with the unset() function. Once you call unset($_SESSION['new_variable']) it will no longer exist as part of your session and the variable will be deleted from the database.
Another important aspect of sessions is how to destroy them. When you destroy a session it cuts off the link between your computer and the unique database. You will no longer have access to any of the session variables until session_start() is called again. You can destroy a session with the session_destroy() function.
NOTE: This does not destroy session variables! They can only be destroyed using the unset() function.
When Should I Use Sessions?
Any time you want to store a value that will need to be accessed at some later point in time, you should store it in a session. If you are building a web store, you should save your item information in session variables. This is one of the simplest applications of sessions:
How can I keep Sessions secure?
So how can you apply this information to make a session secure? Well, you need to think about three things that are going to be unique when a session is created.
1. The exact time the session is created, in hours, minutes, and seconds: date('ymdHis')
2. The browser the visitor is using: $_SERVER['HTTP_USER_AGENT']
3. The IP address of the visitor: $_SERVER['REMOTE_ADDR']
Now that we have these three values, what can we do with them? MD5 hash them into one value that is unique to the visitor. This gives the current visitor an id that uniquely identifies and validates their session.
Are we finished? NOOO! We are still not secured from session hijacking. A cookie monster might come along, steal your cookie, and try to pass it off as your id to hijack your session. This code will do a pretty good job of protecting you from getting hijacked. There is still a chance that the person trying to hijack your session has the exact same IP & browser as you. Since I do not know enough JavaScript, I cannot write the code to grab the local IP of the user, but if I could, the session would be just about unhijackable (if that was a word).
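The session controller below is an added example, not the tutorial's or SyntaxMaster's code. It applies the idea from the section above: fingerprint the visitor's browser and IP, store it together with the creation time in the session, and check it on every request. It assumes PHP 7.3 or later, that it is called before any output, and that the site is served over HTTPS; sha256 is used in place of the tutorial's MD5.

```php
<?php
// Added example (not the tutorial's code). Binds a PHP session to the
// visitor's browser and IP and validates that binding on every request.
// Assumes PHP 7.3+ and that the site is served over HTTPS.

function client_fingerprint(): string
{
    // Same inputs as the tutorial; the creation time is stored separately
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);   // sha256 swapped in for MD5
}

function secure_session_start(): void
{
    // Keep the session id cookie away from scripts and off plain HTTP
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumption: HTTPS-only site
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    session_start();

    $fp = client_fingerprint();
    if (!isset($_SESSION['fingerprint'])) {
        // First request of a new session: record when and for whom it was made
        $_SESSION['created']     = date('ymdHis');
        $_SESSION['fingerprint'] = $fp;
        return;
    }
    if (!hash_equals($_SESSION['fingerprint'], $fp)) {
        // Browser or IP no longer match: treat the cookie as stolen,
        // drop all stored values and issue a fresh id (old data is deleted)
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['created']     = date('ymdHis');
        $_SESSION['fingerprint'] = $fp;
    }
}

function secure_session_login(int $user_id): void
{
    // Issue a new id when the visitor logs in, so an id handed out before
    // login cannot be replayed to reach the logged-in session
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}
```

Binding to REMOTE_ADDR will log out visitors whose IP changes mid-session (mobile networks, proxies), so some sites drop the IP from the fingerprint and rely on the cookie flags and id regeneration instead.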
After you familiarize yourself with sessions and how to secure them, you can create your first login function.
I would recommend including one more function in your session controller. For those of you who like to use <BASE href="http://www.syntaxmaster.info/"> for easy navigation, I created a function in PHP to do the same thing. I think it makes path navigation easier. Any time you need to navigate to an include file or folder you will begin from the home directory.
This is the end of your session control tutorial.
A very big thanks to my coding friend SyntaxMaster.
URL: http://www.syntaxmaster.info/scripts/secur...ion_control.php (Registration Required)
Additional Informational Guide
Cookie hijacking and XSRF/CSRF attacks (contributed by thehobo).
More details here: http://www.codinghorror.com/blog/archives/001175.html
This post has been edited by لادن: Oct 31 2008, 02:42 PM
Oct 27 2008, 10:31 AM