I wrote a custom session handler that encrypts the session before it is stored in /tmp; that way, even if someone has access to the session files, they are useless.

It stores the randomly generated encryption key on the user's client, base64-encoded, which can be intercepted as we all know, but it still increases the difficulty of reading the session files: now they must have access AND sniff the encryption key. Additionally, for the more secure sites I require the user to access the site through SSL so the cookie is not passed in plain text.

If you are interested I'll see if I can send it to you; it uses my Crypt class (a PHP class simplifying Mcrypt usage).

Jason
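An added example of the handler shape Jason describes, written for this page rather than taken from his Crypt class (which is not on the page): a PHP session save handler where the session directory only ever holds ciphertext and the per-client key travels only in a cookie, so a file read from /tmp is useless without the cookie and the cookie is useless without the file. It uses PHP's bundled libsodium (sodium_crypto_secretbox, an authenticated cipher, so an edited file is rejected rather than decrypted) instead of Mcrypt, which has since been removed from PHP, and needs PHP 8 for the union return types. The cookie name `skey`, the use of the system temp directory, and the session id and data in the CLI check are assumptions made for the example.

```php
<?php
// Added example: the session directory only ever holds ciphertext; the key
// travels only in a cookie. Needs the sodium extension (bundled since PHP 7.2).
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private string $dir;
    private string $key;

    public function __construct(string $dir, string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
        $this->dir = rtrim($dir, '/');
        $this->key = $key;
    }

    // nonce || secretbox(plaintext). secretbox is authenticated, so an edited file is rejected, not decrypted.
    public static function encrypt(string $plain, string $key): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
    }

    // null when the blob is truncated, tampered with, or was encrypted under another key.
    public static function decrypt(string $blob, string $key): ?string
    {
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null;
        }
        $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
        return $plain === false ? null : $plain;
    }

    private function path(string $id): string
    {
        // Only the characters PHP uses in its own ids, so a crafted id cannot escape $dir.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $f = $this->path($id);
        $blob = is_file($f) ? file_get_contents($f) : false;
        // A wrong key or a tampered file yields an empty session, not an error.
        return $blob === false ? '' : (self::decrypt($blob, $this->key) ?? '');
    }

    public function write(string $id, string $data): bool
    {
        return file_put_contents($this->path($id), self::encrypt($data, $this->key), LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $f = $this->path($id);
        return !is_file($f) || unlink($f);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) $removed++;
        }
        return $removed;
    }
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check with a constructed session id and constructed session data.
    $id  = str_repeat('a', 26);
    $key = sodium_crypto_secretbox_keygen();
    $h   = new EncryptedFileSessionHandler(sys_get_temp_dir(), $key);
    $h->write($id, 'user|a:1:{s:4:"name";s:6:"wouter";}');
    var_dump($h->read($id) === 'user|a:1:{s:4:"name";s:6:"wouter";}');   // bool(true)
    $other = new EncryptedFileSessionHandler(sys_get_temp_dir(), sodium_crypto_secretbox_keygen());
    var_dump($other->read($id));   // string(0) "": the file alone is useless without the cookie
    $h->destroy($id);
} else {
    // Web wiring: key from the 'skey' cookie (assumed name), or a fresh one sent back Secure+HttpOnly.
    $key = isset($_COOKIE['skey']) ? base64_decode($_COOKIE['skey'], true) : false;
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        $key = sodium_crypto_secretbox_keygen();
        setcookie('skey', base64_encode($key), ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    ini_set('session.cookie_secure', '1');   // the session-id cookie must not travel in the clear either
    session_set_save_handler(new EncryptedFileSessionHandler(sys_get_temp_dir(), $key), true);
    session_start();
}
```

Run from the command line it writes, reads back and then fails to read a session file under a second key; in a web request it registers itself before session_start(). Losing the key cookie simply produces an empty session, which is the intended failure mode: the server never stores the key, so nothing on the server can recover a session on the client's behalf.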

Wouter van Vliet wrote:

Hi All,

There's always been a lot of discussion about how safe sessions are. I'd like to store a complete user object (instance of a class) in a session with the best security measures possible. Who doesn't?

Now, to prevent the session file from being stolen from the server by some other user of the virtual host, I did this to my object:

    class User   # class name assumed; the methods below are the original ones
    {
        public $Data  = array();   # the user data worth protecting
        public $Night = array();   # IP address and time recorded when serialized

        # Called upon serialization of the object. It stores the IP
        # address and serialization time.
        function __sleep()
        {
            $this->Night = array('Time' => time(), 'IP' => $_SERVER['REMOTE_ADDR']);
            return array('Data', 'Night');
        }

        # When deserialized we are called and need to check if the
        # stored IP address equals the client's
        function __wakeup()
        {
            global $Log;   # the application's logger object
            if ($_SERVER['REMOTE_ADDR'] != $this->Night['IP']) {
                $Log->Warning('IP Address changed during sleep and wakeup, will clear userdata');
                $this->Data = array();
            }
        }
    }

Upon sleep it stores the IP and time in the session data, and when it smells coffee my object wakes up, checks if it's still being used on the same host, and if not the user data is plainly cleared.

This probably takes care of the problem with session ids in the query string, which get passed as the referrer to the next website our visitor visits. What I'm worrying and wondering about now are other users of the server my site is on. They can most likely go into the /tmp folder and just read my session files. Not nice. I know it has been discussed quite a few times now, but I never really found anything other than warnings, no real solutions.

So, get your ideas rolling and let the good things flow...

Wouter
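As an added example, not Wouter's code: his __sleep/__wakeup binding carried a step further. His record stores a time but never checks it, and it lives inside the very file the other users of the host can reach, so anyone who can write /tmp could also rewrite the stored IP to their own. The version below adds an expiry check on the stored time and an HMAC over (Data, Time, IP) under a key that is assumed to come from outside the session directory (here the hypothetical SESSION_MAC_KEY environment variable; the 1800-second lifetime, the class name and the addresses in the demonstration are likewise assumptions for the example). The demonstration at the bottom serializes a user, then replays the record from another address, then edits the stored IP the way someone with write access could.

```php
<?php
declare(strict_types=1);

// Added example: Wouter's __sleep/__wakeup binding, plus an expiry check on the
// stored time and an HMAC over (Data, Time, IP). The HMAC key is assumed to be
// supplied from outside the session directory via the hypothetical SESSION_MAC_KEY
// environment variable, so someone who can edit the file cannot forge the record.
final class BoundUser
{
    public const MAX_AGE = 1800;   // assumed: seconds a serialized copy stays valid

    public array $Data  = [];      // the user data worth protecting
    public array $Night = [];      // ['Time' => int, 'IP' => string, 'Mac' => string]

    private static function macKey(): string
    {
        $key = getenv('SESSION_MAC_KEY');
        if ($key === false || strlen($key) < 32) {
            throw new RuntimeException('SESSION_MAC_KEY must be set to at least 32 bytes');
        }
        return $key;
    }

    private static function mac(array $data, int $time, string $ip): string
    {
        // JSON gives an unambiguous encoding of the three fields before keying.
        $msg = json_encode([$data, $time, $ip], JSON_THROW_ON_ERROR);
        return hash_hmac('sha256', $msg, self::macKey());
    }

    public function __sleep(): array
    {
        $time = time();
        $ip   = $_SERVER['REMOTE_ADDR'] ?? '';
        $this->Night = ['Time' => $time, 'IP' => $ip, 'Mac' => self::mac($this->Data, $time, $ip)];
        return ['Data', 'Night'];
    }

    public function __wakeup(): void
    {
        $reason = $this->check($_SERVER['REMOTE_ADDR'] ?? '', time());
        if ($reason !== null) {
            error_log("session binding rejected ($reason), clearing userdata");
            $this->Data = [];
        }
    }

    // null when the stored record is acceptable for this client, otherwise why not.
    public function check(string $clientIp, int $now): ?string
    {
        $time = $this->Night['Time'] ?? null;
        $ip   = $this->Night['IP']   ?? null;
        $mac  = $this->Night['Mac']  ?? null;
        if (!is_int($time) || !is_string($ip) || !is_string($mac)) {
            return 'malformed binding record';
        }
        // Verify the MAC before trusting anything else in the record.
        if (!hash_equals(self::mac($this->Data, $time, $ip), $mac)) {
            return 'MAC mismatch: record edited or wrong key';
        }
        if ($ip !== $clientIp) {
            return "IP changed from $ip to $clientIp";
        }
        if ($now - $time > self::MAX_AGE) {
            return 'record older than ' . self::MAX_AGE . ' seconds';
        }
        return null;
    }
}

// Demonstration with a constructed request; run from the CLI.
putenv('SESSION_MAC_KEY=' . str_repeat('k', 32));   // constructed key, for the demo only
$_SERVER['REMOTE_ADDR'] = '203.0.113.5';
$u = new BoundUser();
$u->Data = ['name' => 'wouter', 'admin' => true];
$blob = serialize($u);                                // what the session file would hold

$same = unserialize($blob);                           // same client: data survives
var_dump($same->Data === ['name' => 'wouter', 'admin' => true]);   // bool(true)

$_SERVER['REMOTE_ADDR'] = '198.51.100.9';             // another host replays the file as-is
var_dump(unserialize($blob)->Data);                   // array(0) {}: IP check clears it

// The other host can also edit the file and put its own IP in the record: the MAC catches it.
$forged = str_replace('s:11:"203.0.113.5"', 's:12:"198.51.100.9"', $blob);
var_dump(unserialize($forged)->Data);                 // array(0) {}: MAC mismatch clears it
```

Two things to keep in mind when using a check like this: unserialize() has already built the object by the time __wakeup runs, so the MAC vouches for the contents of Data, not for which class got instantiated; and a binding check limits what a stolen file is worth, it does not stop the file from being read, which is a matter of where the session store lives and who can reach it.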




-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php