I would also be interested in seeing the code as well.  If you could also
e-mail it to me, I would be very appreciative.

Ben

-----Original Message-----
From: Jason Sheets [mailto:[EMAIL PROTECTED]
Sent: Friday, September 12, 2003 4:56 PM
To: Wouter van Vliet
Cc: PHP General
Subject: Re: [PHP] Session stealing, ..


I wrote a custom session handler that encrypts the session before it is
stored in /tmp that way even if someone has access to the session files
they are useless.

It stores the randomly generated encryption key on the user's client
base64_encoded, which can be intercepted as we all know, but it still
increases the difficulty of reading the /session files: now they must
have access AND sniff the encryption key.  Additionally, for the more
secure sites I require the user to access the site through SSL so the
cookie is not passed in plain text.

If you are interested I'll see if I can send it to you, it uses my Crypt
Class (PHP class simplifying Mcrypt usage).

Jason

Wouter van Vliet wrote:

>Hi All,
>
>There's always been a lot of discussion about how safe sessions are. I'd
>like to store a complete user object (instance of a class) in a session with
>the best security measures possible. Who doesn't?
>
>Now, to prevent the session file on the server from being stolen by some
>other user of the virtual host, I did this to my object:
>
>    # Called upon serialization of the object. It stores the IP
>    # address and serialization time.
>    function __sleep() {
>        $this->Night = Array('Time' => time(), 'IP' => $_SERVER['REMOTE_ADDR']);
>        return Array('Data', 'Night');
>    }
>
>    # When deserialized we are called and need to check if the
>    # stored IP address equals the client's
>    function __wakeup() {
>        global $Log;
>        if ($_SERVER['REMOTE_ADDR'] != $this->Night['IP']) {
>            $Log->Warning('IP Address changed during sleep and wakeup, will clear userdata');
>            $this->Data = Array();
>        }
>    }
>
>Upon sleep it stores the IP and time in the session data, and when it smells
>coffee my object wakes up, checks if he's still being used on the same host
>and if not the userdata is plainly cleared.
>
>This all probably takes care of the problem with session ids in the
>query string, which is known as referrer to the next website our visitor
>visits. What I'm worrying and wondering about now are other users of the
>server my site's at. They can most likely go into the /tmp folder and just
>read my session files. Not Nice. I know it has been discussed for quite some
>time now .. but I never really found anything else than warnings for stuff,
>no real solutions.
>
>So, get your ideas rolling and let the good things flow...
>
>Wouter
>
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
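An added example, not Jason's Crypt class or any code from this thread: a PHP session save handler along the lines Jason describes, which encrypts each session file under a per-client key that lives only in a cookie, so the files in /tmp that Wouter worries about are useless on their own. It assumes PHP 7.2 or later for the libsodium functions; the class name and the cookie name `sk` are my own choices.

```php
<?php
// Assumes PHP >= 7.2 (libsodium). Class name and cookie name 'sk' are invented here.
class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private $dir, $key; // $key: 32-byte secretbox key that lives only in the client's cookie
    public function __construct(string $dir, string $key) { $this->dir = rtrim($dir, '/'); $this->key = $key; }
    // Only accept ids made of the characters PHP itself generates (no path tricks)
    private function file(string $id): string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) ? $this->dir . "/sess_$id" : '';
    }
    public function open($path, $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }
    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $f = $this->file($id);
        if ($f === '' || !is_file($f)) { return ''; }
        $blob = file_get_contents($f);
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if (strlen($blob) <= $n) { return ''; }
        $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $this->key);
        return $plain === false ? '' : $plain; // wrong key or tampered file: session starts empty
    }
    public function write($id, $data): bool
    {
        $f = $this->file($id);
        if ($f === '') { return false; }
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce on every write
        $blob = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($f, $blob, LOCK_EX) !== false;
    }
    public function destroy($id): bool { $f = $this->file($id); return $f === '' || !is_file($f) || unlink($f); }
    #[\ReturnTypeWillChange]
    public function gc($maxlifetime)
    {
        foreach (glob($this->dir . '/sess_*') as $f) { if (filemtime($f) + $maxlifetime < time()) { unlink($f); } }
        return true;
    }
}

// The key cookie is issued on first visit, Secure + HttpOnly so it only travels over SSL.
$key = isset($_COOKIE['sk']) ? base64_decode($_COOKIE['sk'], true) : false;
if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    setcookie('sk', base64_encode($key), 0, '/', '', true, true);
}
session_set_save_handler(new EncryptedFileSessionHandler(sys_get_temp_dir(), $key), true);
session_start();
```

Because secretbox authenticates the ciphertext, a file that was modified by another user on the host, or read back with a key that does not match, decrypts to nothing and the session simply starts empty rather than loading tampered data.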