hello all!
I would like to create a session class which would transparently handle
sessions as well as serialize, encode and compute an md5 hash of all
$_REQUEST information. This would essentially intercept all $_GET strings
and $_POST data.
I would envision upon session creation (in the session class constructor)
that a random string secret would be created that would be saved to
$_SESSION['secret'] for example. I would take all the $_REQUEST data,
base64_encode() it, then serialize it and perform an md5() on it
concatenated with the secret. The base64_encoded serialized data would be
saved along with the hash in $_SESSION.
I guess I'm having a hard time conceptualizing this, much less explaining it. I
hope someone can understand what I'm trying to do. Basically, I want to
ensure that any POST and GET data isn't hijacked or tampered with, which
would be verified upon using the passed data by verifying against the hash.
Perhaps the secret shouldn't be put in $_SESSION, since a user could
potentially see this? Is there somewhere else I could store this?
I am also doing this to make sure that, if in my code I'm performing simple
functions like mysite.com?action=edit&id=55, that someone doesn't
arbitrarily mess with the id or action, since this URL would be rewritten
and/or passed solely using the GET string in the $_SESSION as described
above.
Anyone have any ideas, comments or suggestions as to what I should do?
TIA!
-GN
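Session data is stored server-side, so a secret kept in $_SESSION is not visible to the client; only the session id travels in the cookie. The following is an added example (not the poster's code) of the scheme described above, using hash_hmac keyed with the per-session secret instead of md5(data . secret) and hash_equals for the comparison; the $session array and the mysite.com URL are constructed stand-ins, and the parameters are assumed to be flat scalars.

```php
<?php
// Added example: sign request parameters with a per-session secret (HMAC),
// then verify them before the application trusts action/id. Not the poster's code.

// Per-session secret, generated once and kept server-side. In a real app this
// would be created in the session class constructor and stored in $_SESSION['secret'].
function make_secret(): string {
    return bin2hex(random_bytes(32));
}

// Canonicalise the parameters (string values, sorted keys) so that key order
// or int/string differences cannot change the signature, then HMAC the
// base64-encoded serialized payload. Flat scalar parameters are assumed.
function sign_params(array $params, string $secret): string {
    $params = array_map('strval', $params);
    ksort($params);
    $payload = base64_encode(serialize($params));
    return hash_hmac('sha256', $payload, $secret);
}

// Build a URL whose query string carries its own signature in "sig".
function signed_url(string $base, array $params, string $secret): string {
    $params['sig'] = sign_params($params, $secret);
    return $base . '?' . http_build_query($params);
}

// Verify $_GET-style input: strip the signature, recompute it, and compare in
// constant time. Returns the trusted parameters, or null if they were altered.
function verify_params(array $query, string $secret): ?array {
    if (!isset($query['sig']) || !is_string($query['sig'])) {
        return null;
    }
    $sig = $query['sig'];
    unset($query['sig']);
    if (!hash_equals(sign_params($query, $secret), $sig)) {
        return null;
    }
    return $query;
}

// Demo with a constructed $session array standing in for $_SESSION.
$session = ['secret' => make_secret()];
$url = signed_url('https://mysite.com/', ['action' => 'edit', 'id' => 55], $session['secret']);
echo "Link: $url\n";

// The browser comes back with the query string intact: verification succeeds.
parse_str(parse_url($url, PHP_URL_QUERY), $good);
var_dump(verify_params($good, $session['secret']));

// The user edits the id in the URL: the HMAC no longer matches, so null is returned.
$bad = $good;
$bad['id'] = '56';
var_dump(verify_params($bad, $session['secret']));
```

Because the key is per session, a signed link copied from one user's session does not verify in another, and the server never has to store the request data itself, only the secret.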