
want to create a session class

hello all!

I would like to create a session class which would transparently handle
sessions as well as serialize, encode and compute an md5 hash of all
$_REQUEST information. This would essentially intercept all $_GET strings
and $_POST data.

I would envision upon session creation (in the session class constructor)
that a random string secret would be created that would be saved to
$_SESSION['secret'] for example. I would take all the $_REQUEST data,
base64_encode() it, then serialize it and perform an md5() on it
concatenated with the secret. The base64_encoded serialized data would be
saved along with the hash in $_SESSION.

I guess I'm having a hard time conceptualizing this, much less explain it. I
hope someone can understand what I'm trying to do. Basically, I want to
ensure that any POST and GET data isn't hijacked or tampered with, which
would be verified upon using the passed data by verifying against the hash.
Perhaps the secret shouldn't be put in $_SESSION, since a user could
potentially see this? Is there somewhere else I could store this?

I am also doing this to make sure that, if in my code I'm performing simple
functions like mysite.com?action=edit&id=55, that someone doesn't
arbitrarily mess with the id or action, since this URL would be rewritten
and/or passed solely using the GET string in the $_SESSION as described
above.

Anyone have any ideas, comments or suggestions as to what I should do?

TIA!

-GN

Jul 17 '05 #1
Hi,

I'm not sure what you are trying to do will work, as surely if a user does
edit the GET string by selecting "Copy Shortcut" and pasting it into the
address bar then these incorrect values will be sent to the page and be
hashed incorrectly. It would only work if a user clicked on a link then
edited it, but this might also incorrectly catch users that click a link,
then press back and click a different link.

A better way to protect a web application from user hacking is to, at every
possible opportunity, test user data to make sure that they are allowed to
edit certain records eg. as soon as you get the id=55 check whether that
user has permission to access record no.55, and if not abort the page.

Also another very important thing to guard against is SQL injection bugs in
your code.

As for checking whether post/get data isn't hijacked, there's no way to know
for sure, as a hacker will probably have the ability to do that
transparently; the best you can do is use an SSL server, but that won't
protect the system from users with viruses/trojans installed on their
machine.

Oh, by the way, the user shouldn't be able to access any variables in
$_SESSION unless your code prints them to the screen.

Regards,
Andrew Crowe

Jul 17 '05 #2
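The two checks recommended in the reply above, written out as an added example; this is not code from the thread. It assumes PHP 7.1 or later with the pdo_sqlite driver and builds a constructed in-memory `records` table so it runs stand-alone; the table, its columns and the `loadOwnRecord()` name are this example's own. The point it makes is that the query itself asks for "record N owned by the current user", so an id edited in the URL simply finds nothing, and that the id is bound as a parameter instead of being pasted into the SQL.

```php
<?php
// Added example, not code from the thread: per-record authorisation plus a
// parameterised query, against an in-memory SQLite database with constructed
// rows so it runs stand-alone. Table, columns and function names are
// assumptions of this example. Requires PHP 7.1+ with pdo_sqlite.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT)');
    $db->exec("INSERT INTO records VALUES (55, 1, 'record of user 1'), (56, 2, 'record of user 2')");
    return $db;
}

// The shape the thread is worried about. Never do this: the id is pasted
// straight into the SQL, and nothing ties the record to the current user.
//   $row = $db->query("SELECT * FROM records WHERE id = " . $_GET['id'])->fetch();

/**
 * Returns the record, or null if it does not exist OR is not owned by
 * $currentUserId. The caller cannot tell the two cases apart, which is
 * deliberate: "not found" leaks less than "exists, but not yours".
 */
function loadOwnRecord(PDO $db, int $currentUserId, $requestedId): ?array
{
    // Accept only a plain positive integer (as int or string) before the
    // value goes anywhere near the database.
    if (!is_int($requestedId) && !is_string($requestedId)) {
        return null;                                   // arrays etc.
    }
    $id = filter_var($requestedId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                                   // "55 OR 1=1", "", "55abc"
    }

    // Both the record id and the owner are bound parameters; the WHERE clause
    // itself performs the authorisation check.
    $stmt = $db->prepare('SELECT id, owner_id, title FROM records WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests standing in for "?action=edit&id=...", made by user 1.
$db = openDemoDb();
$currentUserId = 1;

var_dump(loadOwnRecord($db, $currentUserId, '55'));         // user 1's own record
var_dump(loadOwnRecord($db, $currentUserId, '56'));         // NULL: exists, belongs to user 2
var_dump(loadOwnRecord($db, $currentUserId, '55 OR 1=1'));  // NULL: rejected before any SQL runs
var_dump(loadOwnRecord($db, $currentUserId, ['55']));       // NULL: not a scalar at all
```

Whatever is done to the URL, the record only comes back when it belongs to the session's user; that check has to exist regardless of any hashing of the query string.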
What you could do is add a hash to any links, e.g.

<a href="mysite.com?action=edit&id=55&hash=74F4980E2938CDF">

This would be a quick way of stopping users editing the id parameter, but
you couldn't use it to validate any user form data.

--
Regards,
Andrew Crowe
Jul 17 '05 #3
Andrew,

Thanks for your thoughts and comments!

What you're talking about below is actually what I'm working on. Below is
some sample code from a class I've created:
function pc_encode($data)
{
    $secret = $_SESSION["secret"];
    $data = base64_encode(serialize($data));
    // Was md5($this->$secret . $data): "$this->$secret" reads a property
    // named by the secret's value, not the secret itself.
    $hash = md5($secret . $data);
    return array($data, $hash);
}

function pc_decode($data, $hash)
{
    $secret = $_SESSION["secret"];
    if (!empty($data) && !empty($hash))
    {
        // Strict comparison: with == two hex digests of the form "0e..."
        // compare as numbers and can be "equal" without being the same.
        if (md5($secret . $data) === $hash)
        {
            // Only unserialize once the hash has been verified.
            return unserialize(base64_decode($data));
        }
        else
        {
            error_log("Validation Error: data has been modified!!");
            return false;
        }
    }
    return false;
}

function MakeGetString($string)
{
    list($data, $hash) = $this->pc_encode($string);
    // base64 contains '+', '/' and '=', which must be URL-encoded or the
    // '+' arrives as a space and the hash check fails on legitimate links.
    $getstring = "d=" . urlencode($data) . "&h=" . urlencode($hash);
    return $getstring;
}

function CheckGetString()
{
    $data = isset($_GET['d']) ? $_GET['d'] : '';
    $hash = isset($_GET['h']) ? $_GET['h'] : '';
    // Returns the decoded data, or false if d/h are missing or modified.
    return $this->pc_decode($data, $hash);
}

And now some code that's actually on the php script page (mind you I'm using
Smarty templating). Remember this is a rough rendition before profiling and
cleaning up, so excuse the messy code! :)

$getstringarray = array('m', 'a', 'd', 's');
$newstringarray = array();

foreach ($getstringarray as $gmode) {
    $newstring = $gmode;
    $encstring = $insurancequotelib->MakeGetString($newstring);
    $newstringarray[$gmode] = $encstring;
}

print_r($newstringarray);

$smarty->assign('getstring', $newstringarray);

Then I use the Smarty template to, in this case, have the following in my
link: <a href=page.php?{$getstring.m}> for example. I'm using a random
string using time(), etc., to create the $secret used in the code above and
save it in $_SESSION["secret"]. I would like to extend this to encapsulate
post data as well, I suppose saving it to hidden form fields using d and h
as above for GET data, the d field containing the serialized data and h the
hash.

Any thoughts about this? Again, TIA!!

GN
"Andrew Crowe" <an************@yahoo.co.uk> wrote in message
news:40**********************@news.easynet.co.uk.. .
What you could do is add a hash to any links, eg.

<a href="mysite.com?action=edit&id=55&hash=74F4980E2938CDF">

This would be a quick way of stopping users editing the id parameter, but
you couldn't use it to validate any user form data

--
Regards,
Andrew Crowe

Jul 17 '05 #4
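The signed-parameter scheme from the two posts above (hash on the link, and the pc_encode()/pc_decode() class), as an added example that is not the poster's code. It keeps the idea, a per-session secret and a d/h pair that works in a link or in two hidden form fields, and changes the parts a reviewer would flag: HMAC-SHA256 instead of md5($secret . $data), hash_equals() instead of ==, JSON instead of serialize(), and random_bytes() instead of time() for the secret. Class and method names are this example's own, the session and request are constructed arrays, and it assumes PHP 7.4 or later. Because the secret lives for the whole session, links survive the back button (the concern raised earlier in the thread); what signing does not do is authorise: a correctly signed id=55 still has to be checked against the current user.

```php
<?php
// Added example, not the poster's class: the signed-parameter idea from the
// two posts above, with the parts a reviewer would change.
//   - hash_hmac('sha256') instead of md5($secret . $data): a hash over
//     secret-then-data is open to length extension; an HMAC is not.
//   - hash_equals() instead of ==: constant time, and no loose-comparison
//     surprise on hex digests that look like numbers ("0e...").
//   - JSON instead of serialize(): unserialize() must never see input the
//     client could have written; JSON decodes to plain data only.
//   - the secret comes from random_bytes(), not from time().
// The secret stays in $_SESSION, which the client cannot read; base64 is not
// encryption, so the signed values are visible, just not editable.
// Class and method names are this example's own. Requires PHP 7.4+.

final class SignedParams
{
    private string $secret;

    public function __construct(array &$session)
    {
        if (!isset($session['secret'])) {
            $session['secret'] = bin2hex(random_bytes(32));
        }
        $this->secret = $session['secret'];
    }

    /** "d=<base64 json>&h=<hmac>", ready for a link or two hidden fields. */
    public function sign(array $params): string
    {
        $data = base64_encode(json_encode($params, JSON_THROW_ON_ERROR));
        $hash = hash_hmac('sha256', $data, $this->secret);
        return http_build_query(['d' => $data, 'h' => $hash]);
    }

    /** The original parameters, or null if d/h are missing or were modified. */
    public function verify(array $request): ?array
    {
        $d = $request['d'] ?? null;
        $h = $request['h'] ?? null;
        if (!is_string($d) || !is_string($h)) {
            return null;
        }
        // Verify before decoding anything: untrusted bytes are only ever
        // fed to hash_hmac() until the signature has checked out.
        if (!hash_equals(hash_hmac('sha256', $d, $this->secret), $h)) {
            error_log('Validation error: signed parameters were modified');
            return null;
        }
        $json = base64_decode($d, true);
        $params = $json === false ? null : json_decode($json, true);
        return is_array($params) ? $params : null;
    }
}

// Stand-alone demo with constructed arrays standing in for $_SESSION/$_GET.
$session = [];
$sp = new SignedParams($session);

$query = $sp->sign(['action' => 'edit', 'id' => 55]);    // goes into href="page.php?..."
parse_str($query, $get);                                   // what comes back in $_GET
var_dump($sp->verify($get));                               // ['action' => 'edit', 'id' => 55]

// A user edits the URL so the payload says id=56: the HMAC no longer matches.
$tampered = $get;
$tampered['d'] = base64_encode(json_encode(['action' => 'edit', 'id' => 56]));
var_dump($sp->verify($tampered));                          // NULL

// The same d/h presented in a different session: different secret, same result.
$otherSession = [];
var_dump((new SignedParams($otherSession))->verify($get)); // NULL
```

For a form, emit the two values as hidden fields named d and h and call verify($_POST) instead of verify($_GET); the signature covers only what the server put in, so user-typed fields still need their own validation.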
"Golf Nut" <tr*************************@yahoo.com> wrote in message
news:_L*****************@newsread1.news.pas.earthlink.net...

I am also doing this to make sure that, if in my code I'm performing simple
functions like mysite.com?action=edit&id=55, that someone doesn't
arbitrarily mess with the id or action, since this URL would be rewritten
and/or passed solely using the GET string in the $_SESSION as described
above.


You don't need to do any of that secret or validation stuff at all.
Since you're relying on session, just store the variables in the session and
not pass the data through GET. Example:

echo '<a href="/somescript.php?' . SaveGetParam("action=edit&id=55") . '">Edit</a>';

function SaveGetParam($get) {
    // The browser only ever sees the key; the real parameters stay in the session.
    $md5 = md5($get);
    $_SESSION['SAVED_GET_PARAM'][$md5] = $get;
    return "key=$md5";
}

function RestoreGetParam() {
    // A missing or unknown key restores nothing (the original read
    // $_SESSION[...][$md5] unguarded and parsed an empty string into $_GET).
    $md5 = isset($_GET['key']) && is_string($_GET['key']) ? $_GET['key'] : '';
    if (!isset($_SESSION['SAVED_GET_PARAM'][$md5])) {
        return false;
    }
    parse_str($_SESSION['SAVED_GET_PARAM'][$md5], $_GET);
    return true;
}

Jul 17 '05 #5
Chung,

Thanks for the fantastic advice! It works like a charm - I don't know why
this didn't occur to me before!

Now I suppose what I can do is create a marshalling script of sorts that
handles all redirects, and I can actually incorporate the actual script to
run within the encoded string, e.g.,
SaveGetParam("script=users.php&action=edit&id=100") and then let the
marshalling script reference (e.g., redirect.php? . SaveGet...) invoke the
script to execute.

How would you suggest incorporating this methodology into the subsequent
edit form, which would contain post data and subsequently the id of the
current record? Something like <input type=hidden name=id
value="SaveGetParam("id=100")">? The invoked form method would then parse
this value and perform the necessary function, correct?

Thanks again!

Regards,

GN

Jul 17 '05 #6
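The session-side store from Chung's reply, extended to the follow-up question about the edit form, as an added example that is not Chung Leong's code. It assumes PHP 7.3 or later; the class and method names are this example's own, and $_SESSION, $_GET and $_POST are replaced by constructed arrays so it runs stand-alone. The differences from SaveGetParam()/RestoreGetParam(): the key is random rather than md5 of the content, an absent or unknown key is rejected instead of raising a notice, an entry can be consumed on first use so a form post cannot be replayed, and the stored parameters are returned to the caller instead of being written into $_GET, because the caller still has to decide whether this user may edit that record. The indirection hides the id; it does not authorise it.

```php
<?php
// Added example, not Chung Leong's code: the real parameters stay in the
// session and the browser only carries an opaque key, for a link (GET) and
// for the hidden field of an edit form (POST). Class and method names are
// this example's own; the session/request arrays are constructed so the
// script runs stand-alone. Requires PHP 7.3+.

final class ParamStore
{
    private const KEY = 'SAVED_PARAMS';   // slot inside $_SESSION

    /** @var array reference to the session array */
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        if (!isset($this->session[self::KEY])) {
            $this->session[self::KEY] = [];
        }
    }

    /** Store $params and return the opaque key the client will carry. */
    public function save(array $params): string
    {
        $key = bin2hex(random_bytes(16));           // random, not md5(content)
        $this->session[self::KEY][$key] = $params;
        return $key;
    }

    /**
     * Resolve a key. Returns the stored parameters, or null when the key is
     * absent, malformed or unknown. With $consume = true the entry is removed
     * on first use, which is what a form submission wants.
     */
    public function load($key, bool $consume = false): ?array
    {
        if (!is_string($key) || !preg_match('/^[0-9a-f]{32}$/', $key)) {
            return null;
        }
        if (!isset($this->session[self::KEY][$key])) {
            return null;
        }
        $params = $this->session[self::KEY][$key];
        if ($consume) {
            unset($this->session[self::KEY][$key]);
        }
        return $params;
    }

    /** Link target carrying only the key, escaped for an href attribute. */
    public function link(string $script, array $params): string
    {
        return htmlspecialchars($script . '?key=' . $this->save($params), ENT_QUOTES, 'UTF-8');
    }

    /** Hidden field carrying only the key, for the edit form. */
    public function hiddenField(array $params): string
    {
        $key = htmlspecialchars($this->save($params), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="key" value="' . $key . '">';
    }
}

// Stand-alone demo with a constructed array standing in for $_SESSION.
$session = [];
$store = new ParamStore($session);

// 1. The listing page emits an edit link that carries no record id at all.
echo '<a href="' . $store->link('users.php', ['action' => 'edit', 'id' => 55]) . '">Edit</a>', PHP_EOL;

// 2. users.php resolves the key (constructed $_GET stands in for the request).
$get = ['key' => array_key_first($session['SAVED_PARAMS'])];
$params = $store->load($get['key']);                  // ['action' => 'edit', 'id' => 55]
// ... check here that the logged-in user may edit record $params['id'] ...

// 3. The edit form gets a hidden field for the same record; the handler
//    consumes it on submit, so the same form cannot be posted twice.
echo $store->hiddenField(['id' => $params['id']]), PHP_EOL;
$post = ['key' => array_key_last($session['SAVED_PARAMS']), 'name' => 'new name'];
var_dump($store->load($post['key'], true));           // ['id' => 55]
var_dump($store->load($post['key'], true));           // NULL: already consumed
var_dump($store->load('key=deadbeef'));               // NULL: malformed key
```

Entries accumulate in the session for as long as it lives, so either consume them or prune old ones; and a key that resolves still only tells you which record the server offered, not whether the current user is allowed to change it.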
