470,819 Members | 1,572 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

home > topics > php > questions > php: securing from session hijacking

Post your question to a community of 470,819 developers. It's quick & easy.

PHP: Securing from Session Hijacking

6
Hello,

I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.

I've got no clue how to use a table for session management.

I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)
Username (unique)
User Type
Session Creation Date/Time

I'm used to using PHP's $_SESSION variable. How would I go about replacing this with the DB session management?

Also:
Every time a page is requested how would I track a PC to know if a user has logged in or not? I could use an IP but then some ISP's assign a unique IP every time a new page is loaded.

What other methods are there or have I totally gotten the session management using a DB concept wrong?

Any suggestions/tips well appreciated.

Thanks,
rug
May 18 '07 #1
5 2275
Hope this gives you some ideas...

I've done something similar but used two session ids created by PHP (letting PHP deal with the uniqueness of both) and stored both in the database.

One was encrypted and used as a client side cookie and the other left plain and used as the server session file but never sent client side.

Regards.
May 18 '07 #2
Motoma
3,237 Expert 2GB
The only time a user will have two IPs on successive HTTP requests, is if that user is using a proxy to access your site. ISPs assign IP Addresses upon connection, not upon request. If that were the case, you would never get your data back!

You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.

Hello,

I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.

I've got no clue how to use a table for session management.

I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)
Username (unique)
User Type
Session Creation Date/Time

I'm used to using PHP's $_SESSION variable. How would I go about replacing this with the DB session management?

Also:
Every time a page is requested how would I track a PC to know if a user has logged in or not? I could use an IP but then some ISP's assign a unique IP every time a new page is loaded.

What other methods are there or have I totally gotten the session management using a DB concept wrong?

Any suggestions/tips well appreciated.

Thanks,
rug
May 18 '07 #3
rug
6
The only time a user will have two IPs on successive HTTP requests, is if that user is using a proxy to access your site. ISPs assign IP Addresses upon connection, not upon request. If that were the case, you would never get your data back!
True, I didn't think about that. Anyway I heard that AOL does something like this.

You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.
This is what I needed, on the right track now, thanks Motoma! :)
May 18 '07 #4
pbmods
5,821 Expert 4TB
Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).
May 18 '07 #5
rug
6
Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).
I did consider this possibility but then I opted to go with a Heap table, for learning purposes. Hey, it's fun ok. :)
May 19 '07 #6

Post your reply

Sign in to post your reply or Sign up for a free account.

Similar topics

PHP
Top Ten PHP Security Issues, a preliminary list
12 posts views Thread by Chung Leong | last post: by
PHP
Reality Check: Session Hijacking
27 posts views Thread by mrbog | last post: by
PHP
Securing PHP Code that Creates Images
11 posts views Thread by Steve | last post: by
PHP
PHP, OpenSSL Session Key?
1 post views Thread by jmkovacs | last post: by
PHP
Is session enough secure?
1 post views Thread by opt_inf_env | last post: by
PHP
php session without cookie useage
7 posts views Thread by ehendrikd | last post: by
Session ID management
2 posts views Thread by =?Utf-8?B?YW5vb3A=?= | last post: by
PHP
know when user tries to access php file
4 posts views Thread by Daniel | last post: by
BYTES.COM © 2022
About Us
Advertise
Terms Of Use
Privacy Policy
Manage Cookies
Contact Us
Sitemap

Follow us! Get the Latest Bytes Updates
By using this site, you agree to our Privacy Policy and Terms of Use.