Bytes IT Community

PHP: Securing from Session Hijacking

P: 6
Hello,

I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.

I've got no clue how to use a table for session management.

I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)
Username (unique)
User Type
Session Creation Date/Time

I'm used to using PHP's $_SESSION variable. How would I go about replacing this with the DB session management?

Also:
Every time a page is requested, how would I track a PC to know if a user has logged in or not? I could use an IP, but then some ISPs assign a unique IP every time a new page is loaded.

What other methods are there, or have I totally gotten the session management using a DB concept wrong?

Any suggestions/tips are well appreciated.

Thanks,
rug
May 18 '07 #1
5 Replies


P: 48
Hope this gives you some ideas...

I've done something similar but used two session ids created by PHP (letting PHP deal with the uniqueness of both) and stored both in the database.

One was encrypted and used as a client side cookie and the other left plain and used as the server session file but never sent client side.

Regards.
May 18 '07 #2

Motoma
Expert 2.5K+
P: 3,235
The only time a user will have two IPs on successive HTTP requests is if that user is using a proxy to access your site. ISPs assign IP addresses upon connection, not upon request. If that were the case, you would never get your data back!

You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.

May 18 '07 #3
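As an added example (not code posted in this thread), here is a minimal session handler built on the session_set_save_handler mechanism that Motoma points to, which keeps session data in a MySQL table instead of files under /tmp. It assumes PHP 8, PDO with the mysql driver, a database named app with the credentials shown, and a MEMORY-engine table named sessions whose definition is given in the comment. PHP keeps generating the session ID itself, so the handler only has to store, load, delete and expire records, and $_SESSION keeps working unchanged.

```php
<?php
// Assumed table (MEMORY/HEAP engine cannot store BLOB/TEXT, hence VARBINARY):
//   CREATE TABLE sessions (
//     id      VARCHAR(128)    NOT NULL PRIMARY KEY,
//     data    VARBINARY(4096) NOT NULL,
//     updated INT UNSIGNED    NOT NULL
//   ) ENGINE=MEMORY;
final class MysqlSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Unknown or expired IDs read as an empty session, so a stale cookie gets nothing.
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND updated > ?');
        $st->execute([$id, time() - $this->lifetime]);
        $row = $st->fetchColumn();
        return $row === false ? '' : $row;
    }

    // Upsert keyed on the session ID; prepared statements keep the ID out of the SQL text.
    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare(
            'INSERT INTO sessions (id, data, updated) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE data = VALUES(data), updated = VALUES(updated)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // Garbage collection: drop rows idle longer than session.gc_maxlifetime.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Register before session_start(); from here on $_SESSION behaves exactly as before.
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new MysqlSessionHandler($db, 1440), true);
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
// On successful login call session_regenerate_id(true) so the pre-login ID is retired.
```

With the handler registered, nothing in the application changes apart from where the data lives; the cookie flags and the regenerate-on-login call are what actually limit the damage of a leaked or guessed session ID.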

P: 6
rug
The only time a user will have two IPs on successive HTTP requests is if that user is using a proxy to access your site. ISPs assign IP addresses upon connection, not upon request. If that were the case, you would never get your data back!
True, I didn't think about that. Anyway I heard that AOL does something like this.

You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.
This is what I needed, on the right track now, thanks Motoma! :)
May 18 '07 #4

pbmods
Expert 5K+
P: 5,821
Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).
May 18 '07 #5

P: 6
rug
Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).
I did consider this possibility but then I opted to go with a Heap table, for learning purposes. Hey, it's fun ok. :)
May 19 '07 #6
