PHP: Securing from Session Hijacking

rug

Hello,

I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.

I've got no clue how to use a table for session management.

I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)
Username (unique)
User Type
Session Creation Date/Time

I'm used to using PHP's $_SESSION variable. How would I go about replacing this with the DB session management?

Also:
Every time a page is requested how would I track a PC to know if a user has logged in or not? I could use an IP but then some ISP's assign a unique IP every time a new page is loaded.

What other methods are there or have I totally gotten the session management using a DB concept wrong?

Any suggestions/tips well appreciated.

Thanks,
rug

May 18 '07 #1

merseyside

Hope this gives you some ideas...

I've done something similar but used two session ids created by PHP (letting PHP deal with the uniqueness of both) and stored both in the database.

One was encrypted and used as a client side cookie and the other left plain and used as the server session file but never sent client side.

Regards.

May 18 '07 #2

Motoma

The only time a user will have two IPs on successive HTTP requests, is if that user is using a proxy to access your site. ISPs assign IP Addresses upon connection, not upon request. If that were the case, you would never get your data back!

You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.

Hello,

I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.

I've got no clue how to use a table for session management.

I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)
Username (unique)
User Type
Session Creation Date/Time

I'm used to using PHP's $_SESSION variable. How would I go about replacing this with the DB session management?

Also:
Every time a page is requested how would I track a PC to know if a user has logged in or not? I could use an IP but then some ISP's assign a unique IP every time a new page is loaded.

What other methods are there or have I totally gotten the session management using a DB concept wrong?

Any suggestions/tips well appreciated.

Thanks,
rug

May 18 '07 #3

rug

The only time a user will have two IPs on successive HTTP requests, is if that user is using a proxy to access your site. ISPs assign IP Addresses upon connection, not upon request. If that were the case, you would never get your data back!

True, I didn't think about that. Anyway I heard that AOL does something like this.

You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.

This is what I needed, on the right track now, thanks Motoma! :)

May 18 '07 #4

pbmods

Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).

May 18 '07 #5

rug

Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).

I did consider this possibility but then I opted to go with a Heap table, for learning purposes. Hey, it's fun ok. :)

May 19 '07 #6