
PHP: Securing from Session Hijacking

Hello,

I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.

I've got no clue how to use a table for session management.

I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)
Username (unique)
User Type
Session Creation Date/Time

I'm used to using PHP's $_SESSION variable. How would I go about replacing this with the DB session management?

Also:
Every time a page is requested, how would I track a PC to know if a user has logged in or not? I could use an IP, but then some ISPs assign a unique IP every time a new page is loaded.

What other methods are there or have I totally gotten the session management using a DB concept wrong?

Any suggestions/tips well appreciated.

Thanks,
rug
May 18 '07 #1
Hope this gives you some ideas...

I've done something similar but used two session ids created by PHP (letting PHP deal with the uniqueness of both) and stored both in the database.

One was encrypted and used as a client side cookie and the other left plain and used as the server session file but never sent client side.

Regards.
May 18 '07 #2
Motoma
The only time a user will have two IPs on successive HTTP requests is if that user is using a proxy to access your site. ISPs assign IP addresses upon connection, not upon request. If that were the case, you would never get your data back!

You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.
May 18 '07 #3
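A database-backed handler of the kind Motoma points at, added here as an example (it is not from the thread and not Motoma's code). It assumes PHP 8 with PDO_MySQL and a `sessions` table whose name and columns are made up for the example; the DSN and credentials are placeholders.

```php
<?php
// Added example, not code from this thread. Assumes PHP 8+, PDO_MySQL and a table
// sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, last_active INT); DSN and credentials are placeholders.
final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1440) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    // Every query is a prepared statement: the session id arrives in a client-controlled cookie.
    private function run(string $sql, array $args): PDOStatement
    {
        $st = $this->db->prepare($sql);
        $st->execute($args);
        return $st;
    }
    public function read(string $id): string|false
    {
        $data = $this->run('SELECT data FROM sessions WHERE id = ? AND last_active > ?',
                           [$id, time() - $this->ttl])->fetchColumn();
        return $data === false ? '' : $data;   // '' tells PHP there is no stored session yet
    }
    public function write(string $id, string $data): bool
    {
        $this->run('INSERT INTO sessions (id, data, last_active) VALUES (?, ?, ?) '
            . 'ON DUPLICATE KEY UPDATE data = VALUES(data), last_active = VALUES(last_active)',
            [$id, $data, time()]);
        return true;
    }
    public function destroy(string $id): bool { $this->run('DELETE FROM sessions WHERE id = ?', [$id]); return true; }
    public function gc(int $max_lifetime): int|false
    {
        return $this->run('DELETE FROM sessions WHERE last_active < ?', [time() - $max_lifetime])->rowCount();
    }
    // With session.use_strict_mode=1 PHP asks the handler whether a client-presented id exists;
    // an unknown or expired id is discarded and a fresh one issued, so a fixated id never sticks.
    public function validateId(string $id): bool
    {
        return (bool) $this->run('SELECT 1 FROM sessions WHERE id = ? AND last_active > ?',
                                 [$id, time() - $this->ttl])->fetchColumn();
    }
    public function updateTimestamp(string $id, string $data): bool
    {
        $this->run('UPDATE sessions SET last_active = ? WHERE id = ?', [time(), $id]);
        return true;
    }
}
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new DbSessionHandler($pdo), true);
ini_set('session.use_strict_mode', '1');   // only effective with a user handler that implements validateId()
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();   // $_SESSION now reads and writes through MySQL instead of /tmp
```

Existing `$_SESSION` code keeps working unchanged; after a successful login, call `session_regenerate_id(true)` so the id issued before authentication is never reused for the logged-in session.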
rug
The only time a user will have two IPs on successive HTTP requests, is if that user is using a proxy to access your site. ISPs assign IP Addresses upon connection, not upon request. If that were the case, you would never get your data back!
True, I didn't think about that. Anyway I heard that AOL does something like this.

You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.
This is what I needed, on the right track now, thanks Motoma! :)
May 18 '07 #4
pbmods
Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).
May 18 '07 #5
rug
Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).
I did consider this possibility but then I opted to go with a Heap table, for learning purposes. Hey, it's fun ok. :)
May 19 '07 #6