  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 398

secondary secure token + user agent verification

How can I use a secondary secure token and user agent verification to prevent session hijacking?

Can you explain this in steps, with code, to achieve that?
I want to create them when I check that the user name and password are correct.
When the user goes to another page, how can I check the tokens and the user agent?

How can I destroy the session when the user closes the browser?

thanks
Asked by: ang3lus

1 Solution
 
ang3lusAuthor Commented:
To illustrate my point, I created a login page, a check-login page and two user accounts.

In the check-login page I check the user name and password:
if username1 and password1 are correct, go to page1
{


}

if username2 and password2 are correct, go to page2
{

}

Inside the if brackets, how can I create the secure token and user agent, and then verify them in the redirect pages (page1 and page2) to make sure the session is not hijacked?
If the token or the user agent is not identical, redirect to the login page.


Thanks in advance
 
Jagadishwor DulalBraces MediaCommented:
The best solution is HTTPS, and you can check the user's IP.
Use the session_destroy() function to destroy the session. You can't destroy a session when the browser closes. It requires a server-side command to close a session. Theoretically, you could have JavaScript make an AJAX call to a script when the browser closes.

A simple Code to check Session:

<?php
session_start();
// REQUIRE A COMPLETE, LOGGED-IN SESSION; OTHERWISE CLEAR IT AND SEND THE CLIENT TO THE LOGIN PAGE
if (!isset($_SESSION['db_is_logged_in'])
    || $_SESSION['db_is_logged_in'] !== true
    || $_SESSION['userid'] == ""
    || $_SESSION['usertype'] == "") {
    session_unset();
    header('Location: login.php');
    exit;
}
?>



 
Jagadishwor DulalBraces MediaCommented:
You can read more about session hijack here:
http://phpsec.org/projects/guide/4.html

 
 
Ray PaseurCommented:
Sessions are carried from page to page (almost always) by cookies.  The session handler gets the cookie and uses it as a pointer to the session files, where it finds the old session array, copies it into storage and presents it to the PHP script in the superglobal variable named $_SESSION.  Since you control the contents of $_SESSION there are a number of things you might do to "harden" it a little bit.  One example that I love is to use another cookie, besides the session cookie, to indicate that the client is logged in.  You can make a fairly secure cookie this way (see code snippet).  Test that cookie and if it is OK, your session is probably OK, too.

HTH, ~Ray
<?php // RAY_cookie_safety.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING


// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);



// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP



// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    // (STRICT COMPARISON: A LOOSE == ON HEX STRINGS CAN MATCH NUMERIC-LOOKING VALUES;
    // THE isset() GUARD COVERS A COOKIE THAT ARRIVES WITHOUT THE DELIMITER)
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
else
{
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}




// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    if (isset($array[1]) && $cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}

 
Ray PaseurCommented:
Looking at this a little more, and following some of Chris Shiflett's guidance on PHPSEC, here is an implementation of a session fingerprint that will tell you if the browser changed from one request to the next (not likely) and if the client's IP address changed from one request to the next (not likely, but possible for clients using dial-up modems).
<?php // RAY_session_fingerprint.php
error_reporting(E_ALL);


// DEMONSTRATE SOME TECHNIQUES THAT MAKE SESSION TAMPERING LESS LIKELY
// CREATE A SESSION FINGERPRINT THAT BECOMES PART OF THE SESSION DATA
// THE FINGERPRINT CARRIES INFORMATION ABOUT THE PREVIOUS ACCESSES,
// INCLUDING THE CLIENT BROWSER AND CLIENT IP ADDRESS.  FOR MORE, SEE:
// http://phpsec.org/projects/guide/4.html
// IF THE FINGERPRINT IS BOGUS, ASK FOR THE CLIENT PASSWORD BEFORE PROCEEDING


// A FUNCTION TO RECOVER THE SESSION FINGERPRINT
function get_session_fingerprint($xfactor='MY SECRET CODE')
{
    // GET THE BROWSER IDENTITY AND THE CLIENT IP ADDRESS
    $host = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"]   : NULL;
    $addr = isset($_SERVER["REMOTE_ADDR"])     ? $_SERVER["REMOTE_ADDR"]       : NULL;

    // ENCODE THESE VALUES ALONG WITH OUR X-FACTOR
    $code = md5($host . $addr . $xfactor);

    // IS THERE A MATCH?  (STRICT COMPARISON, SO TWO HEX STRINGS ARE NEVER COMPARED AS NUMBERS)
    if (isset($_SESSION["fingerprint"]))
    {
        if ($_SESSION["fingerprint"] === $code) return $code;
    }
    return FALSE;
}

// A FUNCTION TO SET THE SESSION FINGERPRINT
function set_session_fingerprint($xfactor='MY SECRET CODE')
{
    // GET THE BROWSER IDENTITY AND THE CLIENT IP ADDRESS
    $host = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"]   : NULL;
    $addr = isset($_SERVER["REMOTE_ADDR"])     ? $_SERVER["REMOTE_ADDR"]       : NULL;

    // ENCODE THESE VALUES ALONG WITH OUR X-FACTOR AND STORE THE RESULT IN THE SESSION
    $code = md5($host . $addr . $xfactor);
    $_SESSION["fingerprint"] = $code;
    return $code;
}


// DEMONSTRATE THE USE OF THESE FUNCTIONS
session_start();

// IF THE SESSION IS NEW, THERE IS NO FINGERPRINT YET
if (!isset($_SESSION['fingerprint']))
{
    // MAN PAGE: http://php.net/manual/en/function.session-regenerate-id.php
    session_regenerate_id();
    $code = set_session_fingerprint();
    echo "<br/>THE SESSION WAS NEW.  THE FINGERPRINT HAS BEEN SET TO $code";
}

// IF THE SESSION IS OLD, EXAMINE THE FINGERPRINT
else
{
    $code = get_session_fingerprint();
    if ($code)
    {
        echo "<br/>THE SESSION WAS OLD.  THE FINGERPRINT IS VALID: $code";
    }
    else
    {
        echo "<br/>THE SESSION WAS OLD.  THE FINGERPRINT IS BOGUS.";
    }
}


// DEMONSTRATE HOW TO TEST THIS WITH A VERBOSE EXAMPLE
if ($code = get_session_fingerprint())
{
    echo "<br/>THE SESSION FINGERPRINT INCLUDES ";
    echo "{$_SERVER['HTTP_USER_AGENT']} AND ";
    echo "{$_SERVER['REMOTE_ADDR']} AND OUR X-FACTOR";
    echo "<br/>THE SESSION WAS OLD.  THE FINGERPRINT IS VALID: $code";
}
else
{
    echo "<br/>THE SESSION FINGERPRINT INCLUDES ";
    echo "{$_SERVER['HTTP_USER_AGENT']} AND ";
    echo "{$_SERVER['REMOTE_ADDR']} AND OUR X-FACTOR";
    echo "<br/>THE SESSION WAS OLD.  THE FINGERPRINT IS BOGUS.";
}


// NOW MAKE IT LOOK LIKE THE CLIENT BROWSER CHANGED FROM ONE REQUEST TO THE NEXT (NOT LIKELY)
$_SERVER['HTTP_USER_AGENT'] = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; *BOGUS DATA STRING*)';


// DEMONSTRATE HOW TO TEST THIS WITH A VERBOSE EXAMPLE
if ($code = get_session_fingerprint())
{
    echo "<br/>THE SESSION FINGERPRINT INCLUDES ";
    echo "{$_SERVER['HTTP_USER_AGENT']} AND ";
    echo "{$_SERVER['REMOTE_ADDR']} AND OUR X-FACTOR";
    echo "<br/>THE SESSION WAS OLD.  THE FINGERPRINT IS VALID: $code";
}
else
{
    echo "<br/>THE SESSION FINGERPRINT INCLUDES ";
    echo "{$_SERVER['HTTP_USER_AGENT']} AND ";
    echo "{$_SERVER['REMOTE_ADDR']} AND OUR X-FACTOR";
    echo "<br/>THE SESSION WAS OLD.  THE FINGERPRINT IS BOGUS.";
}

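The steps the question asks for (create the token and user-agent check at login, verify them on page1/page2, tear the session down), combining the second-cookie and fingerprint ideas from Ray's two posts; this is an added example, not code from the thread, and it assumes PHP 7.3 or later on an HTTPS site. It hashes the User-Agent with a server secret instead of storing the raw header, compares in constant time, regenerates the session id at login, and leaves the IP out of the fingerprint because, as Ray notes, it can change mid-session; the names APP_SECRET, establish_login_session(), require_valid_session() and logout() are chosen here.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 and an HTTPS site.
// APP_SECRET and the function names below are chosen for this example; keep the
// real secret in server configuration, never in the source tree.
const APP_SECRET = 'PLACEHOLDER-long-random-server-secret';

// Session cookie with lifetime 0 = "until the browser closes". Only the browser
// enforces that; the server-side session data lives on until gc or session_destroy().
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                           'httponly' => true, 'samesite' => 'Strict']);
session_start();

// Keyed hash of the User-Agent, so the raw header is never stored or compared.
function ua_fingerprint(): string {
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', APP_SECRET);
}

// Call once, immediately after the username/password check succeeds.
function establish_login_session(int $userId): void {
    session_regenerate_id(true);                 // discard the pre-login session id
    $token = bin2hex(random_bytes(32));          // secondary token from a CSPRNG
    $_SESSION['user_id']    = $userId;
    $_SESSION['auth_token'] = $token;
    $_SESSION['ua_fp']      = ua_fingerprint();
    setcookie('auth_token', $token, ['expires' => 0, 'path' => '/', 'secure' => true,
                                     'httponly' => true, 'samesite' => 'Strict']);
}

// Call at the top of every protected page (page1.php, page2.php, ...).
function require_valid_session(string $loginUrl = 'login.php'): int {
    $ok = isset($_SESSION['user_id'], $_SESSION['auth_token'], $_SESSION['ua_fp'],
                $_COOKIE['auth_token'])
        && hash_equals($_SESSION['auth_token'], $_COOKIE['auth_token'])  // constant time
        && hash_equals($_SESSION['ua_fp'], ua_fingerprint());
    if (!$ok) {                                  // token or browser changed: start over
        logout();
        header('Location: ' . $loginUrl);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Full server-side teardown (the only way a session is really destroyed).
function logout(): void {
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    setcookie('auth_token', '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}
```

In the check-login page, call establish_login_session($id) inside the "password is correct" branch and then redirect to page1 or page2; each of those pages includes this file and calls require_valid_session() before emitting any output.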
 
ang3lusAuthor Commented:
Thanks very much A+++++
 
Ray PaseurCommented:
Thanks for the points - it's a great question! ~Ray