ang3lus

asked on

secondary secure token + user agent verification

How can I use a secondary secure token and user agent verification to prevent session hijacking?

Can you explain this in steps, with code, to achieve that?
I want to create them when I check that the user name and password are correct.
When the user goes to another page, how can I check the tokens and the user agent?

How can I destroy the session when the user closes the browser?

thanks
ang3lus

ASKER

To illustrate my point: I create a login page, a check-login page and two user accounts.

In the check-login page I check the user name and password.
If username1 and password1 are correct, go to page1
{

}

If username2 and password2 are correct, go to page2
{

}

Inside the if brackets, how can I create a secure token and user agent and then verify them in the redirect pages, page1 and page2, to make sure the session is not hijacked?
If the token or user agent are not identical, redirect to the login page.

Thanks in advance
Jagadishwor Dulal
The best solution is HTTPS, and you can check the user's IP.
Use the session_destroy() function to destroy the session. You can't destroy a session when the browser closes; it requires a server-side command to close a session. Theoretically, you could have JavaScript make an AJAX call to a script when the browser closes.

A simple Code to check Session:

<?php
session_start();
// Redirect to the login page unless the session carries a complete, valid login record
if (!isset($_SESSION['db_is_logged_in']) || $_SESSION['db_is_logged_in'] !== true
    || $_SESSION['userid'] == "" || $_SESSION['usertype'] == "") {
    session_unset();
    header('Location: login.php');
    exit;
}
?>



You can read more about session hijack here:
http://phpsec.org/projects/guide/4.html
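The answer above is right that the server never learns when the browser closes. What the server can do is issue the session cookie with lifetime 0, so the browser itself discards it on exit, enforce its own idle timeout, and make logout actually destroy the session, cookie included (session_destroy() alone leaves the cookie in the browser). The following is an added example, not code from the answer above; it assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie(), and the file name, function names and the 15-minute idle limit are assumptions.

```php
<?php // session_guard.php (added example, not from the original answers)

// Idle limit in seconds; 15 minutes is an assumed policy value.
const SESSION_IDLE_LIMIT = 900;

// Start the session with a cookie the browser discards when it exits
// (lifetime 0), not readable by script (httponly) and, when the page is
// served over HTTPS, only sent over TLS (secure). Call before any output.
function start_secure_session()
{
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the session ID from the URL
    session_start();
}

// Destroy the session completely: the in-memory array, the cookie the
// browser still holds, and the server-side data.
function destroy_session()
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}

// Gate for every protected page: the login record must be complete and the
// session must not have been idle longer than the limit. Returns true when
// the request may proceed; otherwise destroys the session and redirects.
function require_login($now = null)
{
    $now = $now ?? time();
    $ok = isset($_SESSION['db_is_logged_in']) && $_SESSION['db_is_logged_in'] === true
        && !empty($_SESSION['userid']) && !empty($_SESSION['usertype']);
    if ($ok && isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > SESSION_IDLE_LIMIT) {
        $ok = false; // idle too long: treat as logged out
    }
    if (!$ok) {
        destroy_session();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_activity'] = $now; // refresh the idle timer on every request
    return true;
}

// Usage on a protected page:
//   require 'session_guard.php'; start_secure_session(); require_login();
// Usage on logout.php:
//   require 'session_guard.php'; start_secure_session(); destroy_session();
//   header('Location: login.php'); exit;
```

The idle timeout is what actually ends an abandoned session: a closed browser drops the cookie, but the server-side session file stays valid until garbage collection, so anyone who captured the ID could still use it until last_activity ages out.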
ASKER CERTIFIED SOLUTION
Ray Paseur

Looking at this a little more, and following some of Chris Shiflett's guidance on PHPSEC, here is an implementation of a session fingerprint that will tell you if the browser changed from one request to the next (not likely) and if the client's IP address changed from one request to the next (not likely, but possible for clients using dial-up modems).
<?php // RAY_session_fingerprint.php
error_reporting(E_ALL);


// DEMONSTRATE SOME TECHNIQUES THAT MAKE SESSION TAMPERING LESS LIKELY
// CREATE A SESSION FINGERPRINT THAT BECOMES PART OF THE SESSION DATA
// THE FINGERPRINT CARRIES INFORMATION ABOUT THE PREVIOUS ACCESSES,
// INCLUDING THE CLIENT BROWSER AND CLIENT IP ADDRESS.  FOR MORE, SEE:
// http://phpsec.org/projects/guide/4.html
// IF THE FINGERPRINT IS BOGUS, ASK FOR THE CLIENT PASSWORD BEFORE PROCEEDING


// A FUNCTION TO COMPUTE THE FINGERPRINT FOR THE CURRENT REQUEST
function compute_session_fingerprint($xfactor)
{
    // GET THE BROWSER IDENTITY AND THE CLIENT IP ADDRESS
    $host = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : NULL;
    $addr = isset($_SERVER["REMOTE_ADDR"])     ? $_SERVER["REMOTE_ADDR"]     : NULL;

    // ENCODE THESE VALUES ALONG WITH OUR X-FACTOR
    return md5($host . $addr . $xfactor);
}

// A FUNCTION TO RECOVER THE SESSION FINGERPRINT
function get_session_fingerprint($xfactor='MY SECRET CODE')
{
    $code = compute_session_fingerprint($xfactor);

    // IS THERE A MATCH?  hash_equals() IS A STRICT, CONSTANT-TIME STRING COMPARISON;
    // A LOOSE == COMPARISON OF TWO HEX DIGESTS CAN WRONGLY SUCCEED IN PHP
    if (isset($_SESSION["fingerprint"]) && hash_equals($_SESSION["fingerprint"], $code))
    {
        return $code;
    }
    return FALSE;
}

// A FUNCTION TO SET THE SESSION FINGERPRINT
function set_session_fingerprint($xfactor='MY SECRET CODE')
{
    // ENCODE THE VALUES AND STORE THE RESULT IN THE SESSION
    $code = compute_session_fingerprint($xfactor);
    $_SESSION["fingerprint"] = $code;
    return $code;
}

// A FUNCTION TO REPORT WHETHER THE CURRENT REQUEST MATCHES THE STORED FINGERPRINT
function show_fingerprint_status()
{
    echo "<br/>THE SESSION FINGERPRINT INCLUDES ";
    echo "{$_SERVER['HTTP_USER_AGENT']} AND ";
    echo "{$_SERVER['REMOTE_ADDR']} AND OUR X-FACTOR";
    if ($code = get_session_fingerprint())
    {
        echo "<br/>THE FINGERPRINT IS VALID: $code";
    }
    else
    {
        echo "<br/>THE FINGERPRINT IS BOGUS.";
    }
}


// DEMONSTRATE THE USE OF THESE FUNCTIONS
session_start();

// IF THE SESSION IS NEW, THERE IS NO FINGERPRINT YET
if (!isset($_SESSION['fingerprint']))
{
    // MAN PAGE: http://php.net/manual/en/function.session-regenerate-id.php
    session_regenerate_id();
    $code = set_session_fingerprint();
    echo "<br/>THE SESSION WAS NEW.  THE FINGERPRINT HAS BEEN SET TO $code";
}

// IF THE SESSION IS OLD, EXAMINE THE FINGERPRINT
else
{
    $code = get_session_fingerprint();
    if ($code)
    {
        echo "<br/>THE SESSION WAS OLD.  THE FINGERPRINT IS VALID: $code";
    }
    else
    {
        echo "<br/>THE SESSION WAS OLD.  THE FINGERPRINT IS BOGUS.";
    }
}


// DEMONSTRATE HOW TO TEST THIS WITH A VERBOSE EXAMPLE
show_fingerprint_status();


// NOW MAKE IT LOOK LIKE THE CLIENT BROWSER CHANGED FROM ONE REQUEST TO THE NEXT (NOT LIKELY)
$_SERVER['HTTP_USER_AGENT'] = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; *BOGUS DATA STRING*)';


// THE STORED FINGERPRINT NO LONGER MATCHES, SO THIS REPORTS IT AS BOGUS
show_fingerprint_status();

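To put the asker's "secondary secure token" together with the fingerprint idea in Ray's answer, here is an added example that is not code from the original answers. At login the server regenerates the session ID, stores a random secondary token in the session and also sends it to the browser in its own HttpOnly cookie, and stores a fingerprint of the User-Agent. Every protected page then checks that the cookie token still matches the session token and that the fingerprint is unchanged; a mismatch ends the session and sends the client back to the login page. Two deliberate departures from Ray's code: the fingerprint is an HMAC keyed with a server-side secret rather than an md5 of the strings, so an attacker who knows the victim's User-Agent still cannot forge it without the key, and the IP address is left out, since Ray's dial-up caveat applies to most mobile and proxied clients today. The sample accounts are constructed; the cookie name, the key value, the file names and PHP 7.3 or later (for the array form of setcookie()) are assumptions.

```php
<?php // auth_token_demo.php (added example, not from the original answers)

// Server-side secret keying the fingerprint HMAC. Assumed value for the
// example; in production load it from configuration outside the web root.
const FINGERPRINT_KEY = 'replace-with-a-long-random-server-secret';
const TOKEN_COOKIE    = 'auth_token';

// Constructed sample accounts: username => [password hash, page that user belongs on].
// The hashes are computed here only so the example is self-contained.
function sample_accounts()
{
    return [
        'username1' => ['hash' => password_hash('password1', PASSWORD_DEFAULT), 'home' => 'page1.php'],
        'username2' => ['hash' => password_hash('password2', PASSWORD_DEFAULT), 'home' => 'page2.php'],
    ];
}

// Fingerprint of the client: HMAC of the User-Agent under the server key.
function fingerprint()
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, FINGERPRINT_KEY);
}

// Verify the login form input against the accounts. Returns the user's home
// page for a valid pair, otherwise null. password_verify() is constant-time
// on the hash; an unknown user still pays for one hash so timing does not
// reveal which usernames exist.
function authenticate($username, $password, array $accounts)
{
    if (!isset($accounts[$username])) {
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }
    return password_verify($password, $accounts[$username]['hash'])
        ? $accounts[$username]['home'] : null;
}

// Called from the check-login page once username and password are verified.
function establish_session($username, $home)
{
    session_regenerate_id(true);          // fresh ID: defeats session fixation
    $token = bin2hex(random_bytes(32));   // secondary token, 256 random bits
    $_SESSION['db_is_logged_in'] = true;
    $_SESSION['userid']          = $username;
    $_SESSION['home']            = $home;
    $_SESSION['token']           = $token;
    $_SESSION['fingerprint']     = fingerprint();
    // The same token goes to the browser in a cookie separate from the
    // session cookie; lifetime 0 so the browser drops it on exit.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie(TOKEN_COOKIE, $token, [
        'expires' => 0, 'path' => '/', 'secure' => $secure,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    header('Location: ' . $home);
    exit;
}

// Top of page1.php, page2.php and every other protected page. $expected_home
// is the page's own name, so username2 cannot reach page1 just by knowing the URL.
function verify_session($expected_home)
{
    $cookie = $_COOKIE[TOKEN_COOKIE] ?? null;       // may be an array if tampered with
    $ok = isset($_SESSION['db_is_logged_in'], $_SESSION['token'], $_SESSION['fingerprint'])
        && $_SESSION['db_is_logged_in'] === true
        && is_string($cookie)
        && hash_equals($_SESSION['token'], $cookie)              // secondary token matches
        && hash_equals($_SESSION['fingerprint'], fingerprint())  // User-Agent unchanged
        && ($_SESSION['home'] ?? null) === $expected_home;       // right page for this user
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }
    return true;
}

// check-login page, after session_start():
//   $home = authenticate($_POST['username'] ?? '', $_POST['password'] ?? '', sample_accounts());
//   if ($home === null) { header('Location: login.php?err=1'); exit; }
//   establish_session($_POST['username'], $home);
// page1.php, after session_start():
//   verify_session('page1.php');
```

The token cookie adds little against an attacker who can read all of the victim's cookies (XSS or a plaintext network), which is why HTTPS and HttpOnly remain the primary defence; what it does stop is a session ID leaked on its own, for example through a URL or a log. The User-Agent check raises the bar only slightly, since the header is attacker-controlled, so treat a mismatch as "ask for the password again" rather than as proof of an attack.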


ASKER

Thanks very much A+++++
Thanks for the points - it's a great question! ~Ray