Should I be concerned about my SESSION security?

To secure my SESSIONS, I have the following pages.

My questions

  • Am I overreacting to this?
  • Should I put a token in login.php instead of loginForm.php?
  • When a user logs in, I save his IP address in the database. Should I use this for authentication?

Thanks to the community.

Login form: loginForm.php

     <?php $token = md5(uniqid(rand(), TRUE)); ?>
     <input name="login" type="text" class="textfield" id="login" />
     <input name="password" type="password" class="textfield" id="password" />
     <input type="hidden" name="token" value="<?php echo $token; ?>" />
     <input type="submit" name="Submit" value="Login" />

When the user logs in: login.php

     <?php
     // runs after the credentials have been checked; session_start() is assumed
     // to have been called earlier, and $result is the member lookup query
     // result (the query itself is not shown in the post)
     $fingerprint = sha1('SECRET-SALT' . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'] . $_POST['token']);
     session_regenerate_id();
     $member = mysql_fetch_assoc($result);
     $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
     $_SESSION['SESS_TOKEN'] = $_POST['token'];
     $_SESSION['SESS_FINGERPRINT'] = $fingerprint;
     session_write_close();
     header("location: index.php");
     exit();

Authentication on every page: auth.php

     <?php
     session_start();
     // recompute the fingerprint from the current request and the token saved
     // at login, then compare it with the one stored in the session
     $fingerprint = sha1('SECRET-SALT' . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'] . $_SESSION['SESS_TOKEN']);
     if (!isset($_SESSION['SESS_MEMBER_ID'])
         || (trim($_SESSION['SESS_MEMBER_ID']) == '')
         || ($_SESSION['SESS_FINGERPRINT'] != $fingerprint)
         || !isset($_SESSION['SESS_TOKEN'])
         || (trim($_SESSION['SESS_TOKEN']) == '')) {
         header("location: denied.php");
         exit();
     }
+6
2 answers

To answer your first 3 questions:

  • Am I overreacting to this?

    Nope. Poor session management is number 3 on the OWASP Top 10 vulnerability list. There are several problems with your implementation, but overall it's a good idea.

  • Should I put a token in login.php instead of loginForm.php?

    Yes. You should put the token generation in the session directly, then output it into the form from the session. This way you can verify that the form submission came from the same session that requested the form (which can prevent certain attacks). This basically prevents CSRF attacks.

  • When a user logs in, I save his IP address in the database. Should I use this for authentication?

    No. Users will often log in from multiple computers, so no IP-to-user mapping will really be possible. IP-to-session matching may work better, but remember that quite a few users sit behind dynamic IP addresses, so it can be unreliable even for sessions.

And here are some comments on your code:

  • Token generation. Right now you use the following algorithm:

     $token = md5(uniqid(rand(),TRUE)); 

    I would personally change this to something more random and safer. Something like:

     $token = md5(uniqid(mt_rand() . mt_rand(), true));

    Or, if you have mcrypt installed, I would do this instead:

     $token = md5(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); 

    The reason is that both of these functions have significantly higher entropy (which means they will generate a larger number of unique values), and they are harder to guess.

  • Fingerprint. Right now you are doing:

     $fingerprint = sha1( 'SECRET-SALT' . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'] . $_POST['token'] ); 

    There are several issues with this. First of all, dynamic IP addresses will erroneously invalidate the session. Secondly, there is no real reason to hash this data. Store each in a separate field and then test them separately. This can help prevent a specific theoretical attack where a user with a different remote IP address can craft a fake token and user agent that lead to the same hash (and therefore "crack" the fingerprint). Thirdly, you use the submitted token as identification data. This can lead to session fixation.

    I would suggest storing each piece of information in its own session variable and checking them separately. Also, use the session token you generated in the previous request, and just make sure the posted token matches the one you saved.

  • Session verification. This is very good. I would suggest moving it into a separate function so that it is easy to change if you need to change the algorithm. Then you just call:

     require_once 'session.php';
     verifySession();

    at the top of each file.

What you have is clearly procedural and may benefit from some design and abstraction, but for the most part it is pretty good (the above comments aside).

+4
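The session.php the answer above asks for, written out as an added example (not the asker's code, and not the answerer's): the CSRF token lives in the session and is only echoed into the form, the posted token is compared against the stored one, and the user agent is kept in its own field and checked on its own rather than folded into a hash. It assumes PHP 7.1 or newer (random_bytes, hash_equals, nullable parameter types) and uses random_bytes in place of the mcrypt call the answer mentions; the function and session key names are illustrative choices, not anything the thread prescribes.

```php
<?php
// session.php: added example of the separate-field checks recommended in the
// answer; not the asker's or the answerer's code. Assumes PHP 7.1+.
// Function and $_SESSION key names are illustrative.

// Token from the OS CSPRNG instead of md5(uniqid(rand(), true)).
function generateToken(): string
{
    return bin2hex(random_bytes(32)); // 256 bits of entropy, hex encoded
}

// Per-session CSRF token, created on first use. loginForm.php echoes this
// value into its hidden field; the form page no longer generates its own.
function getCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = generateToken();
    }
    return $_SESSION['csrf_token'];
}

// login.php calls this before touching the credentials: the posted token must
// equal the one this same session handed out. hash_equals is constant-time.
function verifyCsrfToken(?string $posted): bool
{
    if ($posted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $posted);
}

// Called once the password check has passed. A fresh id stops a pre-login id
// from being reused, and each fingerprint part gets its own field, so the
// user agent can be checked by itself instead of inside one combined hash.
function establishSession(int $memberId): void
{
    session_regenerate_id(true);
    $_SESSION['member_id']  = $memberId;
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    // REMOTE_ADDR is deliberately not stored: a changing IP would log the
    // user out, which is the dynamic-IP problem the answer warns about.
    $_SESSION['csrf_token'] = generateToken(); // new token after login
}

// True when a member is logged in and the recorded user agent still matches.
function sessionIsValid(): bool
{
    if (empty($_SESSION['member_id']) || !isset($_SESSION['user_agent'])) {
        return false;
    }
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_equals($_SESSION['user_agent'], $ua);
}

// The single call each protected page makes, as the answer suggests.
function verifySession(): void
{
    if (!sessionIsValid()) {
        session_unset();
        header('Location: denied.php');
        exit();
    }
}
```

Usage follows the answer's layout: loginForm.php calls `session_start()` and renders `value="<?php echo htmlspecialchars(getCsrfToken()); ?>"` in the hidden field; login.php calls `session_start()`, rejects the request if `verifyCsrfToken($_POST['token'] ?? null)` is false, and after the member lookup calls `establishSession((int) $member['member_id'])`; every other page starts with `require_once 'session.php'; session_start(); verifySession();`.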

The first thing you need to do is deal with session hijacking. This means session_regenerate_id() when the user logs in. After that, you should use HTTPS.

+1
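What the answer above amounts to in code, as an added example that is not part of either answer: force HTTPS before a session cookie is ever issued, start the session with cookie flags that keep the id off plain HTTP and out of scripts, and regenerate the id at login (plus a periodic rotation afterwards, which goes a little beyond the answer). It assumes PHP 7.3 or newer for the array form of session_set_cookie_params and that the site is reachable over HTTPS; the function names are illustrative.

```php
<?php
// bootstrap.php: added example of session_regenerate_id() at login and HTTPS
// enforcement; not code from either answer. Assumes PHP 7.3+ and a site that
// can be served over HTTPS. Function names are illustrative.

// Decide whether the current request arrived over TLS.
function isHttpsRequest(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Send plain-HTTP requests to HTTPS before any session cookie is set, so the
// session id never travels in the clear.
function enforceHttps(): void
{
    if (!isHttpsRequest($_SERVER)) {
        $host = $_SERVER['HTTP_HOST'] ?? 'localhost';
        header('Location: https://' . $host . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit();
    }
}

// Start the session with hardened id and cookie handling:
//   use_strict_mode   rejects ids the server never issued
//   use_only_cookies  never reads the id from the URL
//   Secure/HttpOnly/SameSite keep the cookie off HTTP, away from scripts,
//   and off most cross-site requests
function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After a successful password check: a new id, the old one deleted, and a
// timestamp so the id can be rotated again later.
function onLoginSuccess(int $memberId): void
{
    session_regenerate_id(true);
    $_SESSION['member_id']    = $memberId;
    $_SESSION['id_issued_at'] = time();
}

// Rotate the id on long-lived sessions so an id that leaked earlier stops
// working after at most $maxAgeSeconds.
function rotateStaleId(int $maxAgeSeconds = 900): void
{
    $issued = $_SESSION['id_issued_at'] ?? 0;
    if (isset($_SESSION['member_id']) && time() - $issued > $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['id_issued_at'] = time();
    }
}
```

Every page would begin with `require_once 'bootstrap.php'; enforceHttps(); startSecureSession(); rotateStaleId();`, and login.php would call `onLoginSuccess((int) $member['member_id'])` once the credentials have been verified. The `secure` flag means the cookie is never sent over HTTP at all, which is why the redirect has to happen before session_start().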

Source: https://habr.com/ru/post/895774/
