NYCPHP Meetup

NYPHP.org

[nycphp-talk] Session Handling

Jonathan hendler at simmons.edu
Mon Aug 1 10:01:27 EDT 2005 

I've had similar questions regarding IP security.
We didn't use IP addresses to uniquely identify users because they were 
redundant.
We tried to hash browser agents and other items client items to identify 
users.
Here is the belief that I would also like to know a definitive answer to 
that made us not use IP addresses:
corporate networks, some schools, AOL, and other groups behind a 
gateway/router are all going to appear to be the same IP.
There was a "forwarded" ip that could append an internal IP with the 
gateway IP or something to that affect, but I haven't implemented 
anything like that and would like to know if it is practical.

We require cookies and SSL and that seems to do the trick for most 
secure apps.

Joseph Crawford wrote:

> Hello Everyone,
>
> I have implemented my session handling to take place in the database 
> rather than flat files on the system.  No i have a question.  I read 
> somewhere that it is always good to check the IP of the user to make 
> sure the session has not been hijacked.  Would the following be secure 
> enough for that?
>
>
> <?php
>
> class session
> {
>     /* Define the mysql table you wish to use with
>     this class, this table MUST exist. */
>     private $table = "sessions";
>     private $_db;
>     private $_page;
>     private $_sess_id;
>     private $_ip;
>
>
>     public function __construct(Database $db) {
>         $this->_db = $db;
>     }
>
>     public function init() {
>         $this->_sess_id = session_id();
>         $this->_page = $_SERVER['REQUEST_URI'];
>         $this->_ip = $_SERVER['REMOTE_ADDR'];
>        
>         $this->CheckIP();
>     }
>
>     public function open($path, $name) {
>
>         return TRUE;
>     }
>
>     /* Close session */
>     public function close() {
>         /* This is used for a manual call of the
>         session gc function */
>         $this->gc(0);
>         return TRUE;
>     }
>
>     /* Read session data from database */
>     public function read($ses_id) {
>
>         $session_sql = "SELECT * FROM " . $this->table
>         . " WHERE ses_id = '$ses_id'";
>         $session_res = $this->_db->Query($session_sql);
>         if (!$session_res) {
>             return '';
>         }
>
>         $session_num = $this->_db->NumRows($session_res);
>         if ($session_num > 0) {
>             $session_row = $this->_db->FetchArray($session_res);
>             $ses_data = $session_row["ses_value"];
>             return $ses_data;
>         } else {
>             return '';
>         }
>     }
>
>     /* Write new data to database */
>     public function write($ses_id, $data) {
>
>         $this->init();
>
>         $session_sql = "UPDATE " . $this->table
>         . " SET ses_time='" . time()
>         . "', page='".$this->_page
>         . "', ses_value='$data' WHERE ses_id='$ses_id'";
>         $session_res = $this->_db->Query($session_sql);
>         if (!$session_res) return FALSE;
>
>         if($this->_db->AffectedRows()) return TRUE;
>
>         $session_sql = "INSERT INTO " . $this->table
>         . " (ses_id, ses_time, ses_start, page, ip, ses_value)"
>         . " VALUES ('$ses_id', '" . time()
>         . "', '" . time() . "', '$this->_page', '$this->_ip', '$data')";
>         $session_res = $this->_db->Query($session_sql);
>         if (!$session_res) return FALSE;
>         else return TRUE;
>     }
>
>     /* Destroy session record in database */
>     public function destroy($ses_id) {
>         $session_sql = "DELETE FROM " . $this->table
>         . " WHERE ses_id = '$ses_id'";
>         $session_res = $this->_db->Query($session_sql);
>         if (!$session_res) return FALSE;
>         else return TRUE;
>     }
>
>     /* Garbage collection, deletes old sessions */
>     public function gc($life) {
>         $ses_life = strtotime("-5 minutes");
>
>         $session_sql = "DELETE FROM " . $this->table
>         . " WHERE ses_time < $ses_life";
>         $session_res = $this->_db->Query($session_sql);
>
>
>         if (!$session_res) return FALSE;
>         else return TRUE;
>     }
>
>     private function UpdatePage() {
>         $session_sql = "UPDATE ".$this->table." SET 
> page='".mysql_real_escape_string($this->_page)."' WHERE 
> ses_id='".$this->_sess_id."'";
>         $this->_db->Query($session_sql);
>     }
>
>     private function CheckIP() {
>         $intIP = explode('.', $this->_ip);
>         $curIP = explode('.', $_SERVER['REMOTE_ADDR']);
>         if( !strcmp($intIP, $curIP) ) {
>             $sess_sql = "DELETE FROM ".$this->table." WHERE 
> ses_id='".$this->_sess_id."'";
>             $this->_db->Query($sess_sql);
>             session_destroy();
>         }
>     }
> }
> ?>
>
>
> Is this a good enough check for the IP?  If the IP check fails it 
> should remove the session from the database, but also it calls 
> session_destroy  Why did i do it this way rather than just calling 
> $this->destroy() or just using session_destroy?  I noticed that it was 
> not actually removing the session from the database if i did not 
> actuall make the database query myself.  Any criticism would be 
> appreciated as this is my first attempt at storing sessions in the 
> database (with the help of a zend tutorial)
> -- 
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com <mailto:codebowl at gmail.com>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>

More information about the talk mailing list