PHP session security.

Scoobler

Hello,

I am trying to build a site, it is very low usage as in there are really only 12 or so people who will acutally use the site, maybe more guests, but not many.

I am trying to create a security system for it, each page has several uses. Here is a very cut down version of my code:

<?php

####################
# The following code is part of a file included in every viewable page.
####################

// Start session off
session_start();

// Encrypt a finger print:
$setword = "SomethingAboutThisSite";
// Include: IP,	Browser, Username, 
//					Setword - Make sure this finger print is unique to this site.
//					User Active - incase a user is deactivated during their session by a higher user.
$setfinger = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_ADDR'].$setword.$_SESSION['user'].$_SESSION['user_active']);

####################
# The following takes place after sucessfull completion of username and password 
# in a login script.
####################

$_SESSION['user_finger'] = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_ADDR'].$setword.$username.$user_active);
// Username, as entered. User_active is taken from the DB.


####################
# Each page has multiple purposes, guests, users and higher users, this is how its checked:
####################

// Check if the user is authenticated:
if (($_SESSION['user_finger'] == $setfinger) & ((time() - $_SESSION['login_time']) < 3600 ))
{
	if ($_SESSION['user_level'] == "higher")
	{
		// Whatever a higher powered user can do on this page.
	}
	else
	{
		// Whater a normal user can do on this page.
	}
else
{
	// What ever a guest can do on this page.
}

####################
# Each page has a footer which tidies up some script and formatting of the page
####################

// Included is some code to extend the log in time, so as long as they are
// active they stay logged in.

// There is also some code which adds details to a database to show when the user
// was last active and what page they were viewing. 
// This is so higher users can see who is currently logged in and what they are 
// doing. 
// Any entry past the sessions expiry time is removed from the database.
// A log is also made against the users details of their last activity time, which 
// remains till their next login.

?>

What do people think?

What are the security risks with using something like this?

The actual code won't be public in anyway so variables and things shouldn't be known?

Thanks in advanced!

Scoobler.

knowj

As with most session systems you are venerable to session hijacking.

No login script is completely secure but security is really something to measure on the value of the information

If you have access to millions of $$$ or £££ the security would need to be much greater then the security to protect your mates from reading your diary entry.

People will invest money in getting at valuable information if they can get a return otherwise.

On a site with 12 users the most basic session script should be sufficient. just cover your back on your login against brute force and SQL injection etc...

Also you already have a unique ID (the session ID) so you dont need the hash read this post for a deeper insite:
http://phpbuilder.com/board/showthread.php?t=10352793

s0me0ne

Read this dudes blog
http://shiflett.org/

He is pretty much a security guru. You'll learn a lot, he has written several books on security.

Weedpacket

knowj wrote:
On a site with 12 users the most basic session script should be sufficient.

Of course, "number of people who should have access" isn't a very good measure of "how important it is to maintain confidentiality".

$setfinger = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_ADDR'].$setword.$_SESSION['user'].$_SESSION['user_active']);

$_SESSION['user_finger'] = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_ADDR'].$setword.$username.$user_active);
// Username, as entered. User_active is taken from the DB.

So the justification for doing this (rather than simply seeing if, say, $_SESSION['is_logged_in'] is true) is in case someone is able to get hold of your stored session data? That would be more of a risk in a shared hosting environment where you're using files to store session data (instead of dedicated hosting, or db storage or session data, or both). If you've got a dedicated server and an attacker can get in to get the session data, then this code isn't going to slow them down any.