$_SERVER['REMOTE_ADDR']+Password for session authentication?

Discussion in 'PHP' started by Devant, Mar 19, 2009.

  1. #1
    Hello there, first time in the DPF so please excuse me for any misdemeanors relative to the local etiquette :D

    Considering a Login.htm -> Authentication.php -> Main.php model, I would like to be as sure as possible that the user accessing the Main.php is the expected one, so, essentially, I am writing code against session hijack. Also, take note that once in Main.php, every internal action is submitted to the same page, so I am checking for session verification in every refresh.

    My thought is that at the moment a user provides valid authentication at the Login.php (checked at Authentication.php which redirects to Main.php if successful), a hash containing the user's password(hashed again), and the user's IP is inserted into the DB, along with a timestamp, the user's name, and a boolean (TRUE while the session is still active, FALSE otherwise). In addition, the hash of the password is submitted via POST.

    Every time the Main.php is loaded, it creates a hash, based on the POSTed password hash, and the user's IP, and compares it with the valid sessions in DB. It proceeds with the rest of the code only if the comparison is successful.

    Also, it compares the current timestamp, with that in the DB, and succeeds only if it is not above 5 minutes (meaning the user hasn't taken an action for that long).

    As you can see, the entire authentication process is done server side, with the sole exception of the IP retrieval, and the name/password inserted by the user.

    Of course, name/password retrievals are checked for illegal characters before proceeding.

    I suppose it is evident that I do not use the in-built $_SESSION nor do I make use of HTTP_REFERER. I consider the first redundant, and the latter insecure and unreliable.

    I kindly ask for an evaluation of the above presented code description as far as security against session hijacking is considered. Thanks in advance. :D
     
    Devant, Mar 19, 2009
  2. abmathur
    #2
    In my opinion you are only stressing your server; even the session that you are taking such hardship for could be hijacked, so it's basically wasting resources.

    And without a session variable I assume you ask the user for the password after every 5 minutes of idle time, which is inconvenient for the user.
     
    abmathur, Mar 19, 2009
  3. Devant
    #3
    As far as the server stress, this is something I am worried about.

    No, no need to ask for the password again; every time the session is validated as correct, it puts a new timestamp.

    Could you please tell me a possible hijacking scenario under those circumstances?

    I do not so much care about direct server hijacking, since server security is the responsibility of my host, and anyway in such cases I do not think any coding could save me.
     
    Devant, Mar 19, 2009
  4. abmathur
    #4
    If you are not asking for the password then you are calling a session variable, aren't you? And that puts you back where you started from.
     
    abmathur, Mar 19, 2009
  5. Devant
    #5
    Uhm, actually no. I simply pass the hashed password via POST, in each refresh. In the DB, I have stored this (pseudocode):

    hash($_SERVER['REMOTE_ADDR'] + hash(password))

    So, with the POSTed hash(password), and with $_SERVER['REMOTE_ADDR'] I make a string, that is compared to the DB. If a match is found, this means:

    The user knows the password, since to be POSTed, he logged in with it. The user has the same IP address.

    If the match is successful, I simply UPDATE the timestamp.
     
    Devant, Mar 19, 2009
  6. abmathur
    #6
    In my opinion passing POST data in every refresh is not only bad for the server side but the client side too, since the data is stored in the browser, and unless you are using a secure transit connection a person with the correct information can jack it from there.

    I don't see how it would be bad to simply hash session id + user IP and store it in the database. Session hijacking is easy but jacking an IP is not very easy, and your hash will only verify if the IP and session both match. It would ease your server as well as provide faster load times. You can add a timestamp the same way.

    Sessions are very good if used correctly; even the biggies like Google and PayPal use sessions. Keep tweaking until you find your best option. :)
     
    abmathur, Mar 19, 2009
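
The scheme suggested in post #6 (session id + user IP hashed and stored server-side, with a timestamp), sketched as an added example that is not code from either poster. The in-memory `$store` array standing in for the DB table, the HMAC key, the function names and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration: bind a random session ID to the client IP, with the
// 5-minute idle timeout from the thread. $store stands in for the DB table.
const IDLE_LIMIT = 300; // seconds
const SERVER_KEY = 'constructed-example-key'; // placeholder; load from config in practice

function bindingFor(string $sessionId, string $ip): string
{
    // Keyed hash (HMAC) rather than a bare hash, so a stored value cannot be recomputed without the server key.
    return hash_hmac('sha256', $sessionId . '|' . $ip, SERVER_KEY);
}

function startSession(array &$store, string $user, string $ip, int $now): string
{
    $sessionId = bin2hex(random_bytes(32)); // unpredictable token handed to the client
    $store[bindingFor($sessionId, $ip)] = ['user' => $user, 'last_seen' => $now, 'active' => true];
    return $sessionId;
}

function validateSession(array &$store, string $sessionId, string $ip, int $now): ?string
{
    $key = bindingFor($sessionId, $ip);
    if (!isset($store[$key]) || !$store[$key]['active']) {
        return null; // unknown token, retired row, or token presented from another IP
    }
    if ($now - $store[$key]['last_seen'] > IDLE_LIMIT) {
        $store[$key]['active'] = false; // idle too long: retire the row
        return null;
    }
    $store[$key]['last_seen'] = $now; // sliding timeout: refresh on every valid hit
    return $store[$key]['user'];
}

// Constructed sample run; the IPs are documentation-range addresses.
$store = [];
$t0 = 1237420800; // constructed timestamp
$sid = startSession($store, 'devant', '192.0.2.10', $t0);
var_dump(validateSession($store, $sid, '192.0.2.10', $t0 + 60));   // same IP, within the limit
var_dump(validateSession($store, $sid, '198.51.100.7', $t0 + 90)); // same token, different IP
var_dump(validateSession($store, $sid, '192.0.2.10', $t0 + 361));  // more than 5 minutes idle
var_dump(validateSession($store, $sid, '192.0.2.10', $t0 + 400));  // row already retired
```

Binding to `REMOTE_ADDR` only rejects a token replayed from a different address: clients behind the same NAT or proxy present the same IP, and a legitimate user whose address changes mid-session is logged out.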
  7. Devant

    #7
    Well, as much as I try, I cannot find a hole in what you say :D it does what I want it to do, but simpler, faster and more secure than how I wanted to do it :D

    As I understood, it is nearly impossible to be secure from session hijacking, but at least I can work around the idea that the stolen session will be obsolete.

    Thank you a lot for your assistance :D
     
    Devant, Mar 19, 2009
  8. abmathur
    #8
    Not nearly, it's completely impossible to be at 100%; it's just that one should be awake and not let loose. Your method is practically working, but if you start to analyze then you will find that it could be made better. So just keep on going; when you feel "I am done" then others will start feeling "we should start".

    Best of luck. :)
     
    abmathur, Mar 20, 2009