www.webdeveloper.com

Thread: Randomized Session Keys

  1. #1 (Join Date: Aug 2003, Posts: 37)

    Randomized Session Keys

    I have a quick question I was hoping someone could shed some light on. I have two pages I wanted to pass an object between. Basically, my way of doing it was to serialize the object and store it in a session variable that was randomized by an mt_rand between 0 and 99999. So for instance, you would load the page, it would generate 12345, and store the serialized object in $_SESSION[12345]. I then created a form that had that randomized value (12345) in a hidden input that was passed to the second page.

    On the second page, the script would take that value, and look for it within the session, so, in this case, if $_SESSION['12345'] existed, it would load, but if not, it wouldn't. By doing this I would prevent people from loading the page with faked information on the object, or from reloading the page, as I destroyed both the object and the randomized value from the session at the end of the page. This was key to preventing an unfair exploit within my script.

    My question is why this wouldn't work. The randomized value would stay in the session, and the object would, but only for the first page. As soon as the second page was loaded, it was just gone, as if it had never been set.

    I re-worked it so they are both stored within set variables (in this case $_SESSION['object'] and $_SESSION['objectno']). It does work, and I think it will stop all the things that I expected to happen exploit-wise, so I don't think I absolutely need it to work the way I had originally planned. I'm really just interested in why it didn't work.

    If anyone could shed any light on this it would be greatly appreciated.

  2. #2 (Join Date: Jan 2009, Posts: 3,346)
    Sounds like it might be a coding logic problem. Post some code so we can take a look at it.

  3. #3 (Join Date: Aug 2003, Posts: 37)
    This is basically the simplified code, as everything is done within the object.

    Page 1:
    PHP Code:
    session_start(); // called on every page
    $object = new object; // placeholder for the real class
    $rand = mt_rand(0, 99999);
    $_SESSION[$rand] = serialize($object);

    echo(
    "<form action=\"page2.php\" method=\"post\">
    <input type=\"hidden\" name=\"id\" id=\"id\" value=\"{$rand}\" />
    <input type=\"submit\" name=\"go\" id=\"go\" value=\"Go!\" />
    </form>"
    );
    Page 2:
    PHP Code:
    session_start(); // called on every page
    $id = $_POST['id'];
    $object = unserialize($_SESSION[$id]);
    Using print_r of $_SESSION on page 1 shows that the object does exist within the session; however, using it on page 2 shows that it seems to have vanished from the session.

  4. #4 (Join Date: Nov 2008, Posts: 2,477)
    Are you calling session_start on page 2?

  5. #5 (Join Date: Aug 2003, Posts: 37)
    It, along with session_regenerate_id, is called on every page. The entire project is one page (index) that loads a bunch of modules in its main section.

    EDIT: Everything else within the session stays; it's just the object that doesn't.
    Last edited by shmeeps; 06-03-2009 at 01:00 PM.

  6. #6 (Join Date: Nov 2008, Posts: 2,477)
    Have you checked it is being added to the session correctly in the first place? Can't really think of anything else which would cause this.

  7. #7 (Join Date: Aug 2003, Posts: 37)
    Yeah, again, using print_r right after it is assigned to the session variable on page 1 shows that it does get set, but by page 2 it has disappeared, leaving the rest of the session untouched.

  8. #8 (Join Date: Nov 2008, Posts: 2,477)
    Can you post up the full code for both pages?
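The symptom in this thread is a known property of PHP sessions. The default session.serialize_handler ("php") writes each top-level $_SESSION entry as name|value and emits "Skipping numeric key N" for an integer key, so $_SESSION[12345] is present on page 1 but never reaches page 2, while every string-keyed entry survives, exactly as post #5 describes. Writing $_SESSION['12345'] does not help, because PHP converts that array key to the integer 12345. The following is an added example (my code, not code from the thread) that reproduces the loss with session_encode()/session_decode() and then does the two-page handoff with a CSPRNG token stored under a string key, redeemed exactly once and then discarded. GameState, HANDOFF_KEY, HANDOFF_TTL, the 32-hex-character token format and the CLI self-check are my assumptions, not the poster's code.

```php
<?php
// Added example, not code from the thread. Shows why $_SESSION[12345] does not
// survive to the next request, and a one-time handoff token under a string key.
// Run from the CLI: php handoff.php
declare(strict_types=1);

// Stand-in for the poster's object; the class name is an assumption.
final class GameState
{
    public int $score;

    public function __construct(int $score)
    {
        $this->score = $score;
    }
}

// The default "php" session serializer drops top-level integer keys with an
// E_NOTICE ("Skipping numeric key N"), so they are absent on the next request.
// Nested integer keys survive because the inner array goes through serialize().
function whatTheNextRequestSees(): array
{
    $_SESSION = [];
    $_SESSION[12345]            = serialize(new GameState(10)); // top-level integer key
    $_SESSION['pending'][12345] = serialize(new GameState(10)); // nested integer key
    $encoded = @session_encode();   // "@" hides the E_NOTICE for the demo only
    $_SESSION = [];
    session_decode($encoded);       // restores what session_start() would see
    return $_SESSION;
}

const HANDOFF_KEY = 'handoff';  // string key: survives session serialization (assumption)
const HANDOFF_TTL = 300;        // seconds a stashed object stays redeemable (assumption)

// Page 1: keep the object server-side; the browser gets only an opaque token.
function stashObject(object $obj): string
{
    $token = bin2hex(random_bytes(16));   // 128-bit CSPRNG token instead of mt_rand(0, 99999)
    $_SESSION[HANDOFF_KEY][$token] = [
        'data'    => serialize($obj),
        'expires' => time() + HANDOFF_TTL,
    ];
    return $token;
}

// Page 2: redeem the token once. Malformed, unknown, expired or already-used
// tokens all yield null, so a forged or replayed POST gets nothing.
function redeemObject(string $token): ?GameState
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;                               // never use raw POST data as an array key
    }
    $entry = $_SESSION[HANDOFF_KEY][$token] ?? null;
    if ($entry === null) {
        return null;
    }
    unset($_SESSION[HANDOFF_KEY][$token]);         // consume before any further check
    if ($entry['expires'] < time()) {
        return null;
    }
    // The payload came from our own session, not from the client, but restrict
    // unserialize() to the expected class anyway.
    $obj = unserialize($entry['data'], ['allowed_classes' => [GameState::class]]);
    return $obj instanceof GameState ? $obj : null;
}

// Self-check: throws if the session layer behaves differently from the comments above.
function selfCheck(): void
{
    if (!session_start()) {
        throw new RuntimeException('could not start a session from the CLI');
    }

    $restored = whatTheNextRequestSees();
    if (isset($restored[12345]) || !isset($restored['pending'][12345])) {
        throw new RuntimeException('unexpected session serialization behaviour');
    }

    $token  = stashObject(new GameState(10));
    $hidden = sprintf('<input type="hidden" name="id" value="%s" />',
        htmlspecialchars($token, ENT_QUOTES, 'UTF-8'));   // how page 1 would embed it

    $first  = redeemObject($token);    // the legitimate POST from the form
    $second = redeemObject($token);    // a reload/replay of the same form
    $forged = redeemObject('12345');   // a guessed id in the old 0..99999 range
    if (!($first instanceof GameState) || $first->score !== 10
        || $second !== null || $forged !== null) {
        throw new RuntimeException('handoff token is not single-use');
    }
    echo $hidden, PHP_EOL, 'handoff self-check passed', PHP_EOL;
}

selfCheck();
```

The self-check expects the default session.serialize_handler=php and throws if the session layer behaves otherwise, for instance when the handler is php_serialize, which keeps integer keys and is the other way to make the original code work: ini_set('session.serialize_handler', 'php_serialize') before session_start(). Nesting the pending entries under a string key is still the better layout, because redeemObject() can validate the token format before it touches $_SESSION and unsets the entry so a reload of the form finds nothing to replay.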
