php session login security help

[deller]

Hi, i am trying to set up a php login session securely.
This is to mean, i want to prevent session hijacking and fixation.

Eventually, i want to use both a username and a password, but now it just has a password.

here is my code
everything seems to work fine, but how do i test for security flaws like hijacking and fixation?
what does checking for an IP and using session_regenerate_id() actually do?
am i better off doing this with cookies? if so, wont the password/username be vulnerable to sniffing?
what tips do you have for making this better?

I want this to be as secure as possible. (hosting doesn't allow SSL - shared)

live demo: http://bp.businessconsultingllc.com/...al/session.php

PHP Code:

<?
    session_start();
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = time();
    }
    
    if(time()-$_SESSION['created']>30)
    {
        session_destroy();
        session_unset();
        exit('TIMEOUT<br /><a href="?pass=pass">login</a>');
    }
    
    if(isset($_SESSION['pass']) && $_SESSION['pass']=='pass' && $_SESSION['ip']=$_SERVER['REMOTE_ADDR'])
    {
        session_regenerate_id();
        echo 'Already Logged In<br />';
        echo session_id ()."<br />";
        $_SESSION['ip']=$_SERVER['REMOTE_ADDR'];
    }
    else if(isset($_GET['pass']) && $_GET['pass']=='pass')
    {
        session_regenerate_id();
        echo session_id ()."<br />";
        $_SESSION['ip']=$_SERVER['REMOTE_ADDR'];
        echo $_SESSION['ip']."<br />";
        $_SESSION['pass']=$_GET['pass'];
        echo $_SESSION['pass']."<br />";
    }
    else
    {
        session_destroy();
        session_unset();
        exit('Failed<br /><a href="?pass=pass">login</a>');
    }
    
?>

[Nvenom]

Most people on here will say that sessions are the way to go and they are in most cases, But for me when it comes to logins i just use cookies multiple cookies and make sure they all match as it has never failed me. so if one dosent match they cant get in.. end of story. once again though sessions are alot more secure if you have one of those websites everyone wants to hack. Just remember the more variables that have to match the more secure it can become. (the best way to learn security is to learn hacking)

[deller]

thanks for your response. Cant cookies be sniffed? the hacker could then just put those into his browser and login as a that valid user. Or am i missing something?

I *think* the code i have works to prevent session hijacking and fixation, but i want verification. Can anyone verify?

[Nvenom]

hacking can happend no matter what if somone is determined enough. cookie sniffing is one of many ways that cookies are vulnerable. Most hackers sniff by planting other cookies that sniff it out. the one way to prevent that is to make the ip one of the things the server checks against, like yours does. A good way of being secure is to break up your security into multiple parts by grabbing a variable from a session and comparing it to a cookie. its a good way to trick hackers who think there getting everything with your cookies and are blinded by your hidden session. the other way is to completely dump somones cookies when they login to your site.. although that can piss some people off.

[deller]

Suppose i wanted to use asymetric encryption (RSA) to get login and registration data.
Is it safe to store the private key in a session? or is a database better?

Assuming i have less than 1000 users and less than 100 at a time, will this be a significant load on the server if i save private keys in the database?

[Nvenom]

You will be fine mysql servers can deal with quite a bit of traffic. Databases are always safer, just make sure to escape everthing.

[deller]

yea, about that. Whats better? addslashes() or real_mysql_escape_string()?

Whats the real difference?

[criterion9]

yea, about that. Whats better? addslashes() or real_mysql_escape_string()?

Whats the real difference?

Don't use addslashes. Always use the *_escape_* methods available for the specific DB. Add slashes doesn't properly escape many cases and can cause extra slashes to appear in your content that can be terribly difficult to track down and correct.

[deller]

OK, thanks.

Do you guys know of any other ways to protect sessions than the ones i used? i still dont know what sessionregenerateid does exactly?

[criterion9]

OK, thanks.

Do you guys know of any other ways to protect sessions than the ones i used? i still dont know what sessionregenerateid does exactly?

sessionregenerateid cause the sessid to be recreated. This is particularly useful when switching between access levels (such as from guest to admin or back). This will prevent a man-in-the-middle attack allowing a hacker to grab the sessid from a non-authenticated user and continuing to use it after the user has authenticated giving the attacker a higher privilege level then they were entitled.

I would recommend reading Essential PHP Security by Chris Shiflett. It is a relatively cheap book and a quick read but covers lots of security principles as they can be applied to PHP scripts.

[WonDer9]

I'm a noob so i have to ask, but does security require creating any kind of function or separate application? just wondering cause sometimes when creating scripts it gets hard to get by all the garble and get straight to the scripting cause of all the technical stuff.

is just escaping a string good enough for security or is this a patch thing similar to dealing with windows( pretty much never gonna be solved so deal with the risk).

[Nvenom]

escaping is really all you need to keep people from doing sql injection

[deller]

Escaping will only prevent sql injection attacks.

Escaping does not, however prevent session fixation/hijacking or other sniffing/man in the middle attacks.

Basically, you need to ask yourself how secure you want your website to be? do you just want to host a discussion forum? or are you trying to conduct ecommerce or banking on your website? or something in the middle?

for forums and other low security things, a simple login script using hashed passwords would probably be ok.

For online banking or ecommerce you want strong encryption for every message that goes between the server and client. SSL is popular, but expensive.

[WonDer9]

well that was my problem. I found SSL and they made it seem like once you had the certificate on your site they handled everything.

But I'm like that wouldn't be good enough for sites like google, facebook, or even paypal. so what else is missing in creating secure sites. kinda felt like theres this secret coding language that only a few developers know and we are just dealing with the baby stuff.
like super xml C/cocoa omega alpha beta coding and stuff.

But i'm just a noob whos not sure of his site security, thanks for the out look. Kinda feel safer to build my sites now.