[nycphp-talk] Experts help needed (Sessions)

Brian O'Connor gatzby3jr at gmail.com
Mon Aug 8 12:44:49 EDT 2005


Well I knew I was doing a poor job before, but this session discussion has 
finally brought me to finally design a new system. However, I think in order 
to prevent against something, you need to first learn how it works, which is 
why I write. What is session hijacking, and how do you do it? I'm currently 
designing a new site where security is very important, and I feel the need 
to go fully into this. If anyone could explain, or point me to some articles 
(can't really afford books at the moment, about to leave for college and 
don't really have that much money) I would greatly appreciate this. Thank 
you.

On 8/8/05, Joseph Crawford <codebowl at gmail.com> wrote:
> 
> The way I currently have it is like this:
> 
> define('SES_KEY', md5('CUSTOM_STRING'));
> 
> $key = md5($_SERVER['HTTP_USER_AGENT'].SES_KEY.session_id().$data['ses_start']);
> $key = str_mix($key, SES_KEY);
> 
> This will create a key 64 chars long. I needed a way to have it mix the 
> strings but mix them the same way every time, so str_shuffle would not work 
> for me. I created the following function which just takes the first char 
> from str1 and str2 and combines them like so:
> 
> str1_1.str2_1.str1_2.str2_2.str1_3.str2_3, etc..
> 
> function str_mix($str1, $str2) {
>     // Interleave two equal-length strings one character at a time:
>     // str1[0].str2[0].str1[1].str2[1]...  Returns FALSE on length mismatch.
>     if (strlen($str1) != strlen($str2)) return FALSE;
>     $string = '';
>     $len1 = strlen($str1) - 1;
>     for ($x = 0; $x <= $len1; $x++) {
>         // bracket offsets: the $str{$x} form was removed in PHP 8
>         $string .= $str1[$x] . $str2[$x];
>     }
>     return $string;
> }
> 
> I take this string and store it in the database next to the session_id. 
> Every page load I create this string based on my custom string and the user 
> info, and then I compare it with the one in the database. If they match, 
> everything is ok; if not, something is wrong.
> 
> -- 
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com 
> 


-- 
Brian O'Connor
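To make the quoted scheme concrete for anyone following this thread, here is an added example (mine, not Joseph's code or anything from NYPHP): the same idea of a per-session fingerprint built from the user agent, the session id and the session start time, but keyed with hash_hmac() instead of concatenating an md5 secret, compared with hash_equals(), and combined with the two things that actually keep an id from being replayed, HttpOnly/Secure cookies and session_regenerate_id() after login. It assumes PHP 7 or later and a secret supplied via an environment variable named SES_SECRET (my assumption; any out-of-source-control secret store works).

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 and a server-side
// secret in the SES_SECRET environment variable (assumption; placeholder fallback).
define('SES_SECRET', getenv('SES_SECRET') ?: 'REPLACE-WITH-LONG-RANDOM-SECRET');

// Fingerprint from attributes that stay fixed for the life of one session.
// hash_hmac() mixes in the secret properly; output is 64 hex chars like the original.
function session_fingerprint(string $sessionId, int $sessionStart, string $userAgent): string
{
    $material = $userAgent . '|' . $sessionId . '|' . $sessionStart;
    return hash_hmac('sha256', $material, SES_SECRET);
}

function current_fingerprint(): string
{
    return session_fingerprint(
        session_id(),
        (int) $_SESSION['start'],
        $_SERVER['HTTP_USER_AGENT'] ?? ''
    );
}

// Cookie flags: not readable by script (HttpOnly), only sent over TLS (Secure).
// Positional form: lifetime, path, domain, secure, httponly.
session_set_cookie_params(0, '/', '', true, true);
session_start();

if (!isset($_SESSION['fp'])) {
    // First request of this session: record start time and fingerprint server-side.
    $_SESSION['start'] = time();
    $_SESSION['fp'] = current_fingerprint();
} elseif (!hash_equals($_SESSION['fp'], current_fingerprint())) {
    // Mismatch: do not trust the session; drop it and force a fresh one.
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session check failed');
}

// Call after a successful login (privilege change): a new id invalidates any
// id that was set or captured before authentication, so recompute the fingerprint.
function on_login(): void
{
    session_regenerate_id(true);
    $_SESSION['fp'] = current_fingerprint();
}
```

The fingerprint only detects reuse from a client whose User-Agent differs, since that header is visible to whoever captures the cookie; the cookie flags, TLS and id regeneration are what limit the capture in the first place.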