InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

Menu
  • Home
  • Sitemap

Python Programming Language Best Tutorials and Code Examples

Learn Python Right Now!
Home
PHP
Preventing Session Hijacking in PHP
PHP

Preventing Session Hijacking in PHP

InfinityCoder December 6, 2016

You want make sure an attacker can’t access another user’s session.

Allow passing of session IDs via cookies only, and generate an additional session token that is passed via URLs.

Only requests that contain a valid session ID and a valid session token may access the session:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
ini_set('session.use_only_cookies', true);
session_start();
 
$salt      = 'YourSpecialValueHere';
$tokenstr  = strval(date('W')) . $salt;
$token     = md5($tokenstr);
 
if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {
    // prompt for login
    exit;
}
 
$_SESSION['token'] = $token;
output_add_rewrite_var('token', $token);

This example creates an auto-shifting token by joining the current week number with a salt string of your choice. With this technique, tokens will be valid for a reasonable period of time without being fixed.

The salt prevents someone from calculating their own MD5 hash of a date far in the future and using it to extend a session.

Without knowing the particular salt you’ve chosen, someone can’t easily produce a valid token.
We then check for the token in the request, and if it’s not found, we prompt for a new login.

If it is found, it needs to be added to generated links. output_add_re write_var() does this easily.
Note that this mechanism won’t defeat an attacker who can sniff all of the traffic between a user and your server (for example, on an unencrypted WiFi network).

Running your site over SSL is the best way to prevent that kind of attack.

Share
Tweet
Email
Prev Article
Next Article

Related Articles

Passing Input to a Program in PHP
You want to pass input to an external program run …

Passing Input to a Program in PHP

Uninstalling PEAR Packages in PHP
You wish to remove a PEAR package from your system. …

Uninstalling PEAR Packages in PHP

About The Author

InfinityCoder
InfinityCoder

Leave a Reply

Cancel reply

Recent Tutorials InfinityQuest

  • Adding New Features to bash Using Loadable Built-ins in bash
    Adding New Features to bash Using Loadable …
    June 27, 2017 0
  • Getting to the Bottom of Things in bash
    Getting to the Bottom of Things in …
    June 27, 2017 0

Recent Comments

  • fer on Turning a Dictionary into XML in Python
  • mahesh on Turning a Dictionary into XML in Python

Categories

  • Bash
  • PHP
  • Python
  • Uncategorized

InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

About Us

Start learning your desired programming language with InfinityQuest.com.

On our website you can access any tutorial that you want with video and code examples.

We are very happy and honored that InfinityQuest.com has been listed as a recommended learning website for students.

Popular Tags

binary data python CIDR convert string into datetime python create xml from dict python dictionary into xml python how to create xml with dict in Python how to write binary data in Python IP Address read binary data python tutorial string as date object python string to datetime python

Archives

  • June 2017
  • April 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
Copyright © 2021 InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more
Programming Tutorials | Sitemap