PHP Classes

Secure Session: Prevent session hijacking or session fixation

Version: secure_session 1.0.0
License: GNU General Publi...
Categories: User Management, Security
Description
This class can be used to prevent security attacks known as session hijacking and session fixation.

When a session is initialized, the class computes a fingerprint string that takes into account the browser user agent string, the client IP address (or part of it) and a secret word. If the fingerprint value changes during the session, it is very likely that the session was hijacked and it should no longer be accepted.

To prevent session fixation attacks, the class calls the PHP session_regenerate_id() function so the session identifier changes every time the session is checked.
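The fingerprint-and-regenerate approach described above, as an added illustration that is not the package's own code. It assumes PHP 8, a secret read from the `SESSION_SECRET` environment variable, and that `REMOTE_ADDR` is the real client address (no reverse proxy in front of PHP); the number of IP octets compared is a constructed choice.

```php
<?php
declare(strict_types=1);

// Added example, not the secure_session class itself: a session guard that
// fingerprints the client from its User-Agent, a prefix of its IP and a
// server-side secret, and rotates the session id on every check.
final class SessionGuard
{
    // Leading IPv4 octets that must stay constant. Comparing fewer than 4
    // tolerates clients whose address moves within a subnet (proxy pools)
    // at the cost of a weaker check. Assumption: IPv4 clients.
    private const IP_OCTETS = 3;

    public function __construct(private string $secret) {}

    private function fingerprint(): string
    {
        $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
        $ip = $_SERVER['REMOTE_ADDR'] ?? '';
        $ipPart = implode('.', array_slice(explode('.', $ip), 0, self::IP_OCTETS));
        // Keyed hash: a client cannot forge a matching value without the secret.
        return hash_hmac('sha256', $ua . '|' . $ipPart, $this->secret);
    }

    /** Starts the session and returns true only if it is still trustworthy. */
    public function check(): bool
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $expected = $this->fingerprint();
        if (isset($_SESSION['_fp']) && !hash_equals($_SESSION['_fp'], $expected)) {
            // Fingerprint mismatch: treat the session as hijacked and discard it.
            $_SESSION = [];
            session_destroy();
            return false;
        }
        $_SESSION['_fp'] = $expected;
        // Rotate the id so an id planted before login stops being valid as
        // soon as the session is used; true also deletes the old session data.
        session_regenerate_id(true);
        return true;
    }
}

// Usage: run on every request before touching session data (assumed secret source).
$secret = (string) getenv('SESSION_SECRET');
$guard = new SessionGuard($secret);
if (!$guard->check()) {
    header('Location: /login.php');
    exit;
}
```

The guard rejects a session whose fingerprint no longer matches, which is exactly why, as one of the comments below notes, clients whose IP changes between requests (rotating proxies) get logged out unless fewer octets are compared.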

Innovation Award

PHP Programming Innovation award nominee, January 2006, number 2.
Prize: One book of choice by O'Reilly
Sessions have become one of the possible features that can be exploited to perform security attacks on PHP sites.

Sessions are not insecure by themselves, but if they are not used with a certain care, they may eventually be abused by malicious users.

Session hijacking abuses can happen when somebody with privileged network access can sniff traffic that goes to a potential victim site. Session fixation abuses can happen when a site uses the same session identifier for the same user before and after he authenticates to log in.

This class provides a solution to prevent these kinds of session abuses, so that PHP sites that use sessions do not become compromised.

Manuel Lemos

Author: Vagharshak Tozalakyan (22 packages, United States; Innovation award nominee 7x)

Files

- securesession.class.php: Class Source
- sample/index.php: Example Sample
- sample/login.php: Example Sample

User Comments (7)

absolutely great work.
13 years ago (Can Berk)
70%StarStarStarStar
Not the most secure way of doing things possible, but provide...
13 years ago (troy knapp)
67%StarStarStarStar
just wanted to say thanks for sharing the hard work(& update)!
13 years ago (James S)
65%StarStarStarStar
Very nicely done.
15 years ago (Michael A. Peters)
70%StarStarStarStar
does not properly handle users behind proxy servers
16 years ago (david saez)
52%StarStarStar
Great script.
16 years ago (Dennis Granger)
70%StarStarStarStar
thanks
16 years ago (calvin)
35%StarStar