Larry Ullman's Book Forums


Hi Larry,

This post is in regard to an idea regarding improving session security.

I have read through your PHP & MySQL books (version 2 and 3).

Thank you for writing such fine books. They are excellent :-)

Here is my question:

Would an IP fingerprint value test along with the HTTP_USER_AGENT test improve _SESSION security?

Under your current heightened security method in PHP6&MySql (page 358) we rely on the below $_SESSION['HTTP_USER_AGENT'] to create a user agent value at login. Then, each time a page is accessed after login this value is tested.

<?php

// Create the agent session variable.
$_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);

// On logged in pages / restricted access pages.
// Run this test
$user_print = md5($_SERVER['HTTP_USER_AGENT']);

if ( (!isset($_SESSION['agent'])) || ( $user_print != ($_SESSION['agent']) )) {
    // Refuse access: the agent value is missing or does not match.
}

?>

Every time a restricted access page is accessed we test this _SESSION agent value against the current fingerprint value of the user. If they do not match then we know the session has been hijacked and we kick the user out. Thus, if someone wants to hijack a user's session they must 1.) mimic the real user's operating system and browser settings etc. 2.) Hijack the current user's session id.

I am thinking about adding another test using $_SERVER['REMOTE_ADDR']. According to the PHP5 manual the $_SERVER['REMOTE_ADDR'] returns the IP address from which the user is viewing the current page. Then, we would have a second test which would be something like:

<?php

// Set this session variable in the login page.
$_SESSION['ipRecord'] = md5($_SERVER['REMOTE_ADDR']);

// Run this test on the Logged in pages.
$userIp = md5($_SERVER['REMOTE_ADDR']);

if ( (!isset($_SESSION['ipRecord'])) || ( $userIp != ($_SESSION['ipRecord']) )) {
    // Refuse access: the IP record is missing or does not match.
}

?>

If we made this $_SESSION['ipRecord'] variable, then we would test the $_SESSION['agent'] value and the $_SESSION['ipRecord'] value every time a restricted access page would be requested. I was thinking this would require a malicious user to mimic two user settings rather than one. They would be required to:

1.) Know what the user's OS and browser are and then have to make their machine imitate these values. 2.) They would also have to know the user's IP address and fake the IP address on their machine too. Is it hard for a malicious user to fake an IP address?

Would this improve the security of a site? Or, would it just increase the complexity of my code without any security benefit? Any advice would be much appreciated. :-)

Regards.


Thanks for the nice words on the books. It is appreciated. In answer to your question, yes, that would improve security, in theory. Which is the same for the session agent. The trick in both cases is that sometimes the ISP (of the user) lumps multiple users' information into one, or provides generic information. For example, at a public library, every computer might have the same agent information (because all computers would be running the exact same software) and every computer might have the same visible IP address. So these two techniques wouldn't prevent someone pulling a trick from the same exact place. But I do think it would add a tad more security, as it limits the likelihood of success from separate computers in separate areas. As another example of using IP addresses, a couple of personal finance sites I use record the IP address that I normally use. If I access the sites from another IP address, secondary security questions and approaches are used to verify it's me.
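
Added example, not part of either post or of the book's code: the two checks from the question combined in one function, with an address change leading to secondary verification (as in the finance-site example) instead of an outright refusal. The function names, the 'ok' / 'verify' / 'deny' results and the sample requests are assumptions; SHA-256 and hash_equals() stand in for md5() and !=.

```php
<?php
// Added example. Function names and result strings are hypothetical.

// Call once at login: store both fingerprints in the session array.
function record_fingerprint(array &$session, array $server): void
{
    $session['agent']    = hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
    $session['ipRecord'] = hash('sha256', $server['REMOTE_ADDR'] ?? '');
}

// Call on every restricted page with $_SESSION and $_SERVER.
function check_fingerprint(array $session, array $server): string
{
    if (!isset($session['agent'], $session['ipRecord'])) {
        return 'deny';   // not logged in, or session data incomplete
    }
    $agent = hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
    $ip    = hash('sha256', $server['REMOTE_ADDR'] ?? '');

    if (!hash_equals($session['agent'], $agent)) {
        return 'deny';   // user agent changed mid-session
    }
    if (!hash_equals($session['ipRecord'], $ip)) {
        return 'verify'; // new address: ask the secondary questions
    }
    return 'ok';
}

// Constructed sample requests (documentation-range IP addresses).
$login  = [
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0',
    'REMOTE_ADDR'     => '203.0.113.10',
];
$moved  = ['REMOTE_ADDR' => '198.51.100.7'] + $login;  // same browser, new IP
$other  = ['HTTP_USER_AGENT' => 'curl/8.0'] + $login;  // same IP, other agent
$shared = $login; // library case: another machine, same software, same visible IP

$session = [];
record_fingerprint($session, $login);

$requests = ['login' => $login, 'moved' => $moved, 'other' => $other, 'shared' => $shared];
foreach ($requests as $name => $request) {
    echo str_pad($name, 8), check_fingerprint($session, $request), PHP_EOL;
}
```

The `shared` request is indistinguishable from the real user's, which is the public-library limitation described in the answer above.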
