codeLogic
Posted July 18, 2011

Hi Larry,

This post is in regard to an idea regarding improving session security. I have read through your PHP & MySQL books (version 2 and 3). Thank you for writing such fine books. They are excellent :-)

Here is my question: Would an IP fingerprint value test along with the HTTP_USER_AGENT test improve _SESSION security?

Under your current heightened security method in PHP6&MySql (page 358) we rely on the below $_SESSION['HTTP_USER_AGENT'] to create a user agent value at login. Then, each time a page is accessed after login this value is tested.

<?php
// Create the agent session variable.
$_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);

// On logged in pages / restricted access pages.
// Run this test
$user_print = md5($_SERVER['HTTP_USER_AGENT']);
if ( (!isset($_SESSION['agent'])) || ( $user_print != ($_SESSION['agent']) )) {
    // Refuse access: the stored agent value is missing or does not match.
}
?>

Every time a restricted access page is accessed we test this _SESSION agent value against the current fingerprint value of the user. If they do not match then we know the session has been hijacked and we kick the user out. Thus, if someone wants to hijack a user's session they must

1.) mimic the real user's operating system and browser settings etc.
2.) Hijack the current user's session ID.

I am thinking about adding another test using $_SERVER['REMOTE_ADDR']. According to the PHP5 manual the $_SERVER['REMOTE_ADDR'] returns the IP address from which the user is viewing the current page. Then, we would have a second test which would be something like:

<?php
// Set this session variable in the login page.
$_SESSION['ipRecord'] = md5($_SERVER['REMOTE_ADDR']);

// Run this test on the Logged in pages.
$userIp = md5($_SERVER['REMOTE_ADDR']);
if ( (!isset($_SESSION['ipRecord'])) || ( $userIp != ($_SESSION['ipRecord']) )) {
    // Refuse access: the stored IP value is missing or does not match.
}
?>

If we made this $_SESSION['ipRecord'] variable, then we would test the $_SESSION['agent'] value and the $_SESSION['ipRecord'] value every time a restricted access page would be requested. I was thinking this would require a malicious user to mimic two user settings rather than one. They would be required to:

1.) Know what the user's OS and browser are and then have to make their machine imitate these values.
2.) They would also have to know the user's IP address and fake the IP address on their machine too.

Is it hard for a malicious user to fake an IP address? Would this improve the security of a site? Or, would it just increase the complexity of my code without any security benefit?

Any advice would be much appreciated. :-)

Regards.

Larry
Posted July 18, 2011

Thanks for the nice words on the books. It is appreciated.

In answer to your question, yes, that would improve security, in theory. Which is the same for the session agent. The trick in both cases is that sometimes the ISP (of the user) lumps multiple users' information into one, or provides generic information. For example, at a public library, every computer might have the same agent information (because all computers would be running the exact same software) and every computer might have the same visible IP address. So these two techniques wouldn't prevent someone pulling a trick from the same exact place. But I do think it would add a tad more security, as it limits the likelihood of success from separate computers in separate areas.

As another example of using IP addresses, a couple of personal finance sites I use record the IP address that I normally use. If I access the sites from another IP address, secondary security questions and approaches are used to verify it's me.
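
The two checks from this thread combined with the step-up idea from the reply above, as an added example that is not from the book or from either poster. The function names and the request arrays are assumptions made for illustration; plain arrays stand in for $_SESSION and $_SERVER so the script runs from the command line, and SHA-256 is used in place of md5.

```php
<?php
// Added example, not from the book or the posts. bind_session() and
// check_session() are hypothetical names; the request arrays are constructed.

// Record the client's properties at login.
function bind_session(array &$session, array $server): void
{
    $session['agent']    = hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
    $session['ipRecord'] = hash('sha256', $server['REMOTE_ADDR'] ?? '');
}

// Returns 'ok', 'step_up' (ask secondary questions) or 'deny'.
function check_session(array $session, array $server): string
{
    if (!isset($session['agent'], $session['ipRecord'])) {
        return 'deny';                       // session was never bound at login
    }
    $agent = hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
    $ip    = hash('sha256', $server['REMOTE_ADDR'] ?? '');
    if (!hash_equals($session['agent'], $agent)) {
        return 'deny';                       // different browser/OS string
    }
    if (!hash_equals($session['ipRecord'], $ip)) {
        return 'step_up';                    // same agent, unfamiliar address
    }
    return 'ok';
}

// Constructed requests (documentation IP ranges, made-up agent strings).
$login = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '203.0.113.10'];
$cases = [
    'same user, same place'         => $login,
    'same user, new network'        => ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '198.51.100.7'],
    'other agent, elsewhere'        => ['HTTP_USER_AGENT' => 'OtherBrowser/2.0', 'REMOTE_ADDR' => '198.51.100.7'],
    'other person, same library IP' => $login, // shared address and identical software
];

$session = [];
bind_session($session, $login);
foreach ($cases as $label => $request) {
    printf("%-30s %s\n", $label, check_session($session, $request));
}
```

The last case comes back as ok even though it is a different person, which is the shared-address limitation described in the reply: both checks see identical values for every machine behind the same visible IP running the same software.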

codeLogic (Author)
Posted July 18, 2011

Thank you for the quick response.

Regards.