Need basic session randomness for dummies help.


Up to this point I've been just using cookies for user login
verification, simply seeing if a cookie is set, and if so, if the value of it
matches a set string--if so, present page, if not, present login form.
OK, you don't have to tell me how gawdawful insecure and stupid this
has been...I know. Save the insults, I am aware, thus here I am asking
about better secure info since now I'm designing a site on which
security matters and it's not just a hobby.

So, here's my problem:

I'm reading through the net and PHP manual about sessions. And
everything I'm reading seems to be leaving something very important
out as if it's too obvious and doesn't need to be included--but it's
not obvious to me and I don't know what it is.
For example:
He says:

If nothing in the world could determine you to filter every incoming
message, then the least you can do is to use a security token at all
times. A light example of such a token could be:

   $token = md5(uniqid(rand(), true));

Alright, so, how does one USE this security token?? How is it applied?
In the comments it says:

@Stelian, Go random, too! I generate a random $token (similar to the
article above) and store that in my database. Then, hashing that
token, the IP address, and the agent string gives me my fingerprint
which is stored in the visitor's session.
Every page retrieves the token from the database and rehashes it with
the IP and user agent string. Thus, a person has to (a) beat the
random token and (b) appear to be the original user. Plus, the $token
is never transmitted to the client in any way unless it's been hashed.

Well, that sounds really good and something I'd like to emulate...but
how does putting a randomly created "token" in the DB possibly help?
How is it used? If it's random, how in the world do you compare the
sessionid which was generated with the help of a random string against
a token that's presumably different on every page and page visit??

In the PHP manual I see the most VERY basic of just seeing if
sessionid is set and if not, login, to user comments that deal with
extremely complex advanced issues...but I'm missing the part in
between where just basic randomness is introduced to the sessionid
process, before people go off on theory and technique debates of "my
hash can beat your hash up".

Does that make sense?
I can try to clarify more if need be, but I think if someone could
provide an example of basic "session 101" create and compare which
uses the most basic element of randomness (in the form of this
"token") I can then go off and research different methods of
generating a secure fingerprint.
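The "session 101" create-and-compare pair the quoted comment describes, written out as an added example (this is not code from the thread or from the article being quoted). It assumes PHP 7+ (random_bytes, hash_equals, the null-coalescing operator); the $users array is a constructed stand-in for the database table, and the function names, the user "alice" and her password are made up for the illustration. The token never reaches the browser: only its hash with the IP and user agent is kept in $_SESSION, and every request recomputes that hash from the stored token and compares.

```php
<?php
// Added example, not from the thread: "random token in the DB, fingerprint in
// the session". $users is a constructed stand-in for a DB table.

$users = [
    // username => [password hash, current session token]
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'token' => null],
];

// Step 1: on successful login, mint a fresh random token and store it server-side.
// random_bytes() is CSPRNG-backed; md5(uniqid(rand(), true)) from the article is
// derived from the clock and a weak PRNG, so it is deliberately not used here.
function issueToken(array &$users, string $user): string {
    $token = bin2hex(random_bytes(32));
    $users[$user]['token'] = $token;        // "store that in my database"
    return $token;
}

// Step 2: the fingerprint binds the secret token to what the client looks like.
// Only this hash is put in $_SESSION; the token itself never leaves the server.
function fingerprint(string $token, string $ip, string $agent): string {
    return hash('sha256', $token . '|' . $ip . '|' . $agent);
}

function login(array &$users, string $user, string $password, string $ip, string $agent): bool {
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);            // new session id on login (drops the pre-login id)
    $token = issueToken($users, $user);
    $_SESSION['user'] = $user;
    $_SESSION['fp']   = fingerprint($token, $ip, $agent);
    return true;
}

// Step 3: on every page, fetch the token from the "DB", rehash, and compare.
// A token of null means it was revoked (logout, password change), which logs
// out every browser holding a fingerprint for it.
function isLoggedIn(array $users, string $ip, string $agent): bool {
    if (empty($_SESSION['user']) || empty($_SESSION['fp'])) {
        return false;
    }
    $token = $users[$_SESSION['user']]['token'] ?? null;
    if ($token === null) {
        return false;
    }
    $expected = fingerprint($token, $ip, $agent);
    return hash_equals($expected, $_SESSION['fp']);   // constant-time comparison
}

// Usage: a single request. In a real app $users would persist between requests.
session_start();
$ip    = $_SERVER['REMOTE_ADDR']     ?? '127.0.0.1';
$agent = $_SERVER['HTTP_USER_AGENT'] ?? 'cli';

if (!isLoggedIn($users, $ip, $agent)) {
    if (login($users, 'alice', 'correct horse', $ip, $agent)) {
        echo "logged in; only the fingerprint is in the session\n";
    }
}
echo isLoggedIn($users, $ip, $agent) ? "session accepted\n" : "need to log in\n";
```

Two practical caveats: the fingerprint only raises the bar for a stolen session cookie, it does not replace TLS, and binding to the client IP will log out legitimate users whose address changes (mobile networks, proxies), so many sites bind to the user agent only or treat an IP change as a reason to re-authenticate rather than a hard failure.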

Re: Need basic session randomness for dummies help.


Based on continued searching, here's a little test of concept I came
up with...which doesn't work as I expect so, duh, I'm doing it wrong:


function getUnique(){
    global $_SERVER;   // harmless but unnecessary: $_SERVER is a superglobal
    $unique = $_SERVER['HTTP_USER_AGENT'];
    // (the original line continued with another $_SERVER[...] element; it was truncated in the archive)
    $unique .= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
    // (the else branch was truncated in the archive; an empty string is assumed here)
    $unique .= uniqid(microtime());   // microtime() string used as the uniqid() prefix
    print "pre: $unique :end";
    $uniqueID = md5($unique);
    return $uniqueID;
}
// note: getUnique() is defined above but never called below

if(!session_id() || session_id() == "") {   // "==" (comparison), not "=" (assignment)
    echo session_id() . ' NEED TO LOG IN';
} else {
    echo session_id() . ' You are logged in.';
}

all I ever get, even after deleting the PHPSESSID cookie, is:
199f397e7af895bf407c7ccd34f5ab1b You are logged in.
So, it's obviously never triggering
if(!session_id() || session_id() == "") {

But, also, that hash NEVER changes unless I manually delete PHPSESSID
cookie out of the browser, so session_destroy() doesn't seem to be
working as I expect either.

Now, aside from that, because I'm sure I'll end up figuring that one
out, is this an acceptable method of creating a session_id?
And I'm still completely flummoxed about the whole $token issue and
putting a random string in a DB and how that will help.

Any feedback on that would be great!

Re: Need basic session randomness for dummies help.


No suggestions? :(

Re: Need basic session randomness for dummies help.

Mechphisto wrote:

Per the manual:

"session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie."

So the session id in the cookie does not change.


Just let PHP generate the session id.  If you need extra security, you
should be using SSL, anyway.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
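An added example (not Jerry's code or anything from the thread) of what "just let PHP generate the session id" looks like in practice, together with a logout that actually removes the cookie, since, as the manual excerpt above says, session_destroy() on its own leaves it in the browser. It assumes PHP 7.3+ for the array forms of session_set_cookie_params() and setcookie(), and that the site is served over SSL/TLS so the "secure" cookie flag can be set; the function names and the user "alice" are made up.

```php
<?php
// Added example, not from the thread: PHP-generated session ids with hardened
// cookie settings, and a logout that clears the cookie as well as the data.

function startSecureSession(): void {
    // Set cookie attributes before the session starts. 'secure' assumes HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,       // only sent over TLS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',      // not sent on cross-site POSTs
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse ids the client made up itself
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_start();                           // PHP mints the random id
}

function loginUser(string $user): void {
    // Fresh id on login so a pre-login id handed to the browser cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
}

function currentUser(): ?string {
    return $_SESSION['user'] ?? null;
}

function logoutUser(): void {
    $_SESSION = [];                             // drop the data held in memory
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser; session_destroy() does not do this.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                          // remove the server-side record
}

// Usage: one request that logs in, reads the id PHP chose, then logs out.
startSecureSession();
if (currentUser() === null) {
    // credentials would be verified here; on success:
    loginUser('alice');
}
echo 'session id (PHP-generated): ' . session_id() . "\n";
echo 'user: ' . currentUser() . "\n";
logoutUser();
echo 'after logout user is ' . var_export(currentUser(), true) . "\n";
```

The hand-rolled getUnique() hash from the earlier post is not needed with this approach: session_start() already produces an unpredictable id, and use_strict_mode rejects any id the server did not itself issue.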
