Zend - The PHP Company




Security

A Program to Create (Relatively) Secure Sessions  

Type: code fragment
Added by: mattr
Entered: 31/07/2000
Last modified: 02/12/2004
Rating: **** (21 votes)
Views: 27920
Creates cookies to keep track of a logged-in user. A lot of md5 plus a server-side secret keeps normal "crackers" from forging tickets. Good for times when you don't have SSL. UPDATE: For added security, place secret.php outside of your web tree so that if PHP breaks they can't easily reach the hash value. Also, I forgot to add the PASSWORD into the hash! Silly me! TODO: Make the cookies update as the user continually checks in, so that they expire after X seconds of INACTIVITY rather than after a flat 36000 seconds.


<?PHP
// secret.php:
// Keep this file outside the web tree (see the UPDATE note above).
// Single quotes so the '$' characters in the seed are not interpolated.

$secret = md5( 'sdfkjsdkflhkh23hkjsdk#$@%$#%DSF' );
?>

<?PHP
// validate.php

///////////////////////
// Function Name   : validate
// Function Purpose: Validates the user's ticket and makes sure they are logged in
// Receives        : $username - the username of the current user;
//                   $session_key - the session key of the user;
//                   $expiration_time - how long till the ticket expires?;
//                   $hash - hash of all three of those + server secret;
//                   $passhash - password hash of the current user
// Returns         : 1 if validated, 0 otherwise
///////////////////////
function validate( $username, $session_key, $expiration_time, $hash, $passhash ) {

  include( "secret.php" );   // defines $secret

  // Recompute the ticket hash exactly as login.php built it
  $h = md5( $username .
            $session_key .
            $expiration_time .
            $secret .
            $passhash );

  // Strict comparison: "==" would let PHP type-juggle two hash strings
  if( $hash === $h && time( ) < $expiration_time ) {
    return 1;
  } else {
    return 0;
  } // end if

} // end function validate

// end validate.php
?>


<?PHP
  // login.php
  // do some login type stuff
  // username and password verified via some method;
  // $username holds the contents of their username
  // $password holds the contents of their password

  require( "secret.php" );

  $session_key = microtime( ) . $username;

  $expiration_time = time( ) + 36000;

  $passhash = md5( $password . $secret );

  // Ticket hash over every cookie field plus the server-side secret
  $hash = md5( $username .
               $session_key .
               $expiration_time .
               $secret .
               $passhash );

  setcookie( "username",        $username,        time( ) + 36000, "/", "" );
  setcookie( "session_key",     $session_key,     time( ) + 36000, "/", "" );
  setcookie( "expiration_time", $expiration_time, time( ) + 36000, "/", "" );
  setcookie( "hash",            $hash,            time( ) + 36000, "/", "" );
  setcookie( "passhash",        $passhash,        time( ) + 36000, "/", "" );

// end login.php
?>


Usage Example


<?PHP
  // make login.php the result of some sort of form, or just include it and add a username var
  //require( "login.php" );

  require( "validate.php" );

  // Read the ticket fields back from the cookies set by login.php
  // (the original relied on register_globals, which is off in current PHP)
  $username        = isset( $_COOKIE["username"] )        ? $_COOKIE["username"]        : "";
  $session_key     = isset( $_COOKIE["session_key"] )     ? $_COOKIE["session_key"]     : "";
  $expiration_time = isset( $_COOKIE["expiration_time"] ) ? $_COOKIE["expiration_time"] : 0;
  $hash            = isset( $_COOKIE["hash"] )            ? $_COOKIE["hash"]            : "";
  $passhash        = isset( $_COOKIE["passhash"] )        ? $_COOKIE["passhash"]        : "";
?>
<HTML>
  <HEAD><TITLE>Logged in?</TITLE></HEAD>
  <BODY>
    <P>Are you logged in?</P>
    <?PHP
      if( validate( $username, $session_key, $expiration_time, $hash, $passhash ) ) {
    ?>

      Yes you are!

    <?PHP
      } else {
    ?>

      No you are not!

    <?PHP
      } // end if
    ?>
  </BODY>
</HTML>
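The same ticket idea as login.php and validate.php above, rebuilt the way it would be done today: an HMAC instead of a bare md5 over concatenated fields, a random session key, a delimited payload, constant-time comparison, one HttpOnly/Secure cookie, and the sliding expiry the TODO asks for. This is an added example, not the gallery author's code; it assumes PHP 7.3 or later and a hypothetical secret.php that sets $secret to a long random string.

```php
<?php
// Added example, not the gallery author's code. Assumes PHP 7.3+ and a
// hypothetical secret.php that sets $secret to a long random string.

const TICKET_IDLE_SECONDS = 1800;  // sliding window: logged out after 30 min idle

// Mint a ticket: hex(username) | random session key | expiry | HMAC over the rest.
// Hex-encoding the username keeps the '|' delimiter unambiguous, so fields cannot
// be shifted into one another the way plain concatenation allows.
function ticket_mint(string $username, string $secret): string {
    $payload = implode('|', [
        bin2hex($username),
        bin2hex(random_bytes(16)),             // unpredictable, unlike microtime().$username
        (string)(time() + TICKET_IDLE_SECONDS),
    ]);
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Verify a ticket; returns the username, or null if forged, malformed or expired.
function ticket_verify(string $ticket, string $secret): ?string {
    $parts = explode('|', $ticket);
    if (count($parts) !== 4) { return null; }
    [$userHex, $key, $exp, $sig] = $parts;
    $expected = hash_hmac('sha256', "$userHex|$key|$exp", $secret);
    // hash_equals: constant-time, and no "==" type juggling between hash strings
    if (!hash_equals($expected, $sig)) { return null; }
    if (!ctype_digit($exp) || time() >= (int)$exp) { return null; }
    if (!ctype_xdigit($userHex) || strlen($userHex) % 2 !== 0) { return null; }
    return hex2bin($userHex);
}

// One cookie carries the whole ticket. HttpOnly keeps page script from reading it;
// Secure keeps it off plain HTTP once TLS is in place.
function ticket_set_cookie(string $ticket): void {
    setcookie('ticket', $ticket, [
        'expires'  => time() + TICKET_IDLE_SECONDS,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Per request: verify, then re-mint so the expiry slides with activity (the TODO above).
require 'secret.php';
$user = isset($_COOKIE['ticket']) ? ticket_verify($_COOKIE['ticket'], $secret) : null;
if ($user !== null) {
    ticket_set_cookie(ticket_mint($user, $secret));
}
```

Because the secret never leaves the server and the signature covers every field, a client that edits the expiry or username in the cookie fails hash_equals before the expiry is even looked at.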

