want to create a session class

  • Golf Nut

    want to create a session class

    hello all!

    I would like to create a session class which would transparently handle
    sessions as well as serialize, encode and compute an md5 hash of all
    $_REQUEST information. This would essentially intercept all $_GET strings
    and $_POST data.

    I would envision upon session creation (in the session class constructor)
    that a random string secret would be created that would be saved to
    $_SESSION['secret'] for example. I would take all the $_REQUEST data,
    base64_encode() it, then serialize it and perform an md5() on it
    concatenated with the secret. The base64_encoded serialized data would be
    saved along with the hash in $_SESSION.

    I guess I'm having a hard time conceptualizing this, much less explain it. I
    hope someone can understand what I'm trying to do. Basically, I want to
    ensure that any POST and GET data isn't hijacked or tampered with, which
    would be verified upon using the passed data by verifying against the hash.
    Perhaps the secret shouldn't be put in $_SESSION, since a user could
    potentially see this? Is there somewhere else I could store this?

    I am also doing this to make sure that, if in my code I'm performing simple
    functions like mysite.com?action=edit&id=55, that someone doesn't
    arbitrarily mess with the id or action, since this URL would be rewritten
    and/or passed solely using the GET string in the $_SESSION as described
    above.

    Anyone have any ideas, comments or suggestions as to what I should do?

    TIA!

    -GN



  • Andrew Crowe

    #2
    Re: want to create a session class

    Hi,

    I'm not sure what you are trying to do will work, as surely if a user does
    edit the GET string by selecting "Copy Shortcut" and pasting it into the
    address bar then these incorrect values will be sent to the page and be
    hashed incorrectly. It would only work if a user clicked on a link then
    edited it, but this might also incorrectly catch users that click a link,
    then press back and click a different link.

    A better way to protect a web application from user hacking is to, at every
    possible opportunity, test user data to make sure that they are allowed to
    edit certain records eg. as soon as you get the id=55 check whether that
    user has permission to access record no.55, and if not abort the page.

    Also another very important thing to guard against is SQL injection bugs in
    your code.

    As for checking whether post/get data isn't hijacked there's no way to know
    for sure as a hacker will probably have the ability to do that
    transparently, the best you can do is use an SSL server but that won't
    protect the system from users with viruses/trojans installed on their
    machine.


    Oh by the way the user shouldn't be able to access any variables in
    $_SESSION unless your code prints them to the screen

    Regards,
    Andrew Crowe

    "Golf Nut" <trippsathyperconcom-golfnut@yahoo.com> wrote in message
    news:_LKsc.8868$Tn6.3252@newsread1.news.pas.earthlink.net...
    > hello all!
    >
    > I would like to create a session class which would transparently handle
    > sessions as well as serialize, encode and compute an md5 hash of all
    > $_REQUEST information. This would essentially intercept all $_GET strings
    > and $_POST data.
    >
    > I would envision upon session creation (in the session class constructor)
    > that a random string secret would be created that would be saved to
    > $_SESSION['secret'] for example. I would take all the $_REQUEST data,
    > base64_encode() it, then serialize it and perform an md5() on it
    > concatenated with the secret. The base64_encoded serialized data would be
    > saved along with the hash in $_SESSION.
    >
    > I guess I'm having a hard time conceptualizing this, much less explain it. I
    > hope someone can understand what I'm trying to do. Basically, I want to
    > ensure that any POST and GET data isn't hijacked or tampered with, which
    > would be verified upon using the passed data by verifying against the hash.
    > Perhaps the secret shouldn't be put in $_SESSION, since a user could
    > potentially see this? Is there somewhere else I could store this?
    >
    > I am also doing this to make sure that, if in my code I'm performing simple
    > functions like mysite.com?action=edit&id=55, that someone doesn't
    > arbitrarily mess with the id or action, since this URL would be rewritten
    > and/or passed solely using the GET string in the $_SESSION as described
    > above.
    >
    > Anyone have any ideas, comments or suggestions as to what I should do?
    >
    > TIA!
    >
    > -GN
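
Added example, not part of the original posts: the per-request permission check and bound-parameter query suggested in the reply above, written in PHP. The `records` table, its `owner_id` column and the sample rows are constructed for illustration, and the PDO SQLite driver is assumed to be available.

```php
<?php
// Added example: constructed schema and rows, not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec("INSERT INTO records VALUES (55, 1, 'quote for user 1'), (56, 2, 'quote for user 2')");

/**
 * Return the record only if $userId owns it, null otherwise.
 * $rawId is the untrusted value taken from $_GET['id'].
 */
function loadOwnedRecord(PDO $db, int $userId, $rawId): ?array
{
    // Reject anything that is not a positive integer before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameters keep the id out of the SQL text, and the owner_id
    // condition is the permission check itself.
    $stmt = $db->prepare('SELECT id, body FROM records WHERE id = :id AND owner_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$currentUser = 1; // would come from $_SESSION after login
foreach (['55', '56', '55 OR 1=1', '-3'] as $candidate) {
    $row = loadOwnedRecord($db, $currentUser, $candidate);
    printf("id=%-10s => %s\n", $candidate, $row ? $row['body'] : 'denied');
}
```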



    • Andrew Crowe

      #3
      actually thinking about it

      What you could do is add a hash to any links, eg.

      <a href="mysite.com?action=edit&id=55&hash=74F4980E2938CDF">

      This would be a quick way of stopping users editing the id parameter, but
      you couldn't use it to validate any user form data

      --
      Regards,
      Andrew Crowe



      • Golf Nut

        #4
        Re: actually thinking about it

        Andrew,

        Thanks for your thoughts and comments!

        What you're talking about below is actually what I'm working on. Below is
        some sample code from a class I've created:


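        function pc_encode($data)
        {
            $secret = $_SESSION["secret"];

            $data = base64_encode(serialize($data));
            // Use the local $secret: $this->$secret reads a property named
            // after the secret's value, so the hash would not include the secret.
            $hash = md5($secret . $data);

            return array($data, $hash);
        }

        function pc_decode($data, $hash)
        {
            $secret = $_SESSION["secret"];

            if (!empty($data) && !empty($hash))
            {
                // Strict comparison: == treats two "0e..." digests as equal numbers.
                if (md5($secret . $data) === $hash)
                {
                    return unserialize(base64_decode($data));
                }
                else
                {
                    error_log("Validation Error: data has been modified!!");
                    return false;
                }
            }

            return false;
        }

        function MakeGetString($string)
        {
            list($data, $hash) = $this->pc_encode($string);

            // base64 output can contain '+', '/' and '=', so encode it for the URL.
            $getstring = "d=" . urlencode($data) . "&h=$hash";

            return $getstring;
        }

        function CheckGetString()
        {
            // Missing parameters are treated as empty and rejected by pc_decode().
            $data = isset($_GET['d']) ? $_GET['d'] : '';
            $hash = isset($_GET['h']) ? $_GET['h'] : '';

            if (! $data = $this->pc_decode($data, $hash))
                return false;
            else
                return $data;
        }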

        And now some code that's actually on the php script page (mind you I'm using
        Smarty templating). Remember this is a rough rendition before profiling and
        cleaning up, so excuse the messy code! :)



        $getstringarray = array('m','a','d','s');
        $newstringarray = array();
        foreach ($getstringarray as $gmode) {
            $newstring = $gmode;
            $encstring = $insurancequotelib->MakeGetString($newstring);
            $newstringarray[$gmode] = $encstring;
        }
        print_r($newstringarray);
        $smarty->assign('getstring', $newstringarray);

        Then I use the Smarty template to, in this case, have the following in my
        link: <a href=page.php?{$getstring.m}> for example. I'm using a random
        string using time(), etc., to create the $secret used in the code above and
        save it in $_SESSION["secret"]. I would like to extend this to encapsulate
        post data as well, I suppose saving it to hidden form fields using d and h
        as above for GET data, the d field containing the serialized data and h the
        hash.

        Any thoughts about this? Again, TIA!!

        GN


        "Andrew Crowe" <andrewcrowe_uk@yahoo.co.uk> wrote in message
        news:40b389c2$0$8110$afc38c87@news.easynet.co.uk...
        > What you could do is add a hash to any links, eg.
        >
        > <a href="mysite.com?action=edit&id=55&hash=74F4980E2938CDF">
        >
        > This would be a quick way of stopping users editing the id parameter, but
        > you couldn't use it to validate any user form data
        >
        > --
        > Regards,
        > Andrew Crowe
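
Added example, not code from the thread: the same signed `d`/`h` link scheme built on `hash_hmac()` and `hash_equals()`, with JSON in place of `serialize()` so that decoding never instantiates objects. The class name `SignedParams` and the sample parameters are hypothetical; a valid signature shows the link was not altered, it does not replace the permission check on the record.

```php
<?php
// Added example; SignedParams is a hypothetical class name.
final class SignedParams
{
    private string $key;

    public function __construct(string $key)
    {
        $this->key = $key;
    }

    /** Build "d=<payload>&h=<mac>" for use in a link or two hidden fields. */
    public function encode(array $params): string
    {
        $d = base64_encode(json_encode($params));
        $h = hash_hmac('sha256', $d, $this->key);
        return 'd=' . rawurlencode($d) . '&h=' . $h;
    }

    /** Return the parameters, or null if the payload or MAC was altered. */
    public function decode($d, $h): ?array
    {
        if (!is_string($d) || !is_string($h)) {
            return null;
        }
        // Verify before decoding; hash_equals() compares in constant time.
        if (!hash_equals(hash_hmac('sha256', $d, $this->key), $h)) {
            return null;
        }
        $json = base64_decode($d, true);
        $params = $json === false ? null : json_decode($json, true);
        return is_array($params) ? $params : null;
    }
}

// In the application the key would be created once per session, e.g.
//   $_SESSION['secret'] = $_SESSION['secret'] ?? random_bytes(32);
$signer = new SignedParams(random_bytes(32));
parse_str($signer->encode(['action' => 'edit', 'id' => 55]), $q);

// Constructed tampering: the MAC is reused with a payload for another id.
$forged = base64_encode(json_encode(['action' => 'edit', 'id' => 56]));

var_dump($signer->decode($q['d'], $q['h']));   // untouched link
var_dump($signer->decode($forged, $q['h']));   // payload changed
var_dump($signer->decode($q['d'], 'abc'));     // MAC changed
```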



        • Chung Leong

          #5
          Re: want to create a session class

          "Golf Nut" <trippsathyperconcom-golfnut@yahoo.com> wrote in message
          news:_LKsc.8868$Tn6.3252@newsread1.news.pas.earthlink.net...
          >
          > I am also doing this to make sure that, if in my code I'm performing simple
          > functions like mysite.com?action=edit&id=55, that someone doesn't
          > arbitrarily mess with the id or action, since this URL would be rewritten
          > and/or passed solely using the GET string in the $_SESSION as described
          > above.

          You don't need to do any of that secret or validation stuff at all.
          Since you're relying on session, just store the variables in the session and
          not pass the data through GET. Example:

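          echo '<a href="/somescript.php?' . SaveGetParam("action=edit&id=55") .
               '">Edit</a>';

          function SaveGetParam($get) {
              // Keep the real query string server-side; the link carries only its key.
              $md5 = md5($get);
              $_SESSION['SAVED_GET_PARAM'][$md5] = $get;
              return "key=$md5";
          }

          function RestoreGetParam() {
              $md5 = isset($_GET['key']) ? $_GET['key'] : '';
              // Only keys this session has issued are accepted.
              if (!is_string($md5) || !isset($_SESSION['SAVED_GET_PARAM'][$md5])) {
                  return false;
              }
              parse_str($_SESSION['SAVED_GET_PARAM'][$md5], $_GET);
              return true;
          }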




          • Golf Nut

            #6
            Re: want to create a session class

            Chung,

            Thanks for the fantastic advice! It works like a charm - I don't know why
            this didn't occur to me before!

            Now I suppose what I can do is create a marshalling script of sorts that
            handles all redirects and I can actually incorporate the actual script to
            run within the encoded string, e.g.,
            SaveGetParam("script=users.php&action=edit&id=100") and then let the
            marshall script reference (e.g., redirect.php? . SaveGet...) invoke the
            script to execute.

            How would you suggest to incorporate this methodology into the subsequent
            edit form which would contain post data and subsequently the id of the
            current record? Something like <input type=hidden name=id
            value="SaveGetParam("id=100")">? The invoked form method would then parse
            this value and perform the necessary function, correct?

            Thanks again!

            Regards,

            GN

            "Chung Leong" <chernyshevsky@hotmail.com> wrote in message
            news:ocGdncZCRLCMdy7d4p2dnA@comcast.com...
            > "Golf Nut" <trippsathyperconcom-golfnut@yahoo.com> wrote in message
            > news:_LKsc.8868$Tn6.3252@newsread1.news.pas.earthlink.net...
            > >
            > > I am also doing this to make sure that, if in my code I'm performing simple
            > > functions like mysite.com?action=edit&id=55, that someone doesn't
            > > arbitrarily mess with the id or action, since this URL would be rewritten
            > > and/or passed solely using the GET string in the $_SESSION as described
            > > above.
            >
            > You don't need to do any of that secret or validation stuff at all.
            > Since you're relying on session, just store the variables in the session and
            > not pass the data through GET. Example:
            >
            > echo '<a href="/somescript.php?' . SaveGetParam("action=edit&id=55") .
            > '">Edit</a>';
            >
            > function SaveGetParam($get) {
            > $md5 = md5($get);
            > $_SESSION['SAVED_GET_PARAM'][$md5] = $get;
            > return "key=$md5";
            > }
            >
            > function RestoreGetParam() {
            > $md5 = $_GET['key'];
            > $get = $_SESSION['SAVED_GET_PARAM'][$md5];
            > parse_str($get, $_GET);
            > }
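
Added example, not code from the thread: a variant of the session lookup quoted above that issues random handles instead of `md5()` of the parameters and covers the hidden-form-field case asked about in the last post. `saveParams`, `restoreParams`, the `SAVED_PARAMS` key and the sample form are hypothetical names; a plain array stands in for the session so the script also runs from the command line.

```php
<?php
// Added example. In a web request call session_start() instead of the next line.
$_SESSION = [];

/** Store $params server-side and return an unguessable handle for them. */
function saveParams(array $params): string
{
    $handle = bin2hex(random_bytes(16));
    $_SESSION['SAVED_PARAMS'][$handle] = $params;
    return $handle;
}

/** Look a handle up; null for anything this session never issued. */
function restoreParams($handle, bool $oneTime = false): ?array
{
    if (!is_string($handle) || !isset($_SESSION['SAVED_PARAMS'][$handle])) {
        return null;
    }
    $params = $_SESSION['SAVED_PARAMS'][$handle];
    if ($oneTime) {
        // For forms that should be accepted once only.
        unset($_SESSION['SAVED_PARAMS'][$handle]);
    }
    return $params;
}

// Link: the URL carries only the handle, never action or id.
$link = '/somescript.php?key=' . saveParams(['action' => 'edit', 'id' => 55]);

// Form: the record id stays in the session; editable fields travel as usual
// and still need normal validation on the server.
$formKey = saveParams(['id' => 100]);
$form = '<form method="post" action="/users.php">'
      . '<input type="hidden" name="key" value="' . htmlspecialchars($formKey, ENT_QUOTES) . '">'
      . '<input type="text" name="email"></form>';
echo $link, "\n", $form, "\n";

// Constructed POST bodies: a genuine submission and one with an altered key.
$genuine = ['key' => $formKey, 'email' => 'a@example.com'];
$altered = ['key' => str_repeat('0', 32), 'email' => 'a@example.com'];

var_dump(restoreParams($genuine['key'], true)); // first use of the one-time handle
var_dump(restoreParams($genuine['key'], true)); // same handle submitted again
var_dump(restoreParams($altered['key']));       // handle this session never issued
```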

