PHP Classes

Secure Session: Prevent session hijacking or session fixation

Description 

This class can be used to prevent security attacks known as session hijacking and session fixation.

When a session is initialized, the class computes a fingerprint string that takes into account the browser user agent string, the user agent's IP address (or part of it) and a secret word. If the fingerprint value changes, it is very likely that the session was hijacked and it should no longer be accepted.

To prevent session fixation attacks, the class calls the PHP session_regenerate_id() function so the session identifier changes every time the session is checked.
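The same mechanism in plain PHP, as an added example that is not the securesession class's own code; the function names, the FP_SECRET placeholder and the choice of keeping only two IPv4 octets (to reduce false alarms for clients whose address changes behind proxies) are assumptions made here:

```php
<?php
// Added example: a minimal session guard built on the idea described above
// (client fingerprint + identifier regeneration). Names and settings are
// assumptions for this example, not the securesession class's API.
const FP_SECRET = 'replace-with-a-long-random-secret'; // placeholder, keep out of VCS
const FP_IP_OCTETS = 2; // how many leading IPv4 octets to bind; 3 is stricter

function session_fingerprint(string $userAgent, string $ip, string $secret, int $octets = FP_IP_OCTETS): string
{
    // Only a prefix of the address is used, so a legitimate user whose
    // proxy pool or carrier rotates the last octet(s) is not locked out.
    // Assumes IPv4; an IPv6 address is used whole.
    $prefix = strpos($ip, ':') === false
        ? implode('.', array_slice(explode('.', $ip), 0, $octets))
        : $ip;
    // Keyed hash: knowing the user agent and IP alone is not enough to
    // forge the value stored in the session.
    return hash_hmac('sha256', $userAgent . '|' . $prefix, $secret);
}

function secure_session_start(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $fp = session_fingerprint(
        $_SERVER['HTTP_USER_AGENT'] ?? '',
        $_SERVER['REMOTE_ADDR'] ?? '',
        FP_SECRET
    );

    if (!isset($_SESSION['__fp'])) {
        // First request for this session: bind it to the current client.
        $_SESSION['__fp'] = $fp;
    } elseif (!hash_equals($_SESSION['__fp'], $fp)) {
        // Mismatch: treat as a probable hijack, drop the session data and
        // let the caller send the user back to the login page.
        $_SESSION = [];
        session_destroy();
        return false;
    }

    // Rotate the identifier on every check, so an identifier fixed by a
    // third party before login is never the one that ends up authenticated.
    session_regenerate_id(true);
    return true;
}
```

Call secure_session_start() at the top of every page that relies on the session and redirect to login when it returns false.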

Innovation Award
PHP Programming Innovation award nominee
January 2006
Number 2


Prize: One book of choice by O'Reilly
Sessions have become one of the possible features that can be exploited to perform security attacks on PHP sites.

Sessions are not insecure by themselves, but if they are not used with a certain care, they may be eventually abused by malicious users.

Session hijacking abuses can happen when somebody with privileged network access can sniff traffic that goes to a potential victim site. Session fixation abuses can happen when a site uses the same session identifier for the same user before and after he authenticates to log in.

This class provides a solution to prevent these kinds of session abuses, so that PHP sites that use sessions do not become compromised.

Manuel Lemos
Author
Name: Vagharshak Tozalakyan
Classes: 22 packages
Country: United States
Age: 45
Innovation award nominee: 7x

Files (3)
File                      Role     Description
sample/index.php          Example  Sample
sample/login.php          Example  Sample
securesession.class.php   Class    Source

The PHP Classes site has supported package installation using the Composer tool since 2013, as you may verify by reading this instructions page.
User Comments (7)
Absolutely great work.
13 years ago (Can Berk)
70%StarStarStarStar
Not the most secure way of doing things possible, but provide...
13 years ago (troy knapp)
67%StarStarStarStar
just wanted to say thanks for sharing the hard work(& update)!
14 years ago (James S)
65%StarStarStarStar
Very nicely done.
15 years ago (Michael A. Peters)
70%StarStarStarStar
does not properly handle users behind proxy servers
16 years ago (david saez)
52%StarStarStar
Great script.
16 years ago (Dennis Granger)
70%StarStarStarStar
thanks
16 years ago (calvin)
35%StarStar