duanmei4149 2011-07-27 07:16
浏览 72
已采纳

混淆(如果有的话)$ _SESSION和$ _COOKIE变量?

Hi folks would really appreciate your help in answering this rather involved question. Please don't dismiss me on length, I promise it's an easy to comprehend read!

When and how should you obfuscate (if at all) $_SESSION and $_COOKIE variables in context to login.php and login_validation.php for the following membership based website?

This membership based website is written in php and uses mysql as its relational database.

login.php

<?php
//Connect to database
$email = $_POST['email'];   //from a text field
$password = $_POST['password']; //from a password field
$password= md5($password);
$stayLoggedIn= $_POST['stayLoggedIn'];  //from a checkbox, value="yes" for checked, value="no" for unchecked

$sql = "SELECT id 
        FROM users
        WHERE email='$email' AND password='$password'";

$query=mysql_query($sql);

if(mysql_num_rows($query)==1){
    $row = mysql_fetch_array($query);
    $id = $row["id"];   
    $encodedID_session= base64_encode("iofj4983rn9dh83$id");
    $_SESSION['id'] =$encodedID_session;

    if($stayLoggedIn== 'yes'){
        $encodedID_cookie=base64_encode("dj02359t5ng842$id");
        setcookie("idCookie", $encodedID_cookie, time()+60*60*24*7, "/");
        setcookie("passwordCookie", $password, time()+60*60*24*7, "/");
    }
 }
?>

He has a file called login_validation.php which goes at the top of every single page of the website (except login.php).

login_validation.php

first it decodes the session and cookie variables if they are set (example for decoding session variable below)

$decodedID = base64_decode($_SESSION['id']);
$array = explode("iofj4983rn9dh83", $decodedID);
$id = $array[1];

Then it does only one of the following:

  • if the session AND cookie are not set it displays the header "You are not logged in"
  • if the session is set, it queries mysql to find the name of the person in the same row as his or her id and displays the personalized header "You are logged in, welcome Bonzo!"
  • if the session is not set but the cookies are set (ex. user selected stayLoggedIn, shut down his computer, and opened up a fresh browser) it queries mysql to find the name of the person in the same row as his or her id and displays the personalized header "You are logged in, welcome Bonzo!"

The developer has done a few things which I left me a little confused like obfuscating a session variable, or obfuscating two (instead of one) cookie. Also his method of obfuscation using base64 seems vulnerable to threat if someone got a hold of his nonsense strings he appends.

When and how should you obfuscate (if at all) $_SESSION and $_COOKIE variables in context to login.php and login_validation.php for this membership based website?

Thank you, thank you!

EDIT: Just to clarify I did not pay anyone for this code, instead I'm trying to learn php and got this code from a php tutorial which looked like it could be improved.

EDIT 2: The password is now hashed before validation

  • 写回答

1条回答 默认 最新

  • duanli12176 2011-07-27 07:33
    关注

    You don't need to obfuscate anything stored in the _SESSION variable. It is not sent to the client, so you can trust it with sensitive information.

    I would recommend that you generate and store a unique authentication token for each logged in user. PHP will maintain the session even after a user has logged out (PHP doesn't know about "logging in" and "logging out"), so keep the idCookie and store it's value along with the user id, for example:

    if ($stayLoggedIn) {
    $token = sha256(generateRandomNumber());
    $_SESSION["token"] = $token;
    $_SESSION["userid"] = $id;
    setcookie("authenticationtoken", $token, ...)
}

    When you are verifying authentication check that the "authenticationtoken" cookie matches the stored session variable. The authentication token must be random and never re-used. When a user logs out unset the session's "token" and "userid" variables.

    The way you have it right now means an attacker can watch the cookies going past over the wire and do a simple reverse md5 lookup (rainbow tables for alphanumeric strings are pretty easy to generate) to obtain a user's password. The attacker can also easily guess other users' session ids.

    Remember to use https everywhere to prevent cookie stealing. If you are sending authentication tokens over http then you might as well not bother even checking passwords (think Firesheep).

    Also, and this is important, don't store cleartext passwords in your database. You should use something like bcrypt (there's a function for it in PHP) for password storage. If an attacker compromises your database then they have obtained all your users' passwords. This is A Bad Thing (think Playstation Network).

    As important: Make sure you sanitize user input. Don't just pass user input straight to the database. You need to properly escape any special SQL characters, otherwise you are vulnerable to SQL injection.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 安卓adb backup备份应用数据失败
  • ¥15 eclipse运行项目时遇到的问题
  • ¥15 关于#c##的问题:最近需要用CAT工具Trados进行一些开发
  • ¥15 南大pa1 小游戏没有界面,并且报了如下错误,尝试过换显卡驱动,但是好像不行
  • ¥15 没有证书,nginx怎么反向代理到只能接受https的公网网站
  • ¥50 成都蓉城足球俱乐部小程序抢票
  • ¥15 yolov7训练自己的数据集
  • ¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)(相关搜索:51单片机|单片机|测试代码)
  • ¥15 电力市场出清matlab yalmip kkt 双层优化问题
  • ¥30 ros小车路径规划实现不了,如何解决?(操作系统-ubuntu)