消息
创作中心
duanmei4149 2011-07-26 23:16
浏览 72
已采纳

混淆(如果有的话)$ _SESSION和$ _COOKIE变量?

Hi folks would really appreciate your help in answering this rather involved question. Please don't dismiss me on length, I promise it's an easy to comprehend read!

When and how should you obfuscate (if at all) $_SESSION and $_COOKIE variables in context to login.php and login_validation.php for the following membership based website?

This membership based website is written in php and uses mysql as its relational database.

login.php

  1. <?php
  2. //Connect to database
  3. $email = $_POST['email'];   //from a text field
  4. $password = $_POST['password']; //from a password field
  5. $password= md5($password);
  6. $stayLoggedIn= $_POST['stayLoggedIn'];  //from a checkbox, value="yes" for checked, value="no" for unchecked
  7.  
  8. $sql = "SELECT id 
  9.         FROM users
  10.         WHERE email='$email' AND password='$password'";
  11.  
  12. $query=mysql_query($sql);
  13.  
  14. if(mysql_num_rows($query)==1){
  15.     $row = mysql_fetch_array($query);
  16.     $id = $row["id"];   
  17.     $encodedID_session= base64_encode("iofj4983rn9dh83$id");
  18.     $_SESSION['id'] =$encodedID_session;
  19.  
  20.     if($stayLoggedIn== 'yes'){
  21.         $encodedID_cookie=base64_encode("dj02359t5ng842$id");
  22.         setcookie("idCookie", $encodedID_cookie, time()+60*60*24*7, "/");
  23.         setcookie("passwordCookie", $password, time()+60*60*24*7, "/");
  24.     }
  25.  }
  26. ?>

He has a file called login_validation.php which goes at the top of every single page of the website (except login.php).

login_validation.php

first it decodes the session and cookie variables if they are set (example for decoding session variable below)

  1. $decodedID = base64_decode($_SESSION['id']);
  2. $array = explode("iofj4983rn9dh83", $decodedID);
  3. $id = $array[1];

Then it does only one of the following:

  • if the session AND cookie are not set it displays the header "You are not logged in"
  • if the session is set, it queries mysql to find the name of the person in the same row as his or her id and displays the personalized header "You are logged in, welcome Bonzo!"
  • if the session is not set but the cookies are set (ex. user selected stayLoggedIn, shut down his computer, and opened up a fresh browser) it queries mysql to find the name of the person in the same row as his or her id and displays the personalized header "You are logged in, welcome Bonzo!"

The developer has done a few things which I left me a little confused like obfuscating a session variable, or obfuscating two (instead of one) cookie. Also his method of obfuscation using base64 seems vulnerable to threat if someone got a hold of his nonsense strings he appends.

When and how should you obfuscate (if at all) $_SESSION and $_COOKIE variables in context to login.php and login_validation.php for this membership based website?

Thank you, thank you!

EDIT: Just to clarify I did not pay anyone for this code, instead I'm trying to learn php and got this code from a php tutorial which looked like it could be improved.

EDIT 2: The password is now hashed before validation

展开全部

  • 写回答

1条回答 默认 最新

  • duanli12176 2011-07-26 23:33
    关注

    You don't need to obfuscate anything stored in the _SESSION variable. It is not sent to the client, so you can trust it with sensitive information.

    I would recommend that you generate and store a unique authentication token for each logged in user. PHP will maintain the session even after a user has logged out (PHP doesn't know about "logging in" and "logging out"), so keep the idCookie and store it's value along with the user id, for example:

    1. if ($stayLoggedIn) {
    2.     $token = sha256(generateRandomNumber());
    3.     $_SESSION["token"] = $token;
    4.     $_SESSION["userid"] = $id;
    5.     setcookie("authenticationtoken", $token, ...)
    6. }

    When you are verifying authentication check that the "authenticationtoken" cookie matches the stored session variable. The authentication token must be random and never re-used. When a user logs out unset the session's "token" and "userid" variables.

    The way you have it right now means an attacker can watch the cookies going past over the wire and do a simple reverse md5 lookup (rainbow tables for alphanumeric strings are pretty easy to generate) to obtain a user's password. The attacker can also easily guess other users' session ids.

    Remember to use https everywhere to prevent cookie stealing. If you are sending authentication tokens over http then you might as well not bother even checking passwords (think Firesheep).

    Also, and this is important, don't store cleartext passwords in your database. You should use something like bcrypt (there's a function for it in PHP) for password storage. If an attacker compromises your database then they have obtained all your users' passwords. This is A Bad Thing (think Playstation Network).

    As important: Make sure you sanitize user input. Don't just pass user input straight to the database. You need to properly escape any special SQL characters, otherwise you are vulnerable to SQL injection.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
编辑
预览

报告相同问题?

手机看
程序员都在用的中文IT技术交流社区

程序员都在用的中文IT技术交流社区

专业的中文 IT 技术社区,与千万技术人共成长

专业的中文 IT 技术社区,与千万技术人共成长

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

 客服 返回
顶部