Community

The community grew out of a desire to give readers some extra features as a thank you for their contributions. Join us to syndicate your own blog on the front page, display your comment history and blog posts via your profile, and reserve your name.

Latest Comments

1. Sujoy said:

Chris, this is the first time I'm visiting your blog! Your 2009 Highlights is really great! Fantastic work! I'm a newbie you can say in PHP and need to learn a lot! So your blog seems one of the useful resources for me! Please feel free to visit my blog http://hiredevelopers.wordpress.com/

Posted In 2009 Highlights.

Mon, 08 Feb 2010 at 09:50:01 GMT


2. Giovanni said:

Hi Chris!

First of all, my personal thanks for all your articles about PHP security! They're really useful and easy to read ;)

I have a question about a portion of the code that you wrote:

if (md5($_SERVER['HTTP_USER_AGENT']) != $_SESSION['HTTP_USER_AGENT'])

So, can I be sure that HTTP_USER_AGENT is always sent by the browser? Why not use the IP of the user, with $_SERVER['REMOTE_ADDR']?

And then, could it be more secure if I save it in a DB and then check the session value against the one in the DB?

Thanks for all!!!

Giovanni

Posted In The Truth about Sessions.

Wed, 20 Jan 2010 at 09:33:31 GMT


3. Chris Shiflett said:

Thanks, John. Friendly and trustworthy are high compliments. Much appreciated. :-)

Sorry about the OpenID implementation, Stelian. I'm busy right now with Analog, so fixing that's not a priority, but I do plan to fix it pretty soon. I'll try to also add a way for people to claim old comments when I do, or I can at least do it manually for you.

I love Arsenal's style, Radoslav, and it was super fun to be able to see a match. I don't own a TV, and I rarely get the chance to see them play at all, so it was a real treat to see them in person. That was my first (and so far, only) Premiership match.

Thanks for commenting. :-)

Posted In 2009 Highlights.

Sat, 16 Jan 2010 at 23:42:04 GMT


4. Eric B said:

Hi Chris,

Thanks for this clean, concise article on this topic. You are a life saver!

-E

Posted In Guru Speak: Storing Sessions in a Database.

Fri, 15 Jan 2010 at 18:53:11 GMT


5. Radoslav Stankov said:

Wow, it looks like 2009 wasn't a very boring year.

P.S. I didn't know you too are an Arsenal fan.

Posted In 2009 Highlights.

Fri, 15 Jan 2010 at 15:47:34 GMT


6. Stelian said:

Great and full year. Thank you for the last seven years of PHP insight, and looking forward to an even greater 2010.

PS: fix the openIDs please and you have a pending mail from me, heh :)

Posted In 2009 Highlights.

Fri, 15 Jan 2010 at 07:38:33 GMT


7. John Herren said:

Kudos, Chris. It's so good to have friendly, trustworthy people like yourself to learn from. Best of luck with Analog and the new year.

Posted In 2009 Highlights.

Fri, 15 Jan 2010 at 06:21:40 GMT


8. Chris Shiflett said:

Hi Jhon,

I'm using a simple technique I describe in another post:

Allowing HTML and Preventing XSS

Hope that helps!

Posted In XSS Cheatsheet.

Fri, 15 Jan 2010 at 02:38:34 GMT


9. Chris Shiflett said:

Hi again, mh,

I see what you're thinking now. Creating a fingerprint isn't very useful if you're just going to use it to make sure some HTTP headers remain consistent. For that, you can simply compare those values, and there's no reason to use md5() or salting at all.

This technique, which is valid but a little outdated, is to create a fingerprint that is stored on both the client and the server. It is passed using a different method of propagation than the cookie, so that even if the cookie and all HTTP headers are captured by an attacker, they cannot be replayed to hijack the session. Something extra is needed.

The real purpose of the article is to help you understand how sessions work, what some of the potential weaknesses are, and how you can enhance it slightly to complicate some of the more common attacks.

I'm more fond of trending these days, where you record trends in a particular user's requests and use that to detect anomalies in behavior. If you get the balance right, session hijacking becomes very difficult, and legitimate users aren't constantly being prompted for their password.

Hope this helps.

Posted In The Truth about Sessions.

Fri, 15 Jan 2010 at 02:29:23 GMT
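The comment above describes a fingerprint that is held on the server and handed to the client through a channel other than the session cookie, so that a captured cookie alone cannot resume the session. The following is an added example of that check in PHP; it is not code from the original comment or from Chris Shiflett's article. It swaps md5() for a salted SHA-256 and a constant-time comparison, and the salt constant, the hidden form field as the second channel, and the function names are assumptions made for this example.

```php
<?php
// Added example (not from the original post or article): a session
// fingerprint kept in $_SESSION and echoed back to the client through a
// hidden form field rather than the session cookie, so that replaying the
// cookie and HTTP headers alone is not enough to continue the session.

session_start();

const FINGERPRINT_SALT = 'replace-with-a-long-random-secret'; // assumed placeholder

function make_fingerprint(): string
{
    // Bind the token to this session id and the server-side salt. The
    // User-Agent is mixed in only for consistency; it is not the safeguard.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', FINGERPRINT_SALT . $ua . session_id());
}

function issue_fingerprint(): string
{
    $token = make_fingerprint();
    $_SESSION['fingerprint'] = $token;  // server-side copy
    return $token;                      // client-side copy travels in the form
}

function fingerprint_valid(?string $submitted): bool
{
    if (!isset($_SESSION['fingerprint']) || $submitted === null) {
        return false;
    }
    // hash_equals() compares in constant time to avoid timing leaks.
    return hash_equals($_SESSION['fingerprint'], $submitted);
}

// Protected request: the token must arrive in POST, not in the cookie.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!fingerprint_valid($_POST['fingerprint'] ?? null)) {
        session_regenerate_id(true);     // drop the suspect session id
        unset($_SESSION['fingerprint']);
        http_response_code(403);
        exit('Session fingerprint mismatch; please log in again.');
    }
}

$token = issue_fingerprint();
echo '<form method="post" action="">'
   . '<input type="hidden" name="fingerprint" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
   . '<button type="submit">Continue</button></form>';
```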


10. mh said:

No, but it seems you are.

Okay, then please help me to understand you right. I made several points that you might want to comment on.

Let's start with my first point, storage of session data. You suggest using $_SESSION['fingerprint'] = md5($fingerprint . session_id()); and your article assumes, this data is stored on the client's side. I'd say, this assumption is wrong. The fingerprint data is stored on the server.

Posted In The Truth about Sessions.

Mon, 11 Jan 2010 at 06:34:58 GMT

