Prevent session hijacking, fixation, injection, etc












1














I'm creating a login system and I have been reading a lot about the security measures needed to prevent session hijacking, fixation, and injection attacks, etc. These two Stack Overflow posts were particularly helpful: Link Link 2



Below is my login system so far. Have I sufficiently protected myself against attacks?



  <?php 

// convert password to hash
function passwordHash($string) {
return password_hash($string, PASSWORD_DEFAULT);
}

// compare password to hash
function passwordVerify($string, $hash) {
return password_verify($string, $hash);
}


// authenticate login password
function login($submitted_password, $password, $username) {
global $link;

if(passwordVerify($submitted_password, $password)) {
ini_set('session.use_trans_sid', FALSE);
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool');
ini_set('session.use_only_cookies', TRUE);
ini_set('session.cookie_httponly', TRUE);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.cookie_secure', TRUE);
session_start();

$link->query("SELECT id, password, username, user_level FROM users WHERE username = :username");
$link->bind(':username', $username);
$link->execute();
$row = $link->getOneRow();
$link->closeStream();

$id = $row['id'];
$username = $row['username'];
$user_level = $row['user_level'];

$_SESSION['userID'] = $id;
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $user_level;
$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];

// store in db to use in page_protect()
$user_ip = $_SERVER['REMOTE_ADDR'];
$useragent_hash = passwordHash($_SESSION['HTTP_USER_AGENT']);

$link->query("UPDATE users SET user_ip = :user_ip, useragent_hash = :useragent_hash WHERE id = :id");
$link->bind(':user_ip', $user_ip);
$link->bind(':useragent_hash', $useragent_hash);
$link->bind(':id', $id);
$link->execute();
$link->closeStream();
header("Location: dashboard.php");
exit();
} else {
$error = "Username or password error"; // password fails
}
}


// function called by every page requiring you to be logged in
function page_protect() {
global $link;

if (session_status() == PHP_SESSION_NONE) {
session_start();
}

if(!isset($_SESSION['user_ip']) || $_SESSION['user_ip'] != $_SERVER['REMOTE_ADDR']) {
logout();
exit();
}

// referenced in question #5 below
if (!isset($_SESSION['HTTP_USER_AGENT']) || $_SERVER['HTTP_USER_AGENT'] != $_SESSION['HTTP_USER_AGENT']) {
logout();
exit();
}

// check that IP address/useragent hash stored in db at login match current session variables
$link->query("SELECT useragent_hash, user_ip FROM users WHERE username = :username");
$link->bind(':username', $_SESSION['username']);
$link->execute();
$row = $link->getOneRow();
$link->closeStream();

$user_ip = $row['user_ip'];
$useragent_hash = $row['useragent_hash'];

if($_SESSION['user_ip'] != $user_ip || !passwordVerify($_SESSION['HTTP_USER_AGENT'], $useragent_hash)) {
logout();
exit();
}

session_regenerate_id(true);
}


function logout() {
if (session_status() == PHP_SESSION_NONE) {
session_start();
}

unset($_SESSION);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}

?>


1) Am I missing anything or does anything look wrong?



2) I'm not sure I'm using session_regenerate_id() in a good spot. I know it needs to be called periodically, so I figured every time a protected page is called would be good.



3) All of the ini_set's only appear before the session_start() in the login function. However, the top of each page protected with page_protect() has a session_start(). Should it be preceded by all of the same ini_set's on every page, or once they're set during the initial login, they stay set?



4) Should I remove this line? ini_set('session.cookie_lifetime', 1200); That would require the user to login again after 20 minutes. I think it would be good to log the user out after 20 minutes of inactivity, but not after 20 minutes of moving around the site.



5) In page_protect, when I check the ip and user agent hash, should I use && instead of ||? If both conditions are met, something is definitely amiss.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 1




    Welcome to Code Review! Can you just post your code, as is, without inserting so much of your commentary into it? It's hard to see the context of the code you're asking us to review, otherwise.
    – 200_success
    2 hours ago










  • You are allowed to edit your post multiple times, but it's generally discouraged because it may make potential answers outdated, and it's not allowed after your question receives an answer. If you're still editing the code in question, you might consider deleting this question and then undeleting it when you've arrived at your final version.
    – Graham
    53 mins ago










  • Done! Mostly for readability.
    – John
    51 mins ago
















1














I'm creating a login system and I have been reading a lot about the security measures needed to prevent session hijacking, fixation, and injection attacks, etc. These two Stack Overflow posts were particularly helpful: Link Link 2



Below is my login system so far. Have I sufficiently protected myself against attacks?



  <?php 

// convert password to hash
function passwordHash($string) {
return password_hash($string, PASSWORD_DEFAULT);
}

// compare password to hash
function passwordVerify($string, $hash) {
return password_verify($string, $hash);
}


// authenticate login password
function login($submitted_password, $password, $username) {
global $link;

if(passwordVerify($submitted_password, $password)) {
ini_set('session.use_trans_sid', FALSE);
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool');
ini_set('session.use_only_cookies', TRUE);
ini_set('session.cookie_httponly', TRUE);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.cookie_secure', TRUE);
session_start();

$link->query("SELECT id, password, username, user_level FROM users WHERE username = :username");
$link->bind(':username', $username);
$link->execute();
$row = $link->getOneRow();
$link->closeStream();

$id = $row['id'];
$username = $row['username'];
$user_level = $row['user_level'];

$_SESSION['userID'] = $id;
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $user_level;
$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];

// store in db to use in page_protect()
$user_ip = $_SERVER['REMOTE_ADDR'];
$useragent_hash = passwordHash($_SESSION['HTTP_USER_AGENT']);

$link->query("UPDATE users SET user_ip = :user_ip, useragent_hash = :useragent_hash WHERE id = :id");
$link->bind(':user_ip', $user_ip);
$link->bind(':useragent_hash', $useragent_hash);
$link->bind(':id', $id);
$link->execute();
$link->closeStream();
header("Location: dashboard.php");
exit();
} else {
$error = "Username or password error"; // password fails
}
}


// function called by every page requiring you to be logged in
function page_protect() {
global $link;

if (session_status() == PHP_SESSION_NONE) {
session_start();
}

if(!isset($_SESSION['user_ip']) || $_SESSION['user_ip'] != $_SERVER['REMOTE_ADDR']) {
logout();
exit();
}

// referenced in question #5 below
if (!isset($_SESSION['HTTP_USER_AGENT']) || $_SERVER['HTTP_USER_AGENT'] != $_SESSION['HTTP_USER_AGENT']) {
logout();
exit();
}

// check that IP address/useragent hash stored in db at login match current session variables
$link->query("SELECT useragent_hash, user_ip FROM users WHERE username = :username");
$link->bind(':username', $_SESSION['username']);
$link->execute();
$row = $link->getOneRow();
$link->closeStream();

$user_ip = $row['user_ip'];
$useragent_hash = $row['useragent_hash'];

if($_SESSION['user_ip'] != $user_ip || !passwordVerify($_SESSION['HTTP_USER_AGENT'], $useragent_hash)) {
logout();
exit();
}

session_regenerate_id(true);
}


function logout() {
if (session_status() == PHP_SESSION_NONE) {
session_start();
}

unset($_SESSION);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}

?>


1) Am I missing anything or does anything look wrong?



2) I'm not sure I'm using session_regenerate_id() in a good spot. I know it needs to be called periodically, so I figured every time a protected page is called would be good.



3) All of the ini_set's only appear before the session_start() in the login function. However, the top of each page protected with page_protect() has a session_start(). Should it be preceded by all of the same ini_set's on every page, or once they're set during the initial login, they stay set?



4) Should I remove this line? ini_set('session.cookie_lifetime', 1200); That would require the user to login again after 20 minutes. I think it would be good to log the user out after 20 minutes of inactivity, but not after 20 minutes of moving around the site.



5) In page_protect, when I check the ip and user agent hash, should I use && instead of ||? If both conditions are met, something is definitely amiss.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 1




    Welcome to Code Review! Can you just post your code, as is, without inserting so much of your commentary into it? It's hard to see the context of the code you're asking us to review, otherwise.
    – 200_success
    2 hours ago










  • You are allowed to edit your post multiple times, but it's generally discouraged because it may make potential answers outdated, and it's not allowed after your question receives an answer. If you're still editing the code in question, you might consider deleting this question and then undeleting it when you've arrived at your final version.
    – Graham
    53 mins ago










  • Done! Mostly for readability.
    – John
    51 mins ago














1












1








1







I'm creating a login system and I have been reading a lot about the security measures needed to prevent session hijacking, fixation, and injection attacks, etc. These two Stack Overflow posts were particularly helpful: Link Link 2



Below is my login system so far. Have I sufficiently protected myself against attacks?



  <?php 

// convert password to hash
function passwordHash($string) {
return password_hash($string, PASSWORD_DEFAULT);
}

// compare password to hash
function passwordVerify($string, $hash) {
return password_verify($string, $hash);
}


// authenticate login password
function login($submitted_password, $password, $username) {
global $link;

if(passwordVerify($submitted_password, $password)) {
ini_set('session.use_trans_sid', FALSE);
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool');
ini_set('session.use_only_cookies', TRUE);
ini_set('session.cookie_httponly', TRUE);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.cookie_secure', TRUE);
session_start();

$link->query("SELECT id, password, username, user_level FROM users WHERE username = :username");
$link->bind(':username', $username);
$link->execute();
$row = $link->getOneRow();
$link->closeStream();

$id = $row['id'];
$username = $row['username'];
$user_level = $row['user_level'];

$_SESSION['userID'] = $id;
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $user_level;
$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];

// store in db to use in page_protect()
$user_ip = $_SERVER['REMOTE_ADDR'];
$useragent_hash = passwordHash($_SESSION['HTTP_USER_AGENT']);

$link->query("UPDATE users SET user_ip = :user_ip, useragent_hash = :useragent_hash WHERE id = :id");
$link->bind(':user_ip', $user_ip);
$link->bind(':useragent_hash', $useragent_hash);
$link->bind(':id', $id);
$link->execute();
$link->closeStream();
header("Location: dashboard.php");
exit();
} else {
$error = "Username or password error"; // password fails
}
}


// function called by every page requiring you to be logged in
function page_protect() {
global $link;

if (session_status() == PHP_SESSION_NONE) {
session_start();
}

if(!isset($_SESSION['user_ip']) || $_SESSION['user_ip'] != $_SERVER['REMOTE_ADDR']) {
logout();
exit();
}

// referenced in question #5 below
if (!isset($_SESSION['HTTP_USER_AGENT']) || $_SERVER['HTTP_USER_AGENT'] != $_SESSION['HTTP_USER_AGENT']) {
logout();
exit();
}

// check that IP address/useragent hash stored in db at login match current session variables
$link->query("SELECT useragent_hash, user_ip FROM users WHERE username = :username");
$link->bind(':username', $_SESSION['username']);
$link->execute();
$row = $link->getOneRow();
$link->closeStream();

$user_ip = $row['user_ip'];
$useragent_hash = $row['useragent_hash'];

if($_SESSION['user_ip'] != $user_ip || !passwordVerify($_SESSION['HTTP_USER_AGENT'], $useragent_hash)) {
logout();
exit();
}

session_regenerate_id(true);
}


function logout() {
if (session_status() == PHP_SESSION_NONE) {
session_start();
}

unset($_SESSION);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}

?>


1) Am I missing anything or does anything look wrong?



2) I'm not sure I'm using session_regenerate_id() in a good spot. I know it needs to be called periodically, so I figured every time a protected page is called would be good.



3) All of the ini_set's only appear before the session_start() in the login function. However, the top of each page protected with page_protect() has a session_start(). Should it be preceded by all of the same ini_set's on every page, or once they're set during the initial login, they stay set?



4) Should I remove this line? ini_set('session.cookie_lifetime', 1200); That would require the user to login again after 20 minutes. I think it would be good to log the user out after 20 minutes of inactivity, but not after 20 minutes of moving around the site.



5) In page_protect, when I check the ip and user agent hash, should I use && instead of ||? If both conditions are met, something is definitely amiss.










share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I'm creating a login system and I have been reading a lot about the security measures needed to prevent session hijacking, fixation, and injection attacks, etc. These two Stack Overflow posts were particularly helpful: Link Link 2



Below is my login system so far. Have I sufficiently protected myself against attacks?



  <?php 

// convert password to hash
function passwordHash($string) {
return password_hash($string, PASSWORD_DEFAULT);
}

// compare password to hash
function passwordVerify($string, $hash) {
return password_verify($string, $hash);
}


// authenticate login password
function login($submitted_password, $password, $username) {
global $link;

if(passwordVerify($submitted_password, $password)) {
ini_set('session.use_trans_sid', FALSE);
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool');
ini_set('session.use_only_cookies', TRUE);
ini_set('session.cookie_httponly', TRUE);
ini_set('session.cookie_lifetime', 1200);
ini_set('session.cookie_secure', TRUE);
session_start();

$link->query("SELECT id, password, username, user_level FROM users WHERE username = :username");
$link->bind(':username', $username);
$link->execute();
$row = $link->getOneRow();
$link->closeStream();

$id = $row['id'];
$username = $row['username'];
$user_level = $row['user_level'];

$_SESSION['userID'] = $id;
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $user_level;
$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];

// store in db to use in page_protect()
$user_ip = $_SERVER['REMOTE_ADDR'];
$useragent_hash = passwordHash($_SESSION['HTTP_USER_AGENT']);

$link->query("UPDATE users SET user_ip = :user_ip, useragent_hash = :useragent_hash WHERE id = :id");
$link->bind(':user_ip', $user_ip);
$link->bind(':useragent_hash', $useragent_hash);
$link->bind(':id', $id);
$link->execute();
$link->closeStream();
header("Location: dashboard.php");
exit();
} else {
$error = "Username or password error"; // password fails
}
}


// function called by every page requiring you to be logged in
function page_protect() {
global $link;

if (session_status() == PHP_SESSION_NONE) {
session_start();
}

if(!isset($_SESSION['user_ip']) || $_SESSION['user_ip'] != $_SERVER['REMOTE_ADDR']) {
logout();
exit();
}

// referenced in question #5 below
if (!isset($_SESSION['HTTP_USER_AGENT']) || $_SERVER['HTTP_USER_AGENT'] != $_SESSION['HTTP_USER_AGENT']) {
logout();
exit();
}

// check that IP address/useragent hash stored in db at login match current session variables
$link->query("SELECT useragent_hash, user_ip FROM users WHERE username = :username");
$link->bind(':username', $_SESSION['username']);
$link->execute();
$row = $link->getOneRow();
$link->closeStream();

$user_ip = $row['user_ip'];
$useragent_hash = $row['useragent_hash'];

if($_SESSION['user_ip'] != $user_ip || !passwordVerify($_SESSION['HTTP_USER_AGENT'], $useragent_hash)) {
logout();
exit();
}

session_regenerate_id(true);
}


function logout() {
if (session_status() == PHP_SESSION_NONE) {
session_start();
}

unset($_SESSION);
session_unset();
session_destroy();
header("Location: index.php");
exit();
}

?>


1) Am I missing anything or does anything look wrong?



2) I'm not sure I'm using session_regenerate_id() in a good spot. I know it needs to be called periodically, so I figured every time a protected page is called would be good.



3) All of the ini_set's only appear before the session_start() in the login function. However, the top of each page protected with page_protect() has a session_start(). Should it be preceded by all of the same ini_set's on every page, or once they're set during the initial login, they stay set?



4) Should I remove this line? ini_set('session.cookie_lifetime', 1200); That would require the user to login again after 20 minutes. I think it would be good to log the user out after 20 minutes of inactivity, but not after 20 minutes of moving around the site.



5) In page_protect, when I check the ip and user agent hash, should I use && instead of ||? If both conditions are met, something is definitely amiss.







php security






share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 59 mins ago





















New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 2 hours ago









John

62




62




New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 1




    Welcome to Code Review! Can you just post your code, as is, without inserting so much of your commentary into it? It's hard to see the context of the code you're asking us to review, otherwise.
    – 200_success
    2 hours ago










  • You are allowed to edit your post multiple times, but it's generally discouraged because it may make potential answers outdated, and it's not allowed after your question receives an answer. If you're still editing the code in question, you might consider deleting this question and then undeleting it when you've arrived at your final version.
    – Graham
    53 mins ago










  • Done! Mostly for readability.
    – John
    51 mins ago














  • 1




    Welcome to Code Review! Can you just post your code, as is, without inserting so much of your commentary into it? It's hard to see the context of the code you're asking us to review, otherwise.
    – 200_success
    2 hours ago










  • You are allowed to edit your post multiple times, but it's generally discouraged because it may make potential answers outdated, and it's not allowed after your question receives an answer. If you're still editing the code in question, you might consider deleting this question and then undeleting it when you've arrived at your final version.
    – Graham
    53 mins ago










  • Done! Mostly for readability.
    – John
    51 mins ago








1




1




Welcome to Code Review! Can you just post your code, as is, without inserting so much of your commentary into it? It's hard to see the context of the code you're asking us to review, otherwise.
– 200_success
2 hours ago




Welcome to Code Review! Can you just post your code, as is, without inserting so much of your commentary into it? It's hard to see the context of the code you're asking us to review, otherwise.
– 200_success
2 hours ago












You are allowed to edit your post multiple times, but it's generally discouraged because it may make potential answers outdated, and it's not allowed after your question receives an answer. If you're still editing the code in question, you might consider deleting this question and then undeleting it when you've arrived at your final version.
– Graham
53 mins ago




You are allowed to edit your post multiple times, but it's generally discouraged because it may make potential answers outdated, and it's not allowed after your question receives an answer. If you're still editing the code in question, you might consider deleting this question and then undeleting it when you've arrived at your final version.
– Graham
53 mins ago












Done! Mostly for readability.
– John
51 mins ago




Done! Mostly for readability.
– John
51 mins ago















active

oldest

votes











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
});
});
}, "mathjax-editing");

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "196"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






John is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f210584%2fprevent-session-hijacking-fixation-injection-etc%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes








John is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















John is a new contributor. Be nice, and check out our Code of Conduct.













John is a new contributor. Be nice, and check out our Code of Conduct.












John is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Code Review Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f210584%2fprevent-session-hijacking-fixation-injection-etc%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Morgemoulin

Scott Moir

Souastre