Managing Security and User-based Tasks with PHP's Sessions/Cookies

Sessions and cookies are great ways to store short-term and long-term information. Almost every web-based application today needs to manage users. Using simple PHP functions such as md5() (a one-way hash), sessions, cookies, and a MySQL database, it is quick and easy to integrate a secure section into any project. I have the following experience using sessions/cookies:

Cookies for Templating (from the CSS/template section)

*Note - I used cookies for this application so that the user-selected style is not lost when the browser is closed (and the session is killed), and is remembered the next time the user visits the site.
# Sets/un-sets $_COOKIE['style'], which defines the template that is used
if (!empty($_GET['unset_style'])) {
    # PHP treats an empty value as a delete and sends the cookie with an expiry in the past
    setcookie("style", "", time()+2592000, "/", ".ryanfyfe.com");
    if (!empty($_SESSION['last'])) {
        header("Location: " . $_SESSION['last']);
        exit; # stop the script here so nothing runs after the redirect header
    }
} elseif (!empty($_GET['set_style'])) {
    # 30-day cookie, valid site-wide and across sub-domains
    setcookie("style", "_" . $_GET['set_style'], time()+2592000, "/", ".ryanfyfe.com");
    if (!empty($_SESSION['last'])) {
        header("Location: " . $_SESSION['last']);
        exit;
    }
}
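The snippet above stores whatever name arrives in set_style straight into the cookie, and the rendering side then has to trust that value. The following is an added example, not code from this page or site, showing the same style switcher with the style name checked against a fixed whitelist before it is stored, and the stylesheet path always resolved from that whitelist rather than from the raw cookie. The $allowed_styles array, the template file names and the httponly flag are assumptions for this example; the cookie name, path and domain are the page's own.

```php
<?php
# Added example (not the site's own code): whitelisted cookie-based style selection.
# $allowed_styles and the template paths are assumptions for this example.
$allowed_styles = array(
    'default' => 'templates/default.css',
    '_dark'   => 'templates/dark.css',
    '_print'  => 'templates/print.css',
);

# Resolve the stylesheet for this request from the cookie value, falling back to the default.
# Only keys of the whitelist are accepted, so the cookie can never name an arbitrary file.
function current_style_path(array $allowed, $cookie_value)
{
    if (is_string($cookie_value) && isset($allowed[$cookie_value])) {
        return $allowed[$cookie_value];
    }
    return $allowed['default'];
}

if (!empty($_GET['unset_style'])) {
    # Expiry in the past removes the cookie; path and domain must match the ones used when setting it
    setcookie('style', '', time() - 3600, '/', '.ryanfyfe.com', false, true);
} elseif (!empty($_GET['set_style']) && is_string($_GET['set_style'])) {
    $requested = '_' . $_GET['set_style'];
    if (isset($allowed_styles[$requested])) {
        # 30-day cookie; httponly keeps the value out of reach of page scripts
        setcookie('style', $requested, time() + 2592000, '/', '.ryanfyfe.com', false, true);
    }
    # Unknown style names are simply ignored rather than stored
}

# Rendering side: build the <link> tag from the whitelist entry only
$css = current_style_path($allowed_styles, isset($_COOKIE['style']) ? $_COOKIE['style'] : null);
echo '<link rel="stylesheet" href="' . htmlspecialchars($css, ENT_QUOTES, 'UTF-8') . '">';
```

The redirect back to $_SESSION['last'] from the original snippet is left out here; it would follow the setcookie() calls exactly as on the page, with an exit after the header.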
Sample Login Script
# Simple validation of user input against the database (assumes session_start() has been called)
if (!empty($_POST['username']) && !empty($_POST['password'])) {
    # Clean up user input: one-way hash of the password, normalised username
    $password = md5(strtolower(trim($_POST['password'])));
    $username = strtolower(trim($_POST['username']));
    # Validate against the database; the username is escaped before it goes into the query
    $query = mysql_query("SELECT password,flag,level,style,last_login
        FROM users_table WHERE username='" . mysql_real_escape_string($username) . "'");
    if ($result = mysql_fetch_array($query)) {
        if ($password === $result['password']) {
            # Example session setting:
            session_regenerate_id(true); # fresh session id on login, so a pre-login id is not kept
            $_SESSION['logged_in']  = true;
            $_SESSION['style']      = $result['style'];
            $_SESSION['flag']       = $result['flag'];
            $_SESSION['level']      = $result['level'];
            $_SESSION['last_login'] = $result['last_login'];
            $_SESSION['username']   = $username;
            # Perform correct-user operation
        } else {
            # Perform incorrect-details operation (wrong password)
        }
    } else {
        # Perform missing-details operation (no such user)
    }
}
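The sample above builds the SQL by string concatenation and compares an md5() of the password with the stored value. As an added example, not code from this page or site, here is the same login flow with two techniques swapped in: a PDO prepared statement in place of concatenating the username into the query, and password_hash()/password_verify() in place of md5(). The DSN, database credentials, the users_table column names beyond those on the page, and the /members/ redirect target are assumptions for this example.

```php
<?php
# Added example (not the site's own code): login with prepared statements and salted password hashes.
# DSN, credentials and the INSERT column list are assumptions for this example.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));

# Registration side: store a salted, iterated hash instead of a bare md5 of the password
function register_user(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('INSERT INTO users_table (username, password, flag, level, style)
                           VALUES (?, ?, 0, 1, ?)');
    $stmt->execute(array(strtolower(trim($username)), password_hash($password, PASSWORD_DEFAULT), ''));
}

# Login side: returns the user row on success, or null for an unknown user or a wrong password.
# The username travels as a bound parameter, so quotes in it cannot change the query.
function login_user(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT password, flag, level, style, last_login
                           FROM users_table WHERE username = ?');
    $stmt->execute(array(strtolower(trim($username))));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    # Verify against a dummy hash when the user is unknown, so both failures take a similar time
    $hash = $row ? $row['password'] : password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return null;
    }
    return $row;
}

if (!empty($_POST['username']) && !empty($_POST['password'])) {
    $user = login_user($pdo, $_POST['username'], $_POST['password']);
    if ($user === null) {
        # One message for both cases, so the form does not reveal which usernames exist
        $error = 'Incorrect username or password';
    } else {
        session_regenerate_id(true); # new session id once the user is authenticated
        $_SESSION['logged_in']  = true;
        $_SESSION['username']   = strtolower(trim($_POST['username']));
        $_SESSION['level']      = (int) $user['level'];
        $_SESSION['flag']       = $user['flag'];
        $_SESSION['style']      = $user['style'];
        $_SESSION['last_login'] = $user['last_login'];
        $pdo->prepare('UPDATE users_table SET last_login = NOW() WHERE username = ?')
            ->execute(array($_SESSION['username']));
        header('Location: /members/');
        exit;
    }
}
```

password_hash() chooses the salt and work factor itself and embeds them in the stored string, so the table needs a column wide enough for that string (60 characters for the current default) rather than the 32 characters an md5 hex digest occupies.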
Sample Login Validation
# Validate user on secure page visit (assumes session_start() has been called)
# Set definitions
define('_secure_section_', true);
define('_secure_level_', 1);
# Check login status
if (defined('_secure_section_') && empty($_SESSION['logged_in'])) {
    die("Hacking Attempt");
# Check authorization level
} elseif ($_SESSION['level'] < _secure_level_) {
    die("You are Un-authorized to view this section");
} else {
    # User can continue....
}
Session handling can easily be made more secure by implementing a session table in a database. This further reduces the odds of a session being hijacked, by checking user information, such as their unique session id, against what the server has stored for them.
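The following added example, not code from this page or site, puts the two preceding ideas together: the per-page login and level check from the validation sample, and the session table just described. A row is written for each login, and every secure page compares the session id in the visitor's cookie, the username and a hash of the user agent against that row, and refuses the request when they disagree or the row has expired. The sessions table schema, the DSN and credentials, the 30-minute lifetime and the use of the user agent as the extra check are all assumptions for this example.

```php
<?php
# Added example (not the site's own code): server-side session table checked on every secure page.
# Assumed schema for this example:
#   CREATE TABLE sessions (
#     session_id VARCHAR(128) PRIMARY KEY,
#     username   VARCHAR(64)  NOT NULL,
#     ua_hash    CHAR(64)     NOT NULL,
#     expires_at DATETIME     NOT NULL
#   );
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));

define('SESSION_LIFETIME', 1800); # 30 minutes of inactivity, an assumption for this example

function user_agent_hash()
{
    return hash('sha256', isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
}

# Called once, right after a successful login (where the page's sample sets $_SESSION['level'] etc.)
function register_session(PDO $pdo, $username)
{
    session_regenerate_id(true); # the stored id is the post-login id, never a pre-login one
    $stmt = $pdo->prepare('INSERT INTO sessions (session_id, username, ua_hash, expires_at)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute(array(session_id(), $username, user_agent_hash(),
                         date('Y-m-d H:i:s', time() + SESSION_LIFETIME)));
}

# Remove both the server-side row and the PHP session, so the id cannot be reused
function destroy_session(PDO $pdo)
{
    $pdo->prepare('DELETE FROM sessions WHERE session_id = ?')->execute(array(session_id()));
    $_SESSION = array();
    session_destroy();
}

# Called at the top of every secure page: the cookie's session id must match a live row whose
# username and user-agent hash match this request, and the user must hold the required level
function require_login(PDO $pdo, $min_level = 1)
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['username'])) {
        die('Please log in');
    }
    $stmt = $pdo->prepare('SELECT username, ua_hash, expires_at FROM sessions WHERE session_id = ?');
    $stmt->execute(array(session_id()));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row
        || $row['username'] !== $_SESSION['username']
        || $row['ua_hash'] !== user_agent_hash()
        || strtotime($row['expires_at']) < time()) {
        # The server's record disagrees with the client, or has expired: drop both copies
        destroy_session($pdo);
        die('Session invalid or expired, please log in again');
    }
    if ((int) $_SESSION['level'] < $min_level) {
        die('You are not authorised to view this section');
    }
    # Slide the expiry forward on activity
    $pdo->prepare('UPDATE sessions SET expires_at = ? WHERE session_id = ?')
        ->execute(array(date('Y-m-d H:i:s', time() + SESSION_LIFETIME), session_id()));
}

# Usage on a page that requires level 2 (the equivalent of define('_secure_level_', 2) above):
# require_login($pdo, 2);
```

Because the row is deleted on logout and on any mismatch, a session id that leaks after the user has logged out is worth nothing even if the browser still carries the cookie; this is the part a purely cookie-based check cannot provide.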