Old 04-04-2008, 09:01 PM   #6 (permalink)
Wildhoney

I wouldn't recommend storing the username and password because of cookie sniffing. However, if you're wanting to go down that route then store the session ID. Although session IDs are still susceptible to cookie sniffing, you can try your best to make it much more difficult to take over a session that isn't yours. This is done by creating a fingerprint based on data you KNOW exists, such as the IP address. You can also add in optional parameters such as the user agent.

I have written us a basic class for the very purpose of resuming sessions. The cookie remains active for only an hour in this example, and so if a user doesn't log in for an hour then the cookie will expire. It can be used like so:

php Code:
$pCookie = TalkPHP_Cookie::restore();

if($pCookie)
{
    // restore() has already re-attached the saved session, so $_SESSION is populated
    printf('Welcome back, %s', $_SESSION['username']);
}
else
{
    // no valid cookie: start a fresh session before writing to $_SESSION, then remember it
    if(session_status() !== PHP_SESSION_ACTIVE)
    {
        session_start();
    }
    $_SESSION['username'] = 'Wildhoney';
    TalkPHP_Cookie::save();
    printf('Welcome, %s', $_SESSION['username']);
}

You should be able to close your browser and then return to the page. The class should pick up on the attempt to restore the session, and as long as your IP address matches the saved IP address, it will do just that.

I've not put the class through any rigorous tests. That's entirely up to you if you decide to use it! It should say "Welcome back, Wildhoney" once the session has been restored. You won't want to restore the session on every page click and so that's where your own function would come in, to see if the user is already logged in or not.

php Code:
class TalkPHP_Cookie
{
    const COOKIE_NAME = 'talkphp_cookie';
    const LIFETIME    = 3600; // one hour, as described above

    /**
     * Stores the current session ID plus a fingerprint of the client in a
     * cookie so the session can be resumed after the browser is closed.
     */
    public static function save(array $aData = array())
    {
        if(session_status() !== PHP_SESSION_ACTIVE)
        {
            session_start();
        }

        $aData['session_id']  = session_id();
        $aData['fingerprint'] = md5($_SERVER['REMOTE_ADDR']);

        // JSON rather than serialize(): the value comes back from the client, and
        // unserialize() on client-controlled data can instantiate arbitrary objects.
        // httponly keeps the cookie out of reach of scripts running in the page.
        setcookie(self::COOKIE_NAME, json_encode($aData), time() + self::LIFETIME, '/', '', false, true);
    }

    /**
     * Must be called before any session_start(). Validates the cookie and, if
     * the fingerprint matches, re-attaches the saved session. Returns the
     * cookie payload as an object on success, false otherwise.
     *
     * Caveat: the fingerprint is compared against a value the client itself
     * sent, so the check only means something if the payload cannot be
     * altered in transit or on the client. Sign it (e.g. hash_hmac() with a
     * server-side secret) or keep the fingerprint in $_SESSION instead.
     */
    public static function restore()
    {
        if(!isset($_COOKIE[self::COOKIE_NAME]))
        {
            return false;
        }

        // json_decode() returns null on malformed input; check the type, not truthiness
        $aCookie = json_decode($_COOKIE[self::COOKIE_NAME], true);

        if(!is_array($aCookie) || !isset($aCookie['fingerprint'], $aCookie['session_id']))
        {
            return false;
        }

        if(!is_string($aCookie['fingerprint']) || md5($_SERVER['REMOTE_ADDR']) !== $aCookie['fingerprint'])
        {
            return false;
        }

        // Only accept the characters PHP itself uses for session IDs, since the
        // value is about to be handed to session_id().
        if(!is_string($aCookie['session_id']) || !preg_match('/^[A-Za-z0-9,-]{1,256}$/', $aCookie['session_id']))
        {
            return false;
        }

        // session_id() only takes effect when called before session_start()
        session_id($aCookie['session_id']);
        session_start();

        return (object) $aCookie;
    }
}
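As an added example (not the post's own code), the same fingerprint check with the cookie payload signed by an HMAC under a server-side secret, so that a cookie whose fingerprint field has been changed is rejected where the unsigned check would accept it. SECRET, the two sample addresses, the session ID 'abc123' and the function names are constructed for this demo.

```php
<?php
// Constructed demo values: in a deployment SECRET lives outside the source
// (config or environment) and the session ID comes from session_id().
const SECRET = 'replace-with-a-long-random-server-side-secret';

// Cookie value = JSON payload . HMAC-SHA256 over that payload keyed with SECRET.
function build_cookie($sessionId, $remoteAddr)
{
    $payload = json_encode(array('session_id' => $sessionId, 'fingerprint' => md5($remoteAddr)));
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

// The check as TalkPHP_Cookie::restore() does it: trusts the fingerprint the cookie carries.
function restore_unsigned($payload, $remoteAddr)
{
    $data = json_decode($payload, true);
    return is_array($data) && isset($data['fingerprint'])
        && hash_equals(md5($remoteAddr), (string) $data['fingerprint']);
}

// Same check, but the HMAC must verify before the payload is decoded at all.
function restore_signed($cookie, $remoteAddr)
{
    $pos = strrpos($cookie, '.');
    if($pos === false)
    {
        return false;
    }
    $payload = substr($cookie, 0, $pos);
    $sig     = substr($cookie, $pos + 1);
    if(!hash_equals(hash_hmac('sha256', $payload, SECRET), $sig))
    {
        return false;
    }
    return restore_unsigned($payload, $remoteAddr);
}

$userIp  = '203.0.113.10';  // address the session was saved from (constructed)
$otherIp = '198.51.100.7';  // a different address presenting the cookie (constructed)
$cookie  = build_cookie('abc123', $userIp);
$sig     = substr($cookie, strrpos($cookie, '.') + 1);
// A cookie whose fingerprint field has been changed to match $otherIp.
$edited  = json_encode(array('session_id' => 'abc123', 'fingerprint' => md5($otherIp)));

printf("genuine client, signed check:  %s\n", var_export(restore_signed($cookie, $userIp), true));
printf("other address, signed check:   %s\n", var_export(restore_signed($cookie, $otherIp), true));
printf("edited cookie, unsigned check: %s\n", var_export(restore_unsigned($edited, $otherIp), true));
printf("edited cookie, signed check:   %s\n", var_export(restore_signed($edited . '.' . $sig, $otherIp), true));
```

Only the first case should succeed; the last two lines are the point, since the edited payload satisfies the unsigned comparison but no longer matches its signature.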