  1. #1
    gimme the uuuuuuuuuuu duuudie

    a little discussion about hashing session.

    Hi

    While doing my daily thread reading in the Advanced PHP forum, I discovered this excellent class posted by Xtasy:
    http://www.sitepoint.com/forums/showthread.php?t=170234

    I noticed that sessions are hashed.

    I had not yet heard about it.

    So here are a few questions:

    Why would I hash sessions?
    Is it really useful?
    What are the problems I might face if I don't hash them?
    etc.

    Thanks a lot for your time and patience

  2. #2
    SitePoint Enthusiast
    Hey Alex,

    Thanks for the praise of my class.

    For the session variable in my class I wanted a unique 32 character string. I thought that using the PHP rand() function (seeded with the microtime() function) would give me a pretty unique number, but there is also the (rather unlikely) chance that two people may attempt to log in at exactly the same time. To combat that I run the result through the PHP uniqid() function.

    I then took an MD5 hash of this to ensure that this unique string was 32 characters in length. Hope that has explained it a bit.

    Zack
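
The construction Zack describes (rand() run through uniqid(), then md5() to fix the length at 32 characters), shown as an added example that is not Xtasy's SessionHandler code, next to an ID built from the OS random generator; it assumes PHP 7 or later.

```php
<?php
// Added example, not Xtasy's SessionHandler code: the ID construction the
// post describes next to one built from the OS CSPRNG. Assumes PHP >= 7.

// The construction described above: rand() (PHP seeds it automatically
// since 4.2, so no srand(microtime()) call is needed), run through uniqid(),
// then md5() to fix the length at 32 hex characters.
// Risk note: uniqid() is derived from the clock and rand() is not a
// cryptographic generator, so the real search space is far smaller than
// the 128 bits a 32-hex-character string suggests.
function legacySessionId(): string
{
    return md5(uniqid((string) rand(), true));
}

// Preferred construction: 16 bytes from the OS CSPRNG, hex-encoded.
// Same 32-character shape, but every bit is unpredictable.
function secureSessionId(): string
{
    return bin2hex(random_bytes(16));
}

// Both must satisfy the shape the thread expects from a session id.
function looksLikeSessionId(string $id): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $id) === 1;
}

// Quick uniqueness check: a burst of ids generated back to back must not
// collide. The legacy form leans on uniqid()'s microsecond counter for this;
// the secure form gets it from entropy alone.
function countCollisions(callable $gen, int $n): int
{
    $seen = [];
    for ($i = 0; $i < $n; $i++) {
        $seen[$gen()] = true;
    }
    return $n - count($seen);
}

foreach (['legacy' => 'legacySessionId', 'secure' => 'secureSessionId'] as $kind => $fn) {
    printf("%-6s %s valid=%s collisions=%d\n",
        $kind, $fn(), looksLikeSessionId($fn()) ? 'yes' : 'no', countCollisions($fn, 10000));
}
```

Uniqueness of the legacy id comes from the clock rather than from randomness, which is why the secure form is the one to use when the id also has to be unguessable.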

  3. #3
    Pozor (SitePoint Zealot)
    Hi,

    To create a hash for a session is an easy way to get a
    session id which is likely unique on your system, when
    you use some stuff like rand().
    BTW srand isn't needed for PHP after 4.2.0.

    I take some information from the user and rand()
    to create a string for the md5() hash function.

    In my opinion a session is not hashed, only the id is
    created with a particular hash function (md5, sha etc...)

    It's common to have a session id which is 32 characters long. Easy way to get them -> hash functions.

    For a session you need a unique id, however you create it.


    greez Pozor

  4. #4
    gimme the uuuuuuuuuuu duuudie
    So if I follow you correctly, each time a user is connected to my website, he will be assigned a session value, is that it? Or is it just when he logs in if you have an Auth system?

    You hash the session to make sure that you get a unique value. That's the purpose of hashing it right? In this situation, the hash process has nothing to do with the hash of a password that we would protect.

    Did I understand it correctly?

    If you have a few minutes to provide some basic examples I would be very pleased to read your code. I am very interested in this question.



    thanks a lot for your time.

  5. #5
    SitePoint Enthusiast
    Well, the SessionHandler class that I did is designed to run independently of an authorisation system (although I would more likely always use it with one), so the session value could be assigned to the user when they view the screen. It is more likely it would be used with the Auth system and then it would be assigned when they log in.

    The hashing of the session has two purposes. It helps to get a unique session id and it also ensures that this session id is 32 characters long.

    If you tell me a little more about what you would like the examples to show then I will try and rustle one up.

  6. #6
    Pozor (SitePoint Zealot)
    Hi,

    Basically you got the main point.
    It depends on what you want to do, how you implement your
    session management.
    In my case it runs with an additional auth system.

    Every time a user connects to my page, a session id is created (when the user doesn't already have one);
    first he is anonymous until he logs in to the system.

    You should design a session management independent from
    any auth system, but so that you can easily add one (I did it this way),
    so you can change the auth system without touching the session management.

    greez Pozor

    PS: Hashing a password works in the same way as hashing a session; in both cases you have a certain string you want to hash with the same function.

  7. #7
    gimme the uuuuuuuuuuu duuudie
    Thanks a lot for your replies, I will follow your advice.

    Quote Originally Posted by Pozor
    PS: Hashing a password works in the same way as hashing a session; in both cases you have a certain string you want to hash with the same function.
    But when you have hashed a function, you won't check its un-hashed value against its hashed value, that's what I meant. Hashing a password is mainly done to increase security. You check the user's string, once hashed, against the already hashed value stored in your db. In the session hash situation, you just want to make sure that you have a unique ID; you don't want to check the original value of the session against its hashed value (like in the password scenario), or did I miss something?


  8. #8
    SitePoint Enthusiast
    You got it spot on Alex. We are just hashing to get the unique id. There is no checking against the hashed value in this case.

  9. #9
    gimme the uuuuuuuuuuu duuudie
    Quote Originally Posted by Xtasy
    You got it spot on Alex. We are just hashing to get the unique id. There is no checking against the hashed value in this case.
    Ok, I just wanted to make sure.

    Now that leads to another question. I thought that PHP was generating a unique 32-char string to identify the session, then passed the value to the browser and created at the same time a file on the server, including the session ID in the filename. The browser would then inform the server of its session by adding the ID to the query string or by sending it as a cookie. Why then hash the session if PHP is supposed to generate a 32-char unique string anyway? Did I miss something?

  10. #10
    Pozor (SitePoint Zealot)
    Hi,

    I (and many PHP developers) fix the lack of security on shared servers.
    On a shared server it's possible to get the session files from other pages...
    That's one of the reasons why I do the session stuff by myself.
    Another reason for me is to have control over what's going on and to use it easily with other nice stuff I've coded.

    greez pozor

    PS: for more information search the forum, it has plenty of threads on this topic
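
The shared-server problem Pozor describes (every site's session files landing in one world-readable directory) can also be addressed without replacing PHP's session handling, by pointing the built-in handler at a directory only this site owns and refusing to start if that directory is not private. The following is an added example, not code from Pozor or from Xtasy's class; it assumes PHP 7.3 or later on a POSIX system, and the directory path is a placeholder.

```php
<?php
// Added example (not from the thread's authors): a defensive alternative to
// writing a custom session store for the shared-host problem described above.
// Instead of the shared default (typically /tmp, readable by every tenant),
// PHP's own handler is pointed at a directory only this site owns, and the
// script refuses to start a session if that directory is not private.
// Assumes PHP >= 7.3 on a POSIX system; the path below is a placeholder.

function assertPrivateSessionDir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session dir $dir");
    }
    $st = stat($dir);
    if ($st === false) {
        throw new RuntimeException("cannot stat $dir");
    }
    // Owner must be the user PHP runs as, and group/other must have no access,
    // otherwise other tenants could read or replace the session files.
    if (function_exists('posix_geteuid') && $st['uid'] !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the PHP user");
    }
    if (($st['mode'] & 0077) !== 0) {
        throw new RuntimeException("$dir is accessible by group/other");
    }
}

function startPrivateSession(string $dir): void
{
    assertPrivateSessionDir($dir);
    ini_set('session.save_path', $dir);
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never take the id from the query string
    session_set_cookie_params([
        'httponly' => true,   // not readable from page scripts
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

startPrivateSession('/home/example-site/private/sessions'); // placeholder path
```

The permission check is the part that matters on a shared host: a private save_path that is later chmod'ed open silently reintroduces the problem, so verifying it on every start is cheaper than trusting the deployment.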

  11. #11
    SitePoint Enthusiast
    I see where you are getting confused.

    My Session Handler class is meant to replace the PHP sessions. When you use the SessionHandler class you don't use PHP sessions. The class is used instead.

    So PHP is not generating a session id at all. The class is doing all that work instead of the sessions.

    Does that make sense?

  12. #12
    gimme the uuuuuuuuuuu duuudie
    Ah ok,

    yeah, it makes sense now.

    Thanks a lot for your replies. Expect a few more questions in the near future though.

  13. #13
    SitePoint Enthusiast
    My pleasure. Glad I could help.
