SitePoint Sponsor

User Tag List

Results 1 to 3 of 3
  1. #1
    SitePoint Addict
    Join Date
    Mar 2009
    Posts
    268
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Session security and user tracking

    Ive been working on a PHP project that requires a user to be tracked as they select various options on the site. I'm using session ids stored in a mysql database to track the selections. There is no login form and no vital data, payment details etc stored or passed with the session. I would like to know what should I do to ensure that the sessions are secure as possible?

    As soon as the user hits the front page a session is generated for them.

    Code:
    <?php
    session_start();
    
    if (!isset($_SESSION['userid'])) {
    	$_SESSION['userid']=md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
    }
    ?>
    I use this session to track the user. Once the user selects an option the user is assigned an id and a row in the database table 'users'. The session is then used as a lookup for that user to another table 'options'. Once the user has finished selecting their options they finalise by clicking submit and the session is unset and destroyed. An email is sent with that customers options to the admin. I used sessions instead of simply a userID because I needed to make the variable site wide. I didn't want to use global variables in my functions.

    Any form data is sanitised by mysql_real_string, htmlentities as well as int() for expected integer values.

    Any suggestion as to what else I need to do to keep it secure as possible?

  2. #2
    SitePoint Guru bronze trophy
    Join Date
    Dec 2003
    Location
    Poland
    Posts
    925
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by freakystreak View Post
    Code:
    <?php
    session_start();
    
    if (!isset($_SESSION['userid'])) {
    	$_SESSION['userid']=md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
    }
    ?>
    Why do you generate userid in this way? I think you could as well use session_id() as userid. session_id is generated by php automatically when a session is initialised so no need to generate another id - unless you have some specific need for the userid to be different.

    Quote Originally Posted by freakystreak View Post
    I use this session to track the user. Once the user selects an option the user is assigned an id and a row in the database table 'users'. The session is then used as a lookup for that user to another table 'options'. Once the user has finished selecting their options they finalise by clicking submit and the session is unset and destroyed. An email is sent with that customers options to the admin. I used sessions instead of simply a userID because I needed to make the variable site wide. I didn't want to use global variables in my functions.

    Any form data is sanitised by mysql_real_string, htmlentities as well as int() for expected integer values.

    Any suggestion as to what else I need to do to keep it secure as possible?
    Sounds fine to me. But you don't need to use htmlentities for sanitising, mysql_real_escape_string is enough. But then use htmlentities/htmlspecialchars whenever you output string data to the browser as part of html.

  3. #3
    SitePoint Addict
    Join Date
    Mar 2009
    Posts
    268
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Cheers, security is always my biggest headache. Wish evil people didn't hack but I suppose you can't have everything.


Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •