Prior to making this post I posted a code example about storing sessions in a database. There I showed how to do some session hijacking checks based on the user's IP address (in the function CheckSession). I believe I also mentioned that checking by a user's IP is not the best way to do this, since AOL users tunnel through a proxy and their IP is bound to change. Here I am going to show another method that was brought to my attention by Chris Shiflett.
A good way to check that a person is who they claim to be is by monitoring their behavior. If something has been consistent for X page loads and then suddenly changes, that is abnormal behavior. Basically, on the first page load this stores the user's User-Agent in a session variable; on each later page load it compares the two, and if they match it increments a counter by one. If the User-Agent changes, it checks whether the counter has reached UA_THRESHOLD; if so, the User-Agent has not changed over the last X page loads, and it is not normal for it to change now. At this point it displays the password dialog. We don't want to be harsh when dealing with the session, because it could well be the same user, so we prompt for their password. If they enter an incorrect password more than PW_MAX_CHECKS times, it destroys the session and redirects to the index page. If they enter the correct password, it resets the counter and allows the user to continue.
You can use this method with any type of tracking. The basic idea is to track the user's activity and, when something doesn't seem right, handle the situation lightly. For users whose User-Agent changes frequently there is not much you can do; perhaps fall back to a different check based on this method using the user's IP.
If you learn from this code please leave some comments. Many thanks to the NYPHP User Group for participating in this discussion and helping me see different ways to accomplish this task, and many thanks to Chris Shiflett for pointing out this method.
<?php
// Requires session_start() to have been called on the page before CheckSession() runs.
define( 'UA_THRESHOLD', 50 );   // page loads with a stable User-Agent before a change is treated as abnormal
define( 'PW_MAX_CHECKS', 3 );   // wrong passwords tolerated before the session is destroyed

function CheckSession($db) {
    $pwError = '';
    // Handle a submission of the re-validation password form first.
    if(isset($_POST['submit'])) {
        // initialise the wrong-password counter before comparing it to the limit
        if(!isset($_SESSION['PW_CHECKS'])) $_SESSION['PW_CHECKS'] = 0;
        if($_SESSION['PW_CHECKS'] < PW_MAX_CHECKS) {
            if(isset($_POST['passwd'])) {
                $_SESSION['PW_CHECKS']++;
                // $_SESSION['type'] and $_SESSION['uname'] were set at login (see the earlier session post);
                // uname must have been validated there, since it is interpolated into the query.
                // The pass column holds md5 hashes in this schema.
                $table = strtolower($_SESSION['type'].'s');
                $sql = "SELECT pass FROM ".$table." WHERE username='".$_SESSION['uname']."' AND pass='".md5($_POST['passwd'])."'";
                $res = $db->Query($sql);
                if($db->NumRows($res) == 0) {
                    $pwError = 'Invalid Password!';
                    // display the password form again (sessionReValidate() exits)
                    sessionReValidate($pwError);
                } else {
                    // correct password: reset our session variables.
                    unset($_SESSION['UA_CHECKS']);
                    unset($_SESSION['HTTP_USER_AGENT']);
                    unset($_SESSION['PW_CHECKS']);
                }
            }
        } else {
            // too many wrong passwords: drop the session and send the user back to the start.
            session_destroy();
            header("Location: index.php");
            exit();
        }
    }
    // the User-Agent header may be absent; treat a missing header as an empty string
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // check to see if UA_CHECKS is instantiated, if not set it to 0
    if(!isset($_SESSION['UA_CHECKS'])) $_SESSION['UA_CHECKS'] = 0;
    // check to see if the user's User-Agent has been recorded, if not record it.
    if(!isset($_SESSION['HTTP_USER_AGENT'])) $_SESSION['HTTP_USER_AGENT'] = $ua;
    // check to see if the UA has changed
    if($_SESSION['HTTP_USER_AGENT'] === $ua) {
        ++$_SESSION['UA_CHECKS'];
    } else {
        // Has the UA been consistent for UA_THRESHOLD page loads?
        if($_SESSION['UA_CHECKS'] >= UA_THRESHOLD) {
            // It's not normal for the user's UA to change after being stable this long: ask for the password
            sessionReValidate($pwError);
        } else {
            // not enough history yet to call the change abnormal: start counting again
            unset($_SESSION['UA_CHECKS']);
            unset($_SESSION['HTTP_USER_AGENT']);
        }
    }
}

function sessionReValidate($pwError = '') {
    if($pwError != '') echo htmlspecialchars($pwError).'<br /><br />';
    // PHP_SELF is attacker-influenced, so escape it before echoing it into the form
    print "
<form action='".htmlspecialchars($_SERVER['PHP_SELF'])."' method='POST'>
<input type='password' name='passwd'><br>
<input type='submit' name='submit' value='Verify'>
</form>
";
    exit();
}
?>
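The check described above, modelled in Python as an added example (this is not the page's PHP code): the session state is a plain object instead of $_SESSION, the database lookup is replaced by a constructed verifier, and the User-Agent strings in the demo are constructed. It runs a sequence of page loads through the counter and threshold so the two outcomes of a User-Agent change (before and after UA_THRESHOLD consistent loads) and the PW_MAX_CHECKS retry limit can be exercised without a web server.

```python
# Added example: a framework-independent model of the User-Agent consistency
# check. Not the page's PHP; state is a plain object instead of $_SESSION and
# the password lookup is a constructed stand-in for the database query.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

UA_THRESHOLD = 50   # page loads with a stable User-Agent before a change is suspicious
PW_MAX_CHECKS = 3   # wrong passwords tolerated before the session is destroyed


@dataclass
class SessionState:
    """Stand-in for the $_SESSION entries the page uses."""
    ua_hash: Optional[str] = None   # fingerprint of the baseline User-Agent
    ua_checks: int = 0              # consecutive loads seen with that User-Agent
    pw_checks: int = 0              # wrong passwords so far in this re-validation


def ua_fingerprint(user_agent: str) -> str:
    # Assumption of this model: store a digest rather than the raw header.
    # The comparison is the same, the session stays small.
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def check_request(state: SessionState, user_agent: str) -> str:
    """Run the per-page-load check. Returns 'ok' or 'revalidate'."""
    fp = ua_fingerprint(user_agent)
    if state.ua_hash is None:
        state.ua_hash = fp          # first load: record the baseline
    if state.ua_hash == fp:
        state.ua_checks += 1        # consistent behaviour: count it
        return "ok"
    if state.ua_checks >= UA_THRESHOLD:
        return "revalidate"         # stable for a long time, then changed: ask for the password
    # Changed before a baseline was established: forget it and start counting again
    state.ua_hash = None
    state.ua_checks = 0
    return "ok"


def check_password(state: SessionState, supplied: str,
                   verify: Callable[[str], bool]) -> str:
    """Handle one submission of the re-validation form.
    Returns 'ok' (counters reset), 'retry' (show the form again)
    or 'destroy' (too many wrong passwords; the caller ends the session)."""
    if state.pw_checks >= PW_MAX_CHECKS:
        return "destroy"
    state.pw_checks += 1
    if verify(supplied):
        state.ua_hash = None
        state.ua_checks = 0
        state.pw_checks = 0
        return "ok"
    return "retry"


def make_verifier(password: str) -> Callable[[str], bool]:
    """Constructed stand-in for the database lookup: constant-time compare of digests."""
    expected = hashlib.sha256(password.encode("utf-8")).digest()

    def verify(candidate: str) -> bool:
        return hmac.compare_digest(
            hashlib.sha256(candidate.encode("utf-8")).digest(), expected)
    return verify


def simulate(user_agents: List[str]) -> List[str]:
    """Feed a sequence of page loads through one session and collect the decisions."""
    state = SessionState()
    return [check_request(state, ua) for ua in user_agents]


if __name__ == "__main__":
    # constructed sample headers
    FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
    CURL = "curl/8.4.0"
    # 50 consistent loads, then the header changes: the 51st load triggers re-validation
    print(simulate([FIREFOX] * UA_THRESHOLD + [CURL])[-1])
    # 10 consistent loads, then a change: too early to be suspicious, quietly re-baselined
    print(simulate([FIREFOX] * 10 + [CURL])[-1])
```

Returning a decision from check_request() and check_password() instead of echoing a form and calling exit() is what makes the thresholds testable; the web layer decides how to render "revalidate" and "destroy".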