Home/ Questions/Q 6822237
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T21:38:20+00:00

class userSessionManager { public $_uname; private $_pword; private $_userDB_Accessor; function __construct($userAccessor) { $this->_userDB_Accessor =

  • 0
            class userSessionManager
{
    public $_uname;
    private $_pword;
    private $_userDB_Accessor;

    function __construct($userAccessor)
    {
        $this->_userDB_Accessor = $userAccessor;            
    }
    function tryLogin()
    {
        //  get user information
        if ($_SERVER['REQUEST_METHOD'] == 'POST')
        {
            // get username and pasword from POST data and make it safe for database
            $this->_uname = quote_smart(htmlspecialchars($_POST['userName']));
            $this->_pword = quote_smart(htmlspecialchars($_POST['password']));
        }
        else // username and password were not set
        {
            return false;
        }

        $loginPassed = $this->_userDB_Accessor->login($this->_uname, $this->_pword);

        if($loginPassed == true)
        {
            $this->makeSession();
        }

        return $loginPassed;
    }
    private function makeSession()
    {
        session_start();
        $_SESSION['userName'] = $this->_uname;
    }
    function userHasSession()
    {
        session_start();
        if(! isset($_SESSION['userName']))  // session not properly created
        {
            return false;
        }

        $this->_uname = $_SESSION['userName'];  //save username to object

        //destroy and recreate session for security reasons
        session_destroy();
        $this->makeSession();
        return true;
    }
}

So, I read this article on how someone could gain access to an account with the session ID number. One solution listed was to reset the session ID number each time the page is loaded. Would this be a secure implementation of that idea?

Thank you all for the suggestions here is what I did to use them:

        private function makeSession()
    {
        session_start();
        session_regenerate_id();    // reset session id for securty
        $_SESSION['userName'] = $this->_uname;
        $_SESSION['userIP'] = $_SERVER['REMOTE_ADDR'];
        $_SESSION['userBrowser'] = $_SERVER['HTTP_USER_AGENT'];
    }
    function userHasSession()
    {
        session_start();

        if(!isset($_SESSION['userName']) || // check for a created user
            $_SESSION['userIP'] != $_SERVER['REMOTE_ADDR'] || // check for the same IP address
            $_SESSION['userBrowser'] != $_SERVER['HTTP_USER_AGENT'] //check for same Browser and OS
            ) 
        {
            session_regenerate_id();
            session_unset();
            session_destroy();
            return false;
        }
        return true;    // legit user
    }
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If the session identifier is regenerated every time there is a change in the level of privilege,
    the risk of session fixation is practically eliminated:

    session_regenerate_id()

    <?php
$_SESSION['logged_in'] = FALSE;
if (check_login())
{
session_regenerate_id();
$_SESSION['logged_in'] = TRUE;
}
?>

    I do not recommend regenerating the session identifier on every page.
    While this seems like a secure approach—and it is—it provides no more
    protection than regenerating the session identifier whenever there is
    a change in the level of privilege. More importantly, it can adversely
    affect your legitimate users, especially if the session identifier is
    being propagated in the URL. A user might use the browser’s history
    mechanism to return to a previous page, and the links on that page
    will reference a session identifier that no longer exists. If you
    regenerate the session identifier only when there is a change in the
    level of privilege, the same situation is possible, but a user who
    returns to a page prior to the change in the level of privilege is
    less likely to be surprised by a loss of session, and this situation
    is also less common.

    Have a look at http://phpsecurity.org/ch04.pdf for more information.

    • 0