Web Hosting Talk






PDA

View Full Version : Binding sessions to client attributes

Saeven
09-23-2003, 05:39 PM
Hello Everyone,

I'd appreciate if we could get a little brainstorm going - experience as a better rule.

What method of binding sessions to clients do you use? There's the good old bind by IP, but on switching ISPs, the IP address is not always constant. I'm looking for a more universal approach that doesn't compromise security.

Anyone binding by PID? Any problems with this behavior?

Any other toss ups?

Looking forward to a good discussion.
Cheers.
A.
null
09-24-2003, 12:16 AM
Check ip, user-agent (browser), and time of last activity. If user was not active for 15 min, send him to login page.

Here is a simple PHP code:


<?php

function check_auth()
{
global $config;

$session = session_is_registered("username");
$ip = $_SESSION["ip_addr"] == $_SERVER["REMOTE_ADDR"];
$browser = $_SESSION["browser"] == $_SERVER["HTTP_USER_AGENT"];
$time = date("i", time() - $_SESSION["time"]) < $config["SESSION_EXPIRE_TIME"];
if(!session || !$ip || !$browser || !$time)
{
set_return();
send_to("?do=login");
return;
}
else
{
$_SESSION["time"] = time();
}
}

?>


You can also check screen resolution.

Good luck!
Saeven
09-24-2003, 06:26 PM
REMOTE_ADDR is not usable since browsers (AOL, MSN) etc change it on the fly. The rest are very weak sources of entropy and insecure.
null
09-24-2003, 06:35 PM
You can use following code to get ip address

Simple example


if($ip_address=getenv("http_client_ip"));
elseif($ip_address=getenv("http_x_forwarded_for"));
else{
$ip_address=getenv("remote_addr");
}
if($ip_address=="unknown"){
$ip_address=getenv("remote_addr");
}


Advanvnced example (taken from phpMyAdmin project)


function PMA_getIp()
{
global $REMOTE_ADDR;
global $HTTP_X_FORWARDED_FOR, $HTTP_X_FORWARDED, $HTTP_FORWARDED_FOR, $HTTP_FORWARDED;
global $HTTP_VIA, $HTTP_X_COMING_FROM, $HTTP_COMING_FROM;
global $HTTP_SERVER_VARS, $HTTP_ENV_VARS;

// Get some server/environment variables values
if (empty($REMOTE_ADDR)) {
if (!empty($_SERVER) && isset($_SERVER['REMOTE_ADDR'])) {
$REMOTE_ADDR = $_SERVER['REMOTE_ADDR'];
}
else if (!empty($_ENV) && isset($_ENV['REMOTE_ADDR'])) {
$REMOTE_ADDR = $_ENV['REMOTE_ADDR'];
}
else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['REMOTE_ADDR'])) {
$REMOTE_ADDR = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['REMOTE_ADDR'])) {
$REMOTE_ADDR = $HTTP_ENV_VARS['REMOTE_ADDR'];
}
else if (@getenv('REMOTE_ADDR')) {
$REMOTE_ADDR = getenv('REMOTE_ADDR');
}
} // end if
if (empty($HTTP_X_FORWARDED_FOR)) {
if (!empty($_SERVER) && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$HTTP_X_FORWARDED_FOR = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
else if (!empty($_ENV) && isset($_ENV['HTTP_X_FORWARDED_FOR'])) {
$HTTP_X_FORWARDED_FOR = $_ENV['HTTP_X_FORWARDED_FOR'];
}
else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'])) {
$HTTP_X_FORWARDED_FOR = $HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'];
}
else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['HTTP_X_FORWARDED_FOR'])) {
$HTTP_X_FORWARDED_FOR = $HTTP_ENV_VARS['HTTP_X_FORWARDED_FOR'];
}
else if (@getenv('HTTP_X_FORWARDED_FOR')) {
$HTTP_X_FORWARDED_FOR = getenv('HTTP_X_FORWARDED_FOR');
}
} // end if
if (empty($HTTP_X_FORWARDED)) {
if (!empty($_SERVER) && isset($_SERVER['HTTP_X_FORWARDED'])) {
$HTTP_X_FORWARDED = $_SERVER['HTTP_X_FORWARDED'];
}
else if (!empty($_ENV) && isset($_ENV['HTTP_X_FORWARDED'])) {
$HTTP_X_FORWARDED = $_ENV['HTTP_X_FORWARDED'];
}
else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED'])) {
$HTTP_X_FORWARDED = $HTTP_SERVER_VARS['HTTP_X_FORWARDED'];
}
else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['HTTP_X_FORWARDED'])) {
$HTTP_X_FORWARDED = $HTTP_ENV_VARS['HTTP_X_FORWARDED'];
}
else if (@getenv('HTTP_X_FORWARDED')) {
$HTTP_X_FORWARDED = getenv('HTTP_X_FORWARDED');
}
} // end if
if (empty($HTTP_FORWARDED_FOR)) {
if (!empty($_SERVER) && isset($_SERVER['HTTP_FORWARDED_FOR'])) {
$HTTP_FORWARDED_FOR = $_SERVER['HTTP_FORWARDED_FOR'];
}
else if (!empty($_ENV) && isset($_ENV['HTTP_FORWARDED_FOR'])) {
$HTTP_FORWARDED_FOR = $_ENV['HTTP_FORWARDED_FOR'];
}
else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['HTTP_FORWARDED_FOR'])) {
$HTTP_FORWARDED_FOR = $HTTP_SERVER_VARS['HTTP_FORWARDED_FOR'];
}
else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['HTTP_FORWARDED_FOR'])) {
$HTTP_FORWARDED_FOR = $HTTP_ENV_VARS['HTTP_FORWARDED_FOR'];
}
else if (@getenv('HTTP_FORWARDED_FOR')) {
$HTTP_FORWARDED_FOR = getenv('HTTP_FORWARDED_FOR');
}
} // end if
if (empty($HTTP_FORWARDED)) {
if (!empty($_SERVER) && isset($_SERVER['HTTP_FORWARDED'])) {
$HTTP_FORWARDED = $_SERVER['HTTP_FORWARDED'];
}
else if (!empty($_ENV) && isset($_ENV['HTTP_FORWARDED'])) {
$HTTP_FORWARDED = $_ENV['HTTP_FORWARDED'];
}
else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['HTTP_FORWARDED'])) {
$HTTP_FORWARDED = $HTTP_SERVER_VARS['HTTP_FORWARDED'];
}
else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['HTTP_FORWARDED'])) {
$HTTP_FORWARDED = $HTTP_ENV_VARS['HTTP_FORWARDED'];
}
else if (@getenv('HTTP_FORWARDED')) {
$HTTP_FORWARDED = getenv('HTTP_FORWARDED');
}
} // end if
if (empty($HTTP_VIA)) {
if (!empty($_SERVER) && isset($_SERVER['HTTP_VIA'])) {
$HTTP_VIA = $_SERVER['HTTP_VIA'];
}
else if (!empty($_ENV) && isset($_ENV['HTTP_VIA'])) {
$HTTP_VIA = $_ENV['HTTP_VIA'];
}
else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['HTTP_VIA'])) {
$HTTP_VIA = $HTTP_SERVER_VARS['HTTP_VIA'];
}
else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['HTTP_VIA'])) {
$HTTP_VIA = $HTTP_ENV_VARS['HTTP_VIA'];
}
else if (@getenv('HTTP_VIA')) {
$HTTP_VIA = getenv('HTTP_VIA');
}
} // end if
if (empty($HTTP_X_COMING_FROM)) {
if (!empty($_SERVER) && isset($_SERVER['HTTP_X_COMING_FROM'])) {
$HTTP_X_COMING_FROM = $_SERVER['HTTP_X_COMING_FROM'];
}
else if (!empty($_ENV) && isset($_ENV['HTTP_X_COMING_FROM'])) {
$HTTP_X_COMING_FROM = $_ENV['HTTP_X_COMING_FROM'];
}
else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['HTTP_X_COMING_FROM'])) {
$HTTP_X_COMING_FROM = $HTTP_SERVER_VARS['HTTP_X_COMING_FROM'];
}
else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['HTTP_X_COMING_FROM'])) {
$HTTP_X_COMING_FROM = $HTTP_ENV_VARS['HTTP_X_COMING_FROM'];
}
else if (@getenv('HTTP_X_COMING_FROM')) {
$HTTP_X_COMING_FROM = getenv('HTTP_X_COMING_FROM');
}
} // end if
if (empty($HTTP_COMING_FROM)) {
if (!empty($_SERVER) && isset($_SERVER['HTTP_COMING_FROM'])) {
$HTTP_COMING_FROM = $_SERVER['HTTP_COMING_FROM'];
}
else if (!empty($_ENV) && isset($_ENV['HTTP_COMING_FROM'])) {
$HTTP_COMING_FROM = $_ENV['HTTP_COMING_FROM'];
}
else if (!empty($HTTP_COMING_FROM) && isset($HTTP_SERVER_VARS['HTTP_COMING_FROM'])) {
$HTTP_COMING_FROM = $HTTP_SERVER_VARS['HTTP_COMING_FROM'];
}
else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['HTTP_COMING_FROM'])) {
$HTTP_COMING_FROM = $HTTP_ENV_VARS['HTTP_COMING_FROM'];
}
else if (@getenv('HTTP_COMING_FROM')) {
$HTTP_COMING_FROM = getenv('HTTP_COMING_FROM');
}
} // end if

// Gets the default ip sent by the user
if (!empty($REMOTE_ADDR)) {
$direct_ip = $REMOTE_ADDR;
}

// Gets the proxy ip sent by the user
$proxy_ip = '';
if (!empty($HTTP_X_FORWARDED_FOR)) {
$proxy_ip = $HTTP_X_FORWARDED_FOR;
} else if (!empty($HTTP_X_FORWARDED)) {
$proxy_ip = $HTTP_X_FORWARDED;
} else if (!empty($HTTP_FORWARDED_FOR)) {
$proxy_ip = $HTTP_FORWARDED_FOR;
} else if (!empty($HTTP_FORWARDED)) {
$proxy_ip = $HTTP_FORWARDED;
} else if (!empty($HTTP_VIA)) {
$proxy_ip = $HTTP_VIA;
} else if (!empty($HTTP_X_COMING_FROM)) {
$proxy_ip = $HTTP_X_COMING_FROM;
} else if (!empty($HTTP_COMING_FROM)) {
$proxy_ip = $HTTP_COMING_FROM;
} // end if... else if...

// Returns the true IP if it has been found, else FALSE
if (empty($proxy_ip)) {
// True IP without proxy
return $direct_ip;
} else {
$is_ip = ereg('^([0-9]{1,3}\.){3,3}[0-9]{1,3}', $proxy_ip, $regs);
if ($is_ip && (count($regs) > 0)) {
// True IP behind a proxy
return $regs[0];
} else {
// Can't define IP: there is a proxy but we don't have
// information about the true IP
return FALSE;
}
} // end if... else...
} // end of the 'PMA_getIp()' function


;)
Saeven
09-24-2003, 06:41 PM
The problem with forwarded for etc is that not all ISPs set proper ranges for proxies or operate proxy farms that will change and not necessarily remain within their class. I've seen nice ones that will keep to the first two quads, but I've seen worse. If possible to pull away from remote_addr that would be ideal!
Kattilyn
09-25-2003, 04:59 AM
I assume you want this functionality in order to allow clients to return to your site and remain logged in/using same session info/etc?

Going off IP address truly isn't possible. AOL, for instance, breaks all the suggestions above because it does not report forwarded-for, client-ip, etc, or anything of the sort -- and a single user on your site using AOL could end up coming from a dozen IP's in a single visit.. I hate AOL.. -- but also, what about a user coming in via a NAT gateway? You may have a dozen clients all coming in from one IP.

What you need to do is set up a session save handler (see session_set_save_handler on PHP.net) and your own functions for handling sessions, saving the information into a database -- set the session ID on the user's cookie, and poof, every time they access your site, they'll use the same session information - unique to that visitor.

If you need help, ICQ or AIM me, and I'll see if I can be more specific. We use such a solution on a site I administrate, so I have first-hand experience, and it does work quite well.