Untitled

<?php

/*
  SecureSession class
  Written by Vagharshak Tozalakyan <vagh@armdex.com>
  Released under GNU Public License
*/

class SecureSession
{
    // Include browser name in fingerprint?
    var $check_browser = true;

    // How many numbers from IP use in fingerprint?
    var $check_ip_blocks = 0;

    // Control word - any word you want.
    var $secure_word = 'SECURESTAFF';

    // Regenerate session ID to prevent fixation attacks?
    var $regenerate_id = true;

    // Call this when init session.
    function Open()
    {
        $_SESSION['ss_fprint'] = $this->_Fingerprint();
        $this->_RegenerateId();
    }

    // Call this to check session.
    function Check()
    {
        $this->_RegenerateId();
        return (isset($_SESSION['ss_fprint']) && $_SESSION['ss_fprint'] == $this->_Fingerprint());
    }

    // Internal function. Returns MD5 from fingerprint.
    function _Fingerprint()
    {
        $fingerprint = $this->secure_word;
        if ($this->check_browser) {
            $fingerprint .= $_SERVER['HTTP_USER_AGENT'];
        }
        if ($this->check_ip_blocks) {
            $num_blocks = abs(intval($this->check_ip_blocks));
            if ($num_blocks > 4) {
                $num_blocks = 4;
            }
            $blocks = explode('.', $_SERVER['REMOTE_ADDR']);
            for ($i = 0; $i < $num_blocks; $i++) {
                $fingerprint .= $blocks[$i] . '.';
            }
        }
        return md5($fingerprint);
    }

    // Internal function. Regenerates session ID if possible.
    function _RegenerateId()
    {
        if ($this->regenerate_id && function_exists('session_regenerate_id')) {
            if (version_compare(phpversion(), '5.1.0', '>=')) {
                session_regenerate_id(true);
            } else {
                session_regenerate_id();
            }
        }
    }
}

?>

=============================
example index.php
<?php
  session_start();
  require_once '../securesession.class.php';
  $ss = new SecureSession();
  $ss->check_browser = true;
  $ss->check_ip_blocks = 2;
  $ss->secure_word = 'SALT_';
  $ss->regenerate_id = true;
  if (!$ss->Check() || !isset($_SESSION['logged_in']) || !$_SESSION['logged_in'])
  {
    header('Location: login.php');
    die();
  }
?>
<html>
<head>
<title>SecureSession Sample</title>
</head>
<body>
You are successfully logged in!
</body>
</html>

=======================
example login script:
<?php
  session_start();
  require_once '../securesession.class.php';
  $error = '';
  if (isset($_POST['uname']))
  {
    $uname = $_POST['uname'];
    $passwd = $_POST['passwd'];
    if ($uname == 'User' && $passwd == 'password')
    {
      $ss = new SecureSession();
      $ss->check_browser = true;
      $ss->check_ip_blocks = 2;
      $ss->secure_word = 'SALT_';
      $ss->regenerate_id = true;
      $ss->Open();
      $_SESSION['logged_in'] = true;
      header('Location: index.php');
      die();
    }
    else
    {
      $error = 'Incorrect username or password.';
    }
  }
?>

<html>
<head>
<title>SecureSession Sample</title>
</head>
<body>
<?php
  if (!empty($error))
  {
    echo $error;
  }
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
Username: <input type="text" name="uname" />
Password: <input type="password" name="passwd" />
<input type="submit" value="Log In" />
</form>
</body>
</html>