<?php
/*
SecureSession class
Written by Vagharshak Tozalakyan <vagh@armdex.com>
Released under GNU Public License
*/
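class SecureSession
{
    // Mix the User-Agent header into the fingerprint?
    public $check_browser = true;

    // How many leading dot-separated blocks of REMOTE_ADDR to mix into the
    // fingerprint (0 = none, capped at 4). Raising this logs out roaming
    // clients whose address prefix changes mid-session.
    public $check_ip_blocks = 0;

    // Control word prepended to the fingerprint - any string you want.
    public $secure_word = 'SECURESTAFF';

    // Regenerate the session ID on Open()/Check() to defeat session fixation?
    public $regenerate_id = true;

    // Call this when the session is established (e.g. right after a successful
    // login): records the client's fingerprint and rotates the session ID.
    public function Open()
    {
        $_SESSION['ss_fprint'] = $this->_Fingerprint();
        $this->_RegenerateId();
    }

    // Call this on every protected request. Returns true only when a
    // fingerprint was recorded by Open() and it still matches the client.
    //
    // NOTE: the fingerprint lives server-side and covers only what the client
    // sends (User-Agent, address prefix), so an attacker who steals the
    // session ID and matches those values still passes. Treat this as
    // defence in depth, not as a substitute for HttpOnly/Secure cookies.
    public function Check()
    {
        $this->_RegenerateId();
        if (!isset($_SESSION['ss_fprint']) || !is_string($_SESSION['ss_fprint'])) {
            return false;
        }
        $stored = $_SESSION['ss_fprint'];
        $current = $this->_Fingerprint();
        // Strict comparison: the original loose == treats two hex digests of
        // the form "0e<digits>" as equal numbers. hash_equals (PHP 5.6+) is
        // also constant-time; fall back to === on older runtimes.
        if (function_exists('hash_equals')) {
            return hash_equals($stored, $current);
        }
        return $stored === $current;
    }

    // Internal function. Returns the MD5 hex digest of
    // secure_word . [User-Agent] . [each selected IP block followed by '.'].
    // MD5 is acceptable here: the digest is a server-side equality token,
    // not a secret and not a password hash.
    public function _Fingerprint()
    {
        $fingerprint = $this->secure_word;
        if ($this->check_browser) {
            // A missing header (CLI, some proxies) contributes '' instead of a notice.
            $fingerprint .= isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        }
        if ($this->check_ip_blocks) {
            $num_blocks = min(abs(intval($this->check_ip_blocks)), 4);
            $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
            // array_slice bounds the walk by what is actually present, so an
            // IPv6 address (no dots, a single block) no longer reads past the
            // end of the array for every extra requested block.
            $blocks = array_slice(explode('.', $addr), 0, $num_blocks);
            foreach ($blocks as $block) {
                $fingerprint .= $block . '.';
            }
        }
        return md5($fingerprint);
    }

    // Internal function. Rotates the session ID when regenerate_id is on and a
    // session is active. On PHP >= 5.1 the old session data is deleted too,
    // so a previously captured ID stops resolving to this session.
    //
    // CAVEAT: Check() calls this on every request; with the old session
    // deleted, a concurrent request (AJAX, parallel tabs) still carrying the
    // previous ID finds no session and fails Check(). Set regenerate_id to
    // false and rotate only at login if that matters for your application.
    public function _RegenerateId()
    {
        if (!$this->regenerate_id || !function_exists('session_regenerate_id')) {
            return;
        }
        // Avoid the "session is not active" warning when called before
        // session_start() (session_status() exists from PHP 5.4).
        if (function_exists('session_status') && session_status() !== PHP_SESSION_ACTIVE) {
            return;
        }
        if (version_compare(phpversion(), '5.1.0', '>=')) {
            session_regenerate_id(true);
        } else {
            session_regenerate_id();
        }
    }
}
// No closing ?> tag: trailing whitespace after it would be sent as output
// and break header('Location: ...') calls in scripts that include this file.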
=============================
Example: index.php (a protected page)
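<?php
session_start();
require_once '../securesession.class.php';

// Must be configured identically to the login script; otherwise the stored
// fingerprint never matches and every visitor is bounced to login.php.
$ss = new SecureSession();
$ss->check_browser = true;
$ss->check_ip_blocks = 2;
$ss->secure_word = 'SALT_';
$ss->regenerate_id = true;

// Deny unless the fingerprint still matches AND the login flag was set.
if (!$ss->Check() || empty($_SESSION['logged_in'])) {
    // A failed fingerprint check may mean a hijacked or fixated session.
    // Wipe it instead of leaving it resumable, then send the client to log in.
    $_SESSION = array();
    session_destroy();
    header('Location: login.php');
    exit;
}
?>
<html>
<head>
<title>SecureSession Sample</title>
</head>
<body>
You are successfully logged in!
</body>
</html>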
=======================
Example: login.php (login script)
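<?php
session_start();
require_once '../securesession.class.php';

$error = '';
if (isset($_POST['uname'])) {
    $uname = $_POST['uname'];
    // A form post with the password field stripped must not raise a notice
    // or compare against null.
    $passwd = isset($_POST['passwd']) ? $_POST['passwd'] : '';

    // DEMO ONLY: hard-coded credentials. Real code keeps a password_hash()
    // value per user and checks it with password_verify().
    // Both inputs must be plain strings (uname[]=x would otherwise reach the
    // comparison as an array), and the comparison is strict / constant-time
    // rather than the loose == of the original.
    $ok = is_string($uname) && is_string($passwd)
        && $uname === 'User'
        && (function_exists('hash_equals') ? hash_equals('password', $passwd) : $passwd === 'password');

    if ($ok) {
        $ss = new SecureSession();
        $ss->check_browser = true;
        $ss->check_ip_blocks = 2;
        $ss->secure_word = 'SALT_';   // must match the value used by index.php
        $ss->regenerate_id = true;
        // Open() records the fingerprint and rotates the session ID, so an ID
        // planted before login (fixation) is not the one marked logged in.
        $ss->Open();
        $_SESSION['logged_in'] = true;
        header('Location: index.php');
        exit;
    } else {
        $error = 'Incorrect username or password.';
    }
}
?>
<html>
<head>
<title>SecureSession Sample</title>
</head>
<body>
<?php
if (!empty($error)) {
    // Escape on output even for a constant message, so later edits stay safe.
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
}
?>
<form method="post" action="<?php
    // PHP_SELF reflects the request path back to the client; unescaped it is
    // a well-known reflected-XSS sink, so escape it for the attribute context.
    echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>">
Username: <input type="text" name="uname" />
Password: <input type="password" name="passwd" />
<input type="submit" value="Log In" />
</form>
</body>
</html>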