<?php
/*
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * |S|E|S|S|I|O|N| |S|E|C|U|R|I|T|Y|
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * License: https://s.arciszewski.me/public/WTFPL.txt
 *
 * This script should make it very difficult for an attacker to predict,
 * control, or intercept your visitors' session IDs and log in as them.
 *
 * First, it forces the configuration to only transmit cookies over HTTPS,
 * mark cookies as httponly (so the web browser will not expose their
 * contents to JavaScript, where they could be stolen in XSS attacks), and use
 * plenty of entropy in the session ID. It also specifies a 512-bit hash
 * function and 6 bits per character to reduce the length of the cookie
 * without sacrificing precious entropy.
 *
 * Next, it checks whether $_SESSION['birth'] is defined. If it isn't, it
 * wipes every value in $_SESSION, then regenerates the ID and sends the new
 * session ID back to the user.
 *
 * From that point forward, every 30 minutes, your users' session IDs will
 * be recycled and the old ones erased.
 *
 * REQUIREMENTS:
 * - HTTPS (get a free certificate for your domain name from startssl.com)
 *
 * ISSUES:
 * - On first page load, the script will always generate two IDs. The first
 *   is discarded because $_SESSION['birth'] is not defined. This should not
 *   be a major performance issue.
 */
ini_set("session.cookie_httponly", "On"); // No JavaScript access to the cookie
ini_set("session.cookie_secure", "On"); // HTTPS only!
// Note: the four settings below were removed in PHP 7.1; newer versions use
// session.sid_length and session.sid_bits_per_character instead.
ini_set("session.entropy_length", "64"); // 512 bits
ini_set("session.hash_function", "sha512"); // 512-bit hash function
ini_set("session.hash_bits_per_character", "6"); // 6 bits/character
ini_set("session.entropy_file", "/dev/urandom");
# Note: You should probably edit your php.ini if possible to enforce these values
# rather than reset them at runtime. It will reduce overhead.

session_start();
if (empty($_SESSION['birth'])) {
    if (!empty($_SESSION)) {
        foreach ($_SESSION as $i => $v) {
            unset($_SESSION[$i]); // Goodbye
        }
    }
    $_SESSION['birth'] = time();
    session_regenerate_id(true); // New ID; the old session data is deleted
} else {
    if (time() - $_SESSION['birth'] > 1800) {
        // 30 minutes later, new ID
        session_regenerate_id(true);
        // Restart the clock; without this the ID would be regenerated on
        // every request after the first 30 minutes, not once per 30 minutes.
        $_SESSION['birth'] = time();
    }
}

######################################################################
# Notice: For your logout script, make sure you do the following:    #
######################################################################
/*
foreach ($_SESSION as $i => $v) {
    unset($_SESSION[$i]); // Just in case
}
session_destroy();
header("Location: /");
exit;
*/
?>
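The same hardening for PHP 7.3 and later, as an added example that is not part of the paste: the entropy_* and hash_* settings above were removed in PHP 7.1, so this version uses session.sid_length and session.sid_bits_per_character, adds strict mode and a SameSite cookie, and keeps the 30-minute rotation (the function names and SESSION_MAX_AGE are this example's own).

```php
<?php
// Added example, not the paste's code: session hardening on PHP 7.3+.
// harden_session_config(), rotate_session_id() and SESSION_MAX_AGE are
// names chosen for this example, not a library API.

const SESSION_MAX_AGE = 1800; // rotate the ID every 30 minutes, as above

function harden_session_config(): void
{
    // Reject session IDs the server never issued (defeats session fixation).
    ini_set('session.use_strict_mode', '1');
    // Identify the session by cookie only, never by a URL parameter.
    ini_set('session.use_only_cookies', '1');
    // Replacement for entropy_length / hash_function / hash_bits_per_character:
    // 48 characters at 6 bits each gives a 288-bit session ID.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');
    // Must run before session_start(); array form needs PHP 7.3+.
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
}

// Returns true when the session ID was (re)generated during this call.
// $now is passed in so the rotation decision does not depend on the real clock.
function rotate_session_id(int $now, int $maxAge = SESSION_MAX_AGE): bool
{
    if (empty($_SESSION['birth'])) {
        $_SESSION = [];            // a session without a birth time is untrusted
        $_SESSION['birth'] = $now;
        session_regenerate_id(true); // new ID, old session data deleted
        return true;
    }
    if ($now - $_SESSION['birth'] > $maxAge) {
        session_regenerate_id(true);
        $_SESSION['birth'] = $now; // restart the clock: periodic, not per-request
        return true;
    }
    return false;
}

harden_session_config();
session_start();
rotate_session_id(time());
```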