Hello all,
I am typing a little login script in PHP and I am looking for ideas. When a user passes the username/password I want to save the session in a DB with information about the user, like what his IP is and what browser he was on when he logged in, so I can compare it with the information when he jumps around on the page.
For now I have IP and browser saved. Is there anything else I could use to authenticate that it is the same person?
I hope you understand what I mean. Thanks in advance.
Well, his browser won't change from page to page, but... anyway, the majority of the information you're interested in is stored in the $_SERVER superglobal array.
OK, after reading around a bit I decided that I will only save the user's IP address when he logs in and starts his logged-in session. But here is the thing: I can't use the entire IP, as many have dynamic IPs, as many know, so I will only save the first 5 digits of the IP, as the first numbers usually don't change even if it is dynamic.
So here comes a question about what takes more power. As this will be in a table with maybe many thousands of logged-in users at the same time, I want it to be fast, so here are two scenarios.
1: I take the IP, let's say 52.522.52.52, and run a preg_replace to remove the dots (.).
$ip = preg_replace("/[^0-9]/","",$ip);
I do this so I can save the value as an INT instead of a VARCHAR, as I read this is faster when it comes to DBs.
When I now have my value 525225252 I will only take the 5 first digits. As I said, the last ones can change a lot and give the user a bad browsing experience, being logged out in the middle of a session.
So I do a substr():
substr('525225252', 0, 5);
So I end up with the value 52522. The value 52522 will then be saved in the DB with a timer, user ID, etc.
The preg_replace and substr will be done on every page view to check that the IP is still the same as it was when the user logged in.
2: Just save the IP 52.522 as a VARCHAR in the DB (just check for the second dot instead), save it to the DB and compare on each page view.
I really hope you understand what I am talking about here, hehe. If you have better ideas please share.
User IP: 18.104.22.168
Strip the dots: 1212322112
What was the user's original IP? 22.214.171.124? 126.96.36.199? Both of these IPs would return the same result.
You could pad-then-store: explode over "." then str_pad each value to ensure it's 3 digits long (since all IPv4 address segments are limited to the range 0-255), and store that.
Or you could convert each value to its 8-bit equivalent, slam them all together, and come up with a true int (which would have the benefit of not having to check for leading 0s)...
I'm not sure WHY you want to do this, though. Are you trying to persist a login beyond the session? Use a cookie.
First of all, let me point out that I maybe know HOW to program, but I lack the experience in WHICH way I should program, so I am just learning the ropes.
So I am on a shared host, and I read about session hijacking on shared hosts, and saving the IP seems to be a valid way to make sure that the user that created the session is the same person using it.
And to protect against cookies being used by different people, being stolen etc., saving the first digits of the IP would make sure that the person using the session or the cookies is the same person that made them, you understand? If not, please say so and I will try to explain better.
Thanks for any help.
Saving the IP is only worse.
IP range: 1-254 for each block.
You're looking at the Level B IP. (First two segments).
So you've just said that 64,516 different IPs all belong to this one user.
What if Joe Blow's neighbor goes to your site? He's got the same Level-B IP address as Joe. Your site then says... Neighbor = Joe. 'Session' successfully hijacked without even trying.
Stick to session-and-cookie-based management. It's far less likely that Joe Blow's neighbor stole his computer and duplicated his cookie.
But I will of course use the regular session checks as one always does. I thought I explained that, sorry if I missed it somehow. I didn't mean that the IP would be the only check; it would only be a second check for the session.
So what I just said was that I would narrow it down to 64,516 different IPs to even be able to hijack it, instead of the entire world.
Then you should already understand one of the most basic rules of programming: if it isn't broken, don't fix it. PHP session handling is fine as is, has about 10 years of hard testing behind it and is going to be far more secure than anything you'll come up with.
That's it. You do not need to store sessions in the database nor should you without a specific reason. If you wish to track visitor information you can, but that's a separate issue from sessions.
I read on the internet that saving the IP with the sessions makes the sessions safer, for example here.
Just something Google told me:
maintain the client IP in the session when the user logs in; for every request after logging in, check if the requests are coming from the same IP
Set a short session timeout, so that if left idle for a while the session times out automatically.
And I read somewhere else that saving the IP in a table, rather than in a session var, is better.
Should I assume that the last is wrong then? Should I just save the IP in the session?
You can use ip2long() to convert IPs. And then mask off the last 2 octets before you store it in the DB.
$ip_l = ip2long( $ip ) & 0xFFFF0000;
Then the IP won't be ambiguous, as StarLion pointed out. long2ip() will convert it back to a string.
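The pieces above (StarLion's point that stripping the dots is ambiguous, the suggestion to pack the octets with ip2long() and mask off the last two, and the "store the IP in the session at login, check it on every request, add an idle timeout" advice quoted earlier) combined into one working sketch. This is an added example, not code from anyone in the thread; it assumes 64-bit PHP (where ip2long() returns a non-negative int, so the 0xFFFF0000 mask behaves), that session_start() has already run, and that the caller passes $_SESSION and $_SERVER['REMOTE_ADDR'] in. The function names, the 15-minute idle limit and the sample addresses are all made up for the illustration.

```php
<?php
// Added example (not from the thread). Assumes 64-bit PHP and an already
// started session; caller passes $_SESSION and $_SERVER['REMOTE_ADDR'] in.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 900; // hypothetical 15-minute idle limit

// Normalise an IPv4 address to its /16 prefix as an unambiguous integer.
// Stripping the dots collides: "1.23.45.67" and "12.34.56.7" both become
// "1234567". ip2long() packs each octet into its own 8 bits, so every
// address maps to a distinct int, and & 0xFFFF0000 keeps only the first two
// octets. Returns null for anything that is not dotted-quad IPv4 (IPv6,
// garbage), so callers can choose to skip the check instead of locking out.
function ipv4_prefix16(string $ip): ?int
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $long = ip2long($ip);
    if ($long === false) {
        return null;
    }
    return $long & 0xFFFF0000;
}

// Human-readable form of a stored prefix, e.g. 0x12680000 -> "18.104.0.0".
function prefix16_to_string(int $prefix): string
{
    return long2ip($prefix);
}

// Called once, right after the password check succeeds.
function bind_session_on_login(array &$session, int $userId, string $remoteAddr, int $now): void
{
    $session['user_id']   = $userId;
    $session['ip_prefix'] = ipv4_prefix16($remoteAddr); // null if not IPv4
    $session['last_seen'] = $now;
}

// Called on every request. Returns true if the session is still acceptable;
// $reason tells the caller why it was rejected so it can be logged.
function session_is_valid(array &$session, string $remoteAddr, int $now, ?string &$reason = null): bool
{
    if (!isset($session['user_id'], $session['last_seen'])) {
        $reason = 'not logged in';
        return false;
    }
    if ($now - $session['last_seen'] > IDLE_TIMEOUT_SECONDS) {
        $reason = 'idle timeout';
        return false;
    }
    // Compare prefixes only when one was recorded at login AND the current
    // request is IPv4; otherwise skip the check rather than break IPv6 or
    // proxied users (the caveats raised later in the thread).
    $stored  = $session['ip_prefix'] ?? null;
    $current = ipv4_prefix16($remoteAddr);
    if ($stored !== null && $current !== null && $current !== $stored) {
        $reason = 'ip prefix changed from ' . prefix16_to_string($stored)
                . ' to ' . prefix16_to_string($current);
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Self-check with constructed addresses (not real users or real traffic).
$s = [];
bind_session_on_login($s, 42, '18.104.22.168', 1000);
var_dump(session_is_valid($s, '18.104.200.1', 1100, $why));  // bool(true): same /16
var_dump(session_is_valid($s, '18.105.22.168', 1200, $why)); // bool(false)
echo $why, "\n";                                             // ip prefix changed from 18.104.0.0 to 18.105.0.0

$t = [];
bind_session_on_login($t, 42, '18.104.22.168', 1000);
var_dump(session_is_valid($t, '18.104.22.168', 1901, $why)); // bool(false)
echo $why, "\n";                                             // idle timeout

// Typical request handling (not executed here):
// if (!session_is_valid($_SESSION, $_SERVER['REMOTE_ADDR'], time(), $why)) {
//     session_unset(); session_destroy(); header('Location: /login'); exit;
// }
```

Two design points worth noting. The prefix lives in $_SESSION rather than a separate table, since PHP's session store is already keyed by the cookie the attacker would have to steal; a separate table adds a lookup per request and gains nothing. And the check is skipped, not failed, when either address is not IPv4, because ip2long() returns false for IPv6 and a hard failure there would log out every IPv6 client.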
Remember, there's a lot of old crap on google, and even more wrong crap. The only reason to save session information into the database is if you are using multiple webservers against a load balancer. Even then, session handling via the database for the most part is only found as a legacy feature in applications that had to run under PHP 4.2
We are on 5.3!
Storing the IP and using it for additional validation does little to further harden your site, but it will create problems for any user using a proxy. With the IPv4 address space pretty much exhausted, this is going to become more and more common. Speaking of which, anything you write to deal with IPv4 addresses will fail rather spectacularly when IPv6 becomes the more common protocol in the next decade.
Also keep in mind security runs both ways. There are ISPs that protect their users by deliberately rotating their clients' IP addresses on EVERY request they make in order to thwart tracking software and disrupt certain worms and viruses. For a user with such an ISP your site won't work.
I have to agree on the IP. I read up on it and it seems to change too much.
But I can't agree when you say that sessions are safe as they are and I should do nothing to make them more secure.
And I can't say your sarcasm helps a lot. Should I guess you are trolling?
I don't see any sarcasm in that post at all.
I really don't know what you are seeking if you think I'm trolling or are reading sarcasm into that post. I do know that with that attitude you've secured a place on my ignore list; I don't have time for crap attitudes from people appealing for help.