带有 user_id 和 user_agent 标识符的 PHP 会话

Question

What's up guys,

I'm creating a log in system now and I want to secure for session hijacking (I read it up on the PHP Security Consortium website). I have one problem though, I use the session variable to store the user_id, so that I can load the right content from the database when it's needed. However, instead of a session that looks like for example '58', and 58 is the user_id, it now looks like:

585C2reaY2wXT9bR92hgtQnXlcKcxBtWqa8DArzgElQv69L3JgYoO96Ra8CbXHz518Z9ltKn3fK0tL3C2nMbFXdUr8T0HWUHZGgYOsvx2eNTf3JuMlKi/cTTqpqDLGuXtBEa+cgKhgxXgh9QviFgbc50Js/vbpTZ4BmKArgt4kvQE= 

The first two numbers, the 58, is the user_id. The rest is the user agent of the logged in user which is encrypted.

My question is, how can I separate the user_id from the encrypted user_agent to use the user_id to do all the right SQL queries and load the right data? So the session identifier at the top, I have to cut it in two pieces, the first piece is the user_id, the second piece the encrypted user_agent.

Answer 1

You would need to slightly modify your session to do something along the lines of the following.

58:5C2reaY2wXT9bR92hgtQnXlcKcxBtWqa8DArzgElQv69L3JgYoO96Ra8CbXHz518Z9ltKn3fK0tL3C2nMbFXdUr8T0HWUHZGgYOsvx2eNTf3JuMlKi

Note the : I added after the user id.

Then you would do something like the following to grab the user id portion of that string

$str = substr($string, 0, strpos($string, ":"));

Answer 2

Use any character out of the possible ones in user_id. It looks to me that any non-numeric character might fit. Then split up to it. Here is an example with "=" as a separator:

$user_agent = base64_decode(substr($string, 0, strpos($string, "=")));

Note that base64 is not encryption, it is a simple encoding.

Answer 3

I suggest doing the following

Upon settings the session variable, you need to do this..

$user_id = 1299429; // example
// Generate the session variable with the user agent and set it
// In another session variable, save the length of the user_id so
$_SESSION['user_id_length'] = strlen($user_id);

Then upon seperating it, you can do the following

$user_id = substr($encrypted, 0, $_SESSION['user_id_length']);

Answer 4

You can try this code. It will take the first two characters

$str = substr($string, 0, 2);

where $string is your long encrypted string. This will return the string starting at the first character, and taking two characters. Or if you know the length of your encryption, for example 64 characters.

$enc_length = 64;
$userid_length = strlen($_SESSION['variables']) - $enc_length;
$userid  = substr($string, 0, $userid_length);