会话/cookie 用户定期退出

Question

My users have been getting logged out from my site. This happens when when someone logs in from another device. I looked into it and noticed someone from a remote IP has been able to log into my website as different users.

I do not know if I am intentionally being targeted, or if it is somehow an error in my code. I would like to know how to properly set up session cookies in a secure manner to prevent this from occurring.

1. My cookies are HTTP only

2. I also don't believe it is a man-in-the-middle attack, since multiple users from different areas are getting logged out . My website is SSL secured.

3. I don't believe it is a brute force attack. Sometimes when I log in, within 30 seconds I am logged out again and the remote IP is logged in.

4. I don't believe he has access to any passwords. Everything is hashed in the database and the only thing stored on the client is the session HTTP ONLY cookie token.

I am very stuck.

Here is my login script that checks the user's credentials and sets the session:

//database connection is $db_connect

//Creates a random String
function generateRandomString() {
    $length = rand(25, 30);
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString;
}

//Grab email, password, IP address
$email_attempt=strtoupper(preg_replace('#[^a-z0-9\.\@\_\-\+]#i', '', $_POST['e']));
$password_attempt=$_POST["p"];
$user_IP = preg_replace('#[^0-9.\:]#', '', getenv('REMOTE_ADDR'));


//Call the database
$sql = "SELECT password, userID FROM user_data WHERE email='$email_attempt' LIMIT 1";
$query = mysqli_query($db_connect, $sql);
if(mysqli_num_rows($query)>0)
{

    //Get the ID and hashed password from database
    while($row = $query->fetch_assoc()) {
        $password_db=$row["password"];
        $userID_db=$row["userID"];
    }


    //Verify Login using password verify
    if(password_verify($password_attempt, $password_db)==true){

        //remove any previous sessions for the user
        $sql = "DELETE FROM user_sessions WHERE userID='$userID_db'";
        $query = mysqli_query($db_connect, $sql);


        //Clear any current cookies from client
        if(isset($_COOKIE["user"]) && isset($_COOKIE["token"])) {
            setcookie("user", '', strtotime( '-5 days' ), '/');
            setcookie("token", '', strtotime( '-5 days' ), '/');
        }
        session_destroy();


        // Set Session data to an empty array
        $_SESSION = array();


        //create a new token, set new session and cookies 
        $token=generateRandomString();
        $_SESSION['user'] = $userID_db;
        $_SESSION['token'] = $token;
        setcookie("user", $userID_db, strtotime( '+3 days' ), "/", "", "", TRUE);
        setcookie("token", $token, strtotime( '+3 days' ), "/", "", "", TRUE);


        //Hash the token to store in the database
        $token_hash=password_hash($token, PASSWORD_DEFAULT);

        //Store session into database
        $sql = "INSERT INTO user_sessions 
            (userID, session_token, IP, loginDate) 
            VALUES 
            ('$userID_db','$token_hash','$user_IP', '$current_date')";

        $query = mysqli_query($db_connect, $sql);

        header("Location: dashboard.php");
    }

    else
    {
        echo 'wrong_credentials';
    }
}

Here is my code to evaluate a user and see if they are logged in by examining the session and cookies;

//start session
session_start();

$user_ok = false;
$clientID = "";
$token = "";
$user_IP = preg_replace('#[^0-9.\:]#', '', getenv('REMOTE_ADDR'));

if(isset($_SESSION["user"]) && isset($_SESSION["token"])) {
    //Get session
    $clientID = preg_replace('#[^a-z0-9]#i', '', $_SESSION['user']);
    $token = preg_replace('#[^a-z0-9]#i', '', $_SESSION['token']);


    // Verify the user with session data
    $user_ok = checkUser($db_connect,$clientID,$token,$user_IP);



} else if(isset($_COOKIE["user"]) && isset($_COOKIE["token"])){

    //Set session from cookie
    $_SESSION['user'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['user']);
    $_SESSION['token'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['token']);


    //Get session data
    $clientID =  preg_replace('#[^a-z0-9]#i', '', $_SESSION['user']);;
    $token =  preg_replace('#[^a-z0-9]#i', '', $_SESSION['token']);

    // Verify the user
    $user_ok = checkUser($db_connect,$clientID,$token,$user_IP);
} 




// User Verify function
function checkUser($db_connect,$user,$token,$ip){

    //Grab the session
    $sql = "SELECT session_token FROM user_sessions WHERE userID='$user' AND ip='$ip' LIMIT 1";
    $query = mysqli_query($db_connect, $sql);
    if(mysqli_num_rows($query)>0){

        $row=mysqli_fetch_row($query);

        $token_hashed=$row[0];

        //compare token given and hashed token
        if(password_verify($token,$token_hashed)==true)
        {
            return true;
        }

        else
        {
            return false;
        }
    } 

    else
    {
        return false;
    }
}

So my question: Is this code secure enough?

How can I be more secure?

Also if you have any idea of what is happening in this puzzle please let me know, as I am getting destroyed . Thank you in advance.

Answer 1

After some digging, I realized that the problem lies with trying to anchor a session to a single IP address.

We have CloudFlare running on our site, so getenv('REMOTE_ADDR') is sometimes returning CloudFlare's IP address instead of the client IP address. This was causing the logouts.

But I thought I could answer my own question based on the comments. To make the script more secure and stop periodic logouts, I should:

1. Always use prepared statements to protect against SQL injection
2. Don't tie sessions to IP addresses because they may change (especially if on mobile)

Occam's razor is the problem-solving principle that essentially states that simpler solutions are more likely to be correct than complex ones.