How to properly end a user session?

I have been working on securing my site (PHP) and there was a lot of information to swallow. I tried to implement the security measures I researched on OWASP, but one thing I'm a little nervous about, among other things, is how to handle SESSIONS when a user logs out.

Currently, all I use is:

session_destroy();

But I read that I have to change the XSRF token and start another SESSION to force the user to re-enter their credentials, thereby clearly ending the user's SESSION.

Is session_destroy() enough?

EDIT

I downloaded michael-the-messenger, which I think was created by Michael Rook and should be VERY safe, and I saw some code that I can use. Is this something I can safely use to replace the session_destroy() that I'm using?

CODE

if($_SESSION['user']->isAuth())
{
    /* if they have clicked log out */
    /* this will kill the session */
    // isset() avoids an undefined-index notice on requests without the field
    if(isset($_POST['LogMeOut']) && $_POST['LogMeOut'] == 'true')
    {
        //When the user logs out the xsrf token changes.
        $tmp_xsrf = $_SESSION['user']->getXsrfToken();
        $_SESSION['user']->logout();
        $loginMessage = str_replace($tmp_xsrf, $_SESSION['user']->getXsrfToken(), $loginMessage);
        print layout('Authorization Required', $loginMessage);
    }
    else
    {
        header("Location: inbox.php");
        //user is allowed access.
    }
}
else
{
    // code goes on .... (rest of the file not shown)
}

LOGOUT

public function logout()
{
    $_SESSION['user'] = new auth();
}

Obviously $_SESSION['user'] = new auth(); recreates an object that sets the private variable $auth to false.

+5
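A complete logout routine for the case the question describes, added here as an example; it is my code, not the question's and not from michael-the-messenger. It assumes PHP 7.3 or later with cookie-based sessions (the PHP default), keeps the CSRF token under $_SESSION['csrf_token'], and the field, key and page names (LogMeOut, csrf_token, login.php) are placeholders of my own. The logout() function performs the three steps of the PHP manual's session_destroy() example (clear the data, expire the cookie with the attributes it was issued with, destroy the server-side record); the login side regenerates the session id against fixation and rotates the token.

```php
<?php
// Added example (my code, not the question's nor michael-the-messenger's).
// Assumes PHP 7.3+ with cookie-based sessions (the default) and stores the
// CSRF token under $_SESSION['csrf_token']; all key and page names are mine.

/** Start or resume the session with hardened cookie settings; call before any output. */
function secure_session_start()
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);
    session_start();
}

/** Replace the CSRF token with a fresh random one and return it. */
function rotate_csrf_token()
{
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

/** Return the session's CSRF token, minting one if none exists yet (for forms). */
function csrf_token()
{
    if (empty($_SESSION['csrf_token'])) {
        rotate_csrf_token();
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time check of a submitted token against the session's. */
function csrf_token_is_valid($submitted)
{
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

/** After the credential check passes: new id against fixation, new token, minimal state. */
function on_login_success($userId)
{
    session_regenerate_id(true);       // true = discard the pre-login session record
    $_SESSION = ['user_id' => $userId];
    rotate_csrf_token();
}

/** Full logout, following the PHP manual's session_destroy() example. */
function logout()
{
    // 1. Clear the session data held for this request.
    $_SESSION = [];

    // 2. Expire the client's cookie using the same attributes it was set with;
    //    otherwise the browser keeps sending the old id and the cookie lingers.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 3. Remove the server-side record so the old id cannot be replayed.
    session_destroy();
    // The next request (the login page) gets a brand-new session and a new
    // CSRF token from secure_session_start() + csrf_token().
}

// Constructed sketch of the logout endpoint: the form carries the token, so a
// cross-site page cannot log the user out either.
secure_session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['LogMeOut'])) {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    logout();
    header('Location: login.php');
    exit;
}
```

Two points worth checking in your own code: session_destroy() alone leaves the browser's cookie in place and leaves $_SESSION populated for the rest of the request, which is why steps 1 and 2 exist; and session.use_strict_mode makes PHP reject a destroyed id instead of silently re-creating a session under it.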
2 answers

but one thing that I'm a little nervous about, among other things, is how to handle SESSIONS when the user logs out.

According to the manual:

, , . cookie session id ( ), cookie . setcookie().

, , .

session_destroy() setcookie(session_name(), null, time() - 86400) .

,

:

. $_SESSION , serialize/unserialize , .

1) $_SESSION, . $_SESSION - , .

2) , , . .

? ,

  • ,
  • ( ), $_SESSION['foo'], $session->read['foo']
  • (, ), .
  • . ( ).

, :

$session = new SessionStorage();

$session->write( array('foo' => 'bar') );

if ( $session->isValid() === TRUE ) {
    echo $session->read('foo'); // bar
} else {
    // Session hijack. Handle here
}

// To totally destroy a session:
$session->destroy();

// if some part of your application requires a session, then just inject an instance of `SessionStorage`
// like this (Profile stands for any class of yours that takes the storage as a dependency):
$user = new Profile($session);


// Take this implementation as example:

final class SessionStorage
{
    public function __construct()
    {
        // Don't start again if session is started:
        if ( session_id() == '' ) {
            session_start();
        }

        // Keep initial values: only on the first request of the session,
        // otherwise isValid() would compare the current values with themselves
        if ( ! isset($_SESSION['HTTP_USER_AGENT'], $_SESSION['REMOTE_ADDR']) ) {
            $_SESSION['HTTP_USER_AGENT'] = $this->userAgent();
            $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
        }
    }

    /**
     * The User-Agent header may be absent; treat a missing header as ''
     */
    private function userAgent()
    {
        return isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    }

    /**
     * You can prevent majority of hijacks using this method
     * 
     * @return boolean TRUE if session is valid
     */
    public function isValid()
    {
        return isset($_SESSION['HTTP_USER_AGENT'], $_SESSION['REMOTE_ADDR'])
            && $_SESSION['HTTP_USER_AGENT'] === $this->userAgent()
            && $_SESSION['REMOTE_ADDR'] === $_SERVER['REMOTE_ADDR'];
    }

    public function __destruct()
    {
        session_write_close();
    }

    /**
     * Fixed session_destroy()
     * 
     * @return boolean
     */
    public function destroy()
    {
        // Clear the data still held for this request
        $_SESSION = array();

        // Erase the session cookie on client side, using the same
        // path/domain/flags it was issued with so the browser matches it
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);

        // Erase on the server
        return session_destroy();
    }

    public function write(array $data)
    {
        foreach($data as $key => $value) {
            $_SESSION[$key] = $value;
        }
    }

    /**
     * TRUE only if every key passed as an argument exists in the session
     */
    public function exists()
    {
        foreach(func_get_args() as $arg){
            if ( ! array_key_exists($arg, $_SESSION) ){
                return false;
            }
        }

        return true;
    }

    public function read($key)
    {
        if ( $this->exists($key) ){
            return $_SESSION[$key];
        } else {
            throw new RuntimeException('Cannot access non-existing var ' .$key);
        }
    }
}
+2
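The answer above binds the session to the User-Agent and the client IP. As an added example that is not part of that answer, the following code takes the same idea further: it keys the fingerprint with a server secret, adds an idle timeout, an absolute lifetime and periodic id rotation, and keeps the decision logic in a pure function so it can be unit-tested without a live session. SESSION_FP_SECRET and the '_fp', '_created', '_last' and '_rotated' keys are placeholders of my own, and the limits are arbitrary sample values. Client IP is deliberately left out of the fingerprint: users on mobile networks and behind load-balanced proxies change address mid-session, so IP binding produces false logouts while the User-Agent check costs nothing.

```php
<?php
// Added example, not part of the answer above. Assumes the session has been
// started and that a server-side secret is available as SESSION_FP_SECRET
// (a constructed placeholder; load it from configuration in real code).
const SESSION_FP_SECRET    = 'replace-with-a-random-32-byte-secret';
const SESSION_IDLE_LIMIT   = 15 * 60;       // seconds of inactivity before invalidation
const SESSION_MAX_LIFE     = 8 * 60 * 60;   // absolute lifetime regardless of activity
const SESSION_ROTATE_EVERY = 5 * 60;        // rotate the session id this often

/** Fingerprint of request properties that should stay constant for one client. */
function session_fingerprint(array $server)
{
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    // Keyed hash: a copied session file does not reveal the raw header and
    // the stored value cannot be forged without the server secret.
    return hash_hmac('sha256', $ua, SESSION_FP_SECRET);
}

/** Bind the current session to this client; call once, right after login. */
function session_bind(array $server, $now)
{
    $_SESSION['_fp']      = session_fingerprint($server);
    $_SESSION['_created'] = $now;
    $_SESSION['_last']    = $now;
    $_SESSION['_rotated'] = $now;
}

/**
 * Decide whether the session in $session may continue. Returns one of
 * 'ok', 'unbound', 'fingerprint', 'idle', 'expired'. Pure function: it reads
 * only its arguments, so it can be tested with constructed arrays.
 */
function session_check(array $session, array $server, $now)
{
    if (!isset($session['_fp'], $session['_created'], $session['_last'])) {
        return 'unbound';
    }
    if (!hash_equals($session['_fp'], session_fingerprint($server))) {
        return 'fingerprint';
    }
    if ($now - $session['_last'] > SESSION_IDLE_LIMIT) {
        return 'idle';
    }
    if ($now - $session['_created'] > SESSION_MAX_LIFE) {
        return 'expired';
    }
    return 'ok';
}

/** Per-request guard: validate, then touch and rotate; false means "log in again". */
function session_guard($now)
{
    $verdict = session_check($_SESSION, $_SERVER, $now);
    if ($verdict !== 'ok') {
        error_log('session rejected: ' . $verdict);   // a signal for monitoring, not only for the UI
        $_SESSION = array();
        session_destroy();
        return false;
    }
    $_SESSION['_last'] = $now;
    if ($now - $_SESSION['_rotated'] > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);   // shortens the window in which a leaked id is useful
        $_SESSION['_rotated'] = $now;
    }
    return true;
}

// Usage sketch on a protected page:
// session_start();
// if (!session_guard(time())) { header('Location: login.php'); exit; }
```

Logging the rejection reason is the part most often left out: a burst of 'fingerprint' rejections for one account is the kind of event a monitoring rule can alert on, whereas a silent redirect to the login page hides it.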

, session_unset() - , .

-2
