我有一个管理会话的课程" sessionManager" (开始新会话,恢复会话,验证会话......)
用户登录的第一步是创建3个会话变量,以确保我对会话劫持进行身份验证
$_SESSION['MA_IP_ADDRESS'] = $this->user_ip;
$_SESSION['MA_USER_AGENT'] = $this->user_agent;
$_SESSION['MA_IDLE_TIMEOUT'] = $this->current_time + $this->max_session_idle_time;
然后在登录后的每个页面上,我检查以确保会话中存储的IP与当前用户IP地址相同。另外,我检查user_agent以确保它与当前user_agent信息相同或者user_agent等于" Shockwave Flash"在上传文件时解决闪光问题。
这就是我所做的验证信息
if( $_SESSION['MA_IP_ADDRESS'] != $this->user_ip )
---------
if( $_SESSION['MA_USER_AGENT'] != $this->user_agent && $this->user_agent != 'Shockwave Flash' )
------
我遇到的问题是,当我使用uplodify将文件上传到我的服务器时,发现3个会话变量(MA_IP_ADDRESS, MA_USER_AGENT, MA_IDLE_TIMEOUT)未设置,因此我总是得到用户未经过身份验证。
我不知道为什么在我使用uplodify时没有设置这些变量,但是它们是通过网站设置的。
如何让uplodify传递所有会话变量(MA_IP_ADDRESS, MA_USER_AGENT, MA_IDLE_TIMEOUT)?
我刚购买了非Flash版本Uplodifive,我仍然遇到同样的问题。
以下是我的sessionManager课程供参考
<?php
class sessionManager {
private $db;
private $user_id;
private $user_ip;
private $user_agent;
private $autherizedUser = false;
private $cookie_name;
private $current_session_id;
private $max_session_idle_time = SESSION_KEEP_ALIVE;
private $current_time;
public function __construct($name, $limit = 0, $path = '/', $domain = null, $secure = null){
// Set the cookie name
session_name($name);
//assign the cookie name that will be used for the session
$this->cookie_name = $name;
//get the current time
$this->current_time = time();
if(isset($_SERVER['REMOTE_ADDR']))
$this->user_ip = $_SERVER['REMOTE_ADDR'];
if(isset($_SERVER['HTTP_USER_AGENT']))
$this->user_agent = $_SERVER['HTTP_USER_AGENT'];
// Set SSL level
$https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
//set the session storage to point custom method
session_set_save_handler(
array($this, "open"),
array($this, "close"),
array($this, "read"),
array($this, "write"),
array($this, "delete"),
array($this, "garbageCollector")
);
//Set session cookie options
session_set_cookie_params($limit, $path, $domain, $https, true);
//if there is no IP detected - make it invalid
if( empty($this->user_ip) || empty($this->user_agent) ){
echo 'Invalid Request!!!';
exit();
}
}
/*
* This function resume existing session
*/
public function resumeSession($keepAlive = true){
// Make sure the session hasn't expired, and destroy it if it has
if( $this->isValidSession() ){
//grab the current session_id
$this->current_session_id = session_id();
if($this->isHijacking()){
error_log('Hijacking attempt!!!!!!!!!!!!!!');
$this->destroy();
} else {
//reset the idle time out
if($keepAlive === true)
$_SESSION['MA_IDLE_TIMEOUT'] = $this->current_time + $this->max_session_idle_time;
$this->autherizedUser = true;
}
} else
error_log('Something went wrong!!!!!!!!');
}
public function isAutherized(){
return $this->autherizedUser;
}
public function currentSessionID(){
return $this->current_session_id;
}
/*
* This function set a session key
*/
public function setSession($name, $val = NULL){
if(session_status() !== PHP_SESSION_ACTIVE )
session_start();
$_SESSION[$name] = $val;
}
/*
* This function get a session's key value
*/
public function getSession($name){
if( isset($_SESSION[$name]) )
return $_SESSION[$name];
else
return null;
}
//public function getRemainingTime(){
// return $this->timeLeftBeforeIdle;
//}
public function getRemainingTime(){
$session_time = $this->current_time;
//resume session without updating the idle time
$this->resumeSession(false);
if(isset($_SESSION['MA_IDLE_TIMEOUT']))
$session_time = $_SESSION['MA_IDLE_TIMEOUT'];
return ($session_time - $this->current_time) < 1 ? 0 : ($session_time - $this->current_time);
}
/*
* This function starts a new session - on the login
* @userid is the logged in user id
*/
public function startNewSession($userid){
//Set the user id
$this->user_id = $userid;
$new_session_id = $this->generateSessionID();
session_id($new_session_id);
//grab the current session_id
$this->current_session_id = $new_session_id;
session_start();
$this->setSessionValues();
if(!empty($this->user_id))
$this->autherizedUser = true;
}
/*
* This function destroy existing session
*/
public function destroy(){
if(session_id() == '' )
session_start();
$this->autherizedUser = false;
session_unset();
session_destroy();
unset($_COOKIE[$this->cookie_name]);
}
/**
* This function set a new values to the session
*/
private function setSessionValues(){
$_SESSION = array();
//set the IP address info
$_SESSION['MA_IP_ADDRESS'] = $this->user_ip;
//$this->setSession('MA_IP_ADDRESS', $this->user_ip);
// save the agent information
$_SESSION['MA_USER_AGENT'] = $this->user_agent;
//$this->setSession('MA_USER_AGENT', $this->user_agent);
//set the idle timeout
$_SESSION['MA_IDLE_TIMEOUT'] = $this->current_time + $this->max_session_idle_time;
}
/*
* This function check if the current session is valid or not
*/
private function isValidSession(){
session_start();
error_log('IP ADDRESS ' . $_SESSION['MA_IP_ADDRESS']);
error_log('AGENT ' . $_SESSION['MA_USER_AGENT']);
error_log('TIME OUT ' . $_SESSION['MA_IDLE_TIMEOUT']);
if( !isset($_SESSION['MA_IP_ADDRESS']) || !isset($_SESSION['MA_USER_AGENT']) || !isset($_SESSION['MA_IDLE_TIMEOUT']) )
return false;
if( empty($_SESSION['MA_IP_ADDRESS']) || empty($_SESSION['MA_USER_AGENT']) || empty($_SESSION['MA_IDLE_TIMEOUT']) )
return false;
//if the session expired - make it invalid
if( $_SESSION['MA_IDLE_TIMEOUT'] < $this->current_time )
return false;
//the session is valid
return true;
}
/*
* This function check if this is a session Hijacking attempt or nor
*/
private function isHijacking(){
//if the set IP address no not match the current user's IP address value - make it invalid
if( $this->getSession('MA_IP_ADDRESS') != $this->user_ip )
return true;
//if the set user agent value do not match the current user agent value - make it invalid
if( $this->getSession('MA_USER_AGENT') != $this->user_agent && $this->user_agent != 'Shockwave Flash' )
return true;
//the session is valid
return false;
}
/*
* This function generate new random string
*/
private function generateSessionID($len = 40) {
//user -13 because uniqid need 13 characters
$max_to_pick = $len-13;
$characters = str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-');
$newStr = '';
$maxLen = strlen($characters) - 1;
for ($i = 0; $i < $max_to_pick; ++$i)
$newStr .= $characters[mt_rand(0, $maxLen)];
return uniqid($newStr);
}
//open the database connection for the session storage engine
public function open(){
$this->db = new connection();
if($this->db)
return true;
// Return False
return false;
}
//close the database connection for the session storage engine
public function close(){
if($this->db->endConnection())
return true;
// Return False
return false;
}
//read current session variables from the session database
public function read($id){
// Set query
$data = $this->db->getDataSet('SELECT data FROM sessions WHERE session_id = ?', array($id));
if(count($data) == 1)
return $data[0]['data'];
return '';
}
//replace the existing data using the current session id
public function write($id, $data){
// Set query
$replace = $this->db->processQuery('INSERT INTO sessions(session_id, access, data, user_id) VALUES (?, ?, ?, ?)
ON DUPLICATE KEY UPDATE
session_id = ?,
access = ?,
data = ?', array($id, $this->current_time, $data, $this->user_id, $id, $this->current_time, $data));
if($replace)
return true;
// Return False
return false;
}
//delete a session record from the storage engine
public function delete($id){
// Set query
$delete = $this->db->processQuery('DELETE FROM sessions WHERE session_id = ? OR user_id IS NULL', array($id));
if($delete)
return true;
// Return False
return false;
}
//deletes all expired session - if the access time is less that current time
public function garbageCollector($max){
// Calculate what is to be deemed old
$old = $this->current_time - $max;
// Set query
$delete = $this->db->processQuery('DELETE FROM sessions WHERE access < ? OR user_id IS NULL', array($old));
if($delete)
return true;
// Return False
return false;
}
}
?>