tags:
views: 128
answers: 1

Hi guys.

I have two sessions in PHP:

$_SESSION["session"]["key"] = md5 ($token . $userAgent . $ip);
$_SESSION["session"]["timeout"] = time ();

I just want to check those sessions with nginx; I tried this code without success:

location / {
    if ($request_filename ~* "index.php") {
        break;
    }

    if ($http_cookie ~* "session") {
        break;
    }

    rewrite ^.+$ https://localhost/index.php last;
}

Any clues?

Thanks.

+2  A: 

A cookie just holds the session ID; an ID is always created upon session_start(), so if you're calling that within your script the user will always have a session ID.

Your best bet is to add a second cookie:

setcookie('session_key',md5 ($token . $userAgent . $ip));

Then within nginx:

if ($http_cookie ~* "session_key")
{
    break;
}

to check if that cookie is set.

If the hash is sensitive, then do this:

setcookie('session_key_active','1');

Then in nginx:

if ($http_cookie ~* "session_key_active")
{
    break;
}

But this is still vulnerable; always check that the server-side values match!

RobertPitt
Thank you for helping me, but I can't put the 'key' into a cookie; anyone can get that, for security reasons.
2x2p1p
Never mind, I am confused :S
2x2p1p
Read again, small update.
RobertPitt
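An added example of the "flag cookie for nginx, real check in PHP" approach from the answer above. This is not RobertPitt's code or code from the original question; it assumes the per-user `$token` is kept in the session so the hash can be recomputed, a 30-minute idle timeout, and PHP 7.3+ for the array form of setcookie(). The nginx fragment in the comment reads the flag via the built-in `$cookie_session_key_active` variable instead of pattern-matching `$http_cookie`, because a substring match on "session" also matches the PHPSESSID cookie that exists for every visitor, which is one reason the question's rewrite never fires. Whatever nginx decides, any client can send `session_key_active=1`, so only the PHP check below is trusted:

```php
<?php
// Added example, not from the original post. Pairs with an nginx config like:
//
//   map $cookie_session_key_active $needs_login {
//       default 1;   # no flag cookie (or any other value): send to login
//       "1"     0;   # flag present: let the request through
//   }
//   location / {
//       if ($needs_login) { rewrite ^ /index.php last; }
//   }
//
// The flag carries no secret and is only a routing hint; the decision that
// matters is made server-side in sessionIsValid().

declare(strict_types=1);

const SESSION_TTL = 1800; // assumption: 30 minute idle timeout

function fingerprint(string $token, string $userAgent, string $ip): string
{
    // Same binding as the question: token + User-Agent + client IP.
    return md5($token . $userAgent . $ip);
}

// Call after a successful login; session_start() must already have run.
function startAuthenticatedSession(string $token, string $userAgent, string $ip): void
{
    session_regenerate_id(true);                   // fresh ID after login
    $_SESSION['session']['key']     = fingerprint($token, $userAgent, $ip);
    $_SESSION['session']['token']   = $token;      // assumption: kept server-side to recompute the hash
    $_SESSION['session']['timeout'] = time();

    // Non-sensitive flag for nginx. Nothing secret goes into this cookie.
    setcookie('session_key_active', '1', [
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// The server-side check the answer insists on: the stored key must equal the
// hash recomputed from this request's User-Agent and IP, and the session must
// not have been idle longer than SESSION_TTL.
function sessionIsValid(string $userAgent, string $ip, ?int $now = null): bool
{
    $now = $now ?? time();
    $s = $_SESSION['session'] ?? null;
    if (!is_array($s) || !isset($s['key'], $s['token'], $s['timeout'])) {
        return false;                              // never logged in
    }
    if ($now - (int) $s['timeout'] > SESSION_TTL) {
        return false;                              // idle too long
    }
    $expected = fingerprint((string) $s['token'], $userAgent, $ip);
    if (!hash_equals((string) $s['key'], $expected)) {
        return false;                              // UA or IP changed: treat as a stolen session ID
    }
    $_SESSION['session']['timeout'] = $now;        // sliding idle window
    return true;
}

// Put this at the top of every protected page.
function requireSession(): void
{
    session_start();
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!sessionIsValid($ua, $ip)) {
        // Tear down everything, including the nginx flag, and send to login.
        $_SESSION = [];
        session_destroy();
        setcookie('session_key_active', '', ['expires' => time() - 3600, 'path' => '/']);
        header('Location: /index.php', true, 302);
        exit;
    }
}
```

With this in place the nginx rule only saves PHP the work of bootstrapping a session for visitors who have clearly never logged in; a forged `session_key_active=1` cookie still gets the visitor only as far as requireSession(), which fails the hash comparison and redirects them to index.php.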