Monday, 22 September 2014

Protect Session Tutorial

Got this trick from codertips (thanks, bro).

Many webmasters do not pay attention to session security. There are two different ways to build a login: with server-side sessions (the browser holds only a cookie carrying the session ID) or with cookies that carry the login state themselves.
We will talk about sessions first, and their security, in this post.

Steps to session security

1- Not filtering GET, POST, REQUEST data
2- Using session_regenerate_id()
3- Accepting HttpOnly cookies only
4- Manually expiring sessions
5- php.ini modifications

Let's begin

To start a session:
<?php
session_start(); // it starts sessions
?>
A live example that echoes "Hello World":
<?php
session_start();
// string to print
$string = "Hello World";
$_SESSION['string'] = $string;
// printing it out
echo $_SESSION['string'];
?>
It will print Hello World in the browser. :)
Try it!

Not filtering GET, POST, REQUEST data

If you put a value from a form into a session, remember that storing it does not make it safe: it is still attacker-controlled when it comes back out.

Here is a live example of a vulnerability:
<?php
session_start();
/* the attacker requests ?string=<script>alert(0)</script>
   the script tag is echoed back unescaped, the browser runs it,
   and a "0" pops up */
$string = $_GET['string'];
$_SESSION['string'] = $string;
// printing it out without escaping
echo $_SESSION['string'];
?>

What happened here is that the GET data is written into the page without being escaped, so the browser executes the attacker's script: a reflected Cross-Site Scripting (XSS) attack. Passing the value through $_SESSION changes nothing; the session is only a server-side container, and the same untrusted value is just as dangerous later when it is rendered on another page (stored XSS) or concatenated into a MySQL query (SQL injection).
Make sure this kind of data is always escaped for the context in which it is used: htmlspecialchars() when it goes into HTML, a prepared statement when it goes into SQL.
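The vulnerable snippet above beside its hardened form, as an added example that is not code from the original post or from codertips. It assumes PHP 7 or later; the storeNote() function and the `notes` table it writes to are hypothetical, and the PDO connection it takes is assumed to exist, since the post only mentions MySQL in passing.

```php
<?php
// Added example (not from the original post). Assumptions: PHP 7+, and for
// storeNote() a pre-built PDO connection and a hypothetical table notes(body).
declare(strict_types=1);

// Same hostile input as the post's example, constructed inline so the script
// also runs offline without a query string: ?string=<script>alert(0)</script>
$input = $_GET['string'] ?? '<script>alert(0)</script>';

// VULNERABLE, as in the post: the raw value goes straight into the HTML,
// so the browser parses the <script> element and runs it.
function renderUnsafe(string $value): string
{
    return "<p>$value</p>";
}

// HARDENED: escape for the HTML context at the moment of output. The value
// in the session is unchanged; the fix belongs where the data is used.
// ENT_QUOTES also escapes ' and " so the value is safe inside attributes.
function renderSafe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>$escaped</p>";
}

session_start();
$_SESSION['string'] = $input;   // storing it is fine; emitting it raw is not

echo renderUnsafe($_SESSION['string']), "\n";   // executes in a browser
echo renderSafe($_SESSION['string']), "\n";     // shown as literal text

// The same value going to MySQL needs the SQL-context defence, a prepared
// statement, not HTML escaping. Hypothetical helper; $pdo is assumed.
function storeNote(PDO $pdo, string $value): void
{
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);   // bound as data, never parsed as SQL
}
```

Run it with `php -S localhost:8000 file.php` and open /?string=%3Cscript%3Ealert(0)%3C/script%3E: the first paragraph pops the alert, the second shows the tag as text. Note that the two defences are not interchangeable; HTML escaping does nothing for a SQL query and a prepared statement does nothing for HTML output.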


Using session_regenerate_id()

What is this function all about?
Well, this function is very important!

a- It replaces the current session ID with a freshly generated one; the session data is kept and re-attached to the new ID.
b- It does not destroy the session when the browser closes. Whether the cookie survives a browser restart is controlled by session.cookie_lifetime (0 means a session cookie that the browser drops on exit), and the server-side data lives until garbage collection or session_destroy() removes it.
c- It defeats session fixation: an attacker who tricked the victim into using a session ID the attacker already knows loses that knowledge the moment the ID is regenerated. Call it whenever privileges change, above all right after a successful login. It does not stop an ID being stolen after login (sniffing, XSS); for that you need HTTPS and the cookie flags below.

To implement it, just do:
<?php
session_start();
// regenerate after login (or any privilege change); true deletes the old
// session file, so the old ID cannot be used any more
session_regenerate_id(true);
?>

Accepting HttpOnly cookies only

This is a php.ini setting. php.ini explains it as: Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript. For more about it, read the session configuration page on php.net. Note that HttpOnly only stops script from reading the cookie; an XSS payload can still send requests that carry it, so it limits the damage of XSS rather than preventing it.

To implement it, just do (the ini_set() must come before session_start(): once the session cookie has been sent, changing the setting has no effect):
<?php
// setting ini rule, before the session is started
ini_set('session.cookie_httponly', '1');
session_start();
session_regenerate_id(true);
?>

Manually expiring sessions

We can use time() to record when we last logged in and treat the session as dead after X seconds, whether or not the php.ini garbage collector has run yet.
<?php
// setting ini rule, before the session is started
ini_set('session.cookie_httponly', '1');
session_start();
session_regenerate_id(true);
// record last login
$_SESSION['lastlogin'] = time();
?>
On the next request we check for expiration:
<?php
// setting ini rule, before the session is started
ini_set('session.cookie_httponly', '1');
session_start();
// check if the session is older than 20 seconds (20 is for the demo; use
// 15-30 minutes in practice). The session is expired when its AGE,
// time() - lastlogin, exceeds the limit, so the comparison reads age > limit.
if (!isset($_SESSION['lastlogin']) || time() - $_SESSION['lastlogin'] > 20) {
    // drop the data on the server too, not just this request
    session_unset();
    session_destroy();
    die("Session expired, please relogin.");
}
session_regenerate_id(true);
?>

php.ini modifications

We are going to make some modifications in the php.ini file.
You can use Ctrl+F to search for the strings.
session.save_path = "c:/wamp/tmp" (where the session files are saved; keep this outside the web root and readable only by the web server user, since every file there holds a live session in plain text)
session.gc_maxlifetime = 1440 (seconds, so 24 minutes, after which a session is eligible for garbage collection; collection only runs with the probability set by session.gc_probability/session.gc_divisor, which is why the manual expiry check above is still needed)
It is good to change these two options, or more depending on your needs. Other options worth setting: session.use_strict_mode = 1 (reject session IDs the server did not generate), session.use_only_cookies = 1 (never take the ID from the URL), and session.cookie_secure = 1 when the site is served over HTTPS.
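The five steps above fit together in one login script, shown here as an added example that is not code from the original post or from codertips. It assumes PHP 7.3 or later (for session.cookie_samesite), a site served over HTTPS, and a hypothetical checkCredentials() with one built-in user standing in for a real user store; IDLE_LIMIT and ABSOLUTE_LIMIT are illustrative values, not anything the post prescribes.

```php
<?php
// Added example, not the original post's code. Assumptions: PHP 7.3+, HTTPS,
// and a hypothetical checkCredentials() in place of a real user lookup.
declare(strict_types=1);

const IDLE_LIMIT     = 20 * 60;   // log out after 20 min without a request...
const ABSOLUTE_LIMIT = 8 * 3600;  // ...and 8 h after login regardless of activity

function secureSessionStart(): void
{
    // Every ini_set() MUST come before session_start(); after it the cookie
    // has already been sent and these settings are silently ignored.
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    ini_set('session.cookie_httponly', '1');   // JavaScript cannot read the cookie
    ini_set('session.cookie_secure', '1');     // cookie travels over HTTPS only
    ini_set('session.cookie_samesite', 'Lax'); // not attached to cross-site POSTs
    ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
    session_start();
}

function login(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    // Privilege changed: issue a new ID so an attacker who planted one before
    // login (session fixation) does not know the post-login ID. true deletes
    // the old session file as well.
    session_regenerate_id(true);
    $_SESSION['user']         = $user;
    $_SESSION['lastlogin']    = time();
    $_SESSION['lastactivity'] = time();
    return true;
}

function isLoggedIn(): bool
{
    if (!isset($_SESSION['user'], $_SESSION['lastlogin'], $_SESSION['lastactivity'])) {
        return false;
    }
    $now = time();
    // Expired when the AGE exceeds the limit: now - stamp > limit.
    if ($now - $_SESSION['lastactivity'] > IDLE_LIMIT
        || $now - $_SESSION['lastlogin'] > ABSOLUTE_LIMIT) {
        logout();
        return false;
    }
    $_SESSION['lastactivity'] = $now;   // sliding idle window
    return true;
}

function logout(): void
{
    // Drop the data and retire the old ID: its file is deleted and, with
    // use_strict_mode on, the old cookie value is never accepted again.
    // The session stays active but empty, so a login can follow in this request.
    $_SESSION = [];
    session_regenerate_id(true);
}

// Hypothetical user store with a single user; a real one would load the
// password_hash() value from a database and compare it the same way.
function checkCredentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

secureSessionStart();
if (!isLoggedIn()) {
    if (!login($_POST['user'] ?? '', $_POST['password'] ?? '')) {
        http_response_code(401);
        exit('Session expired or invalid credentials, please log in again.');
    }
}
echo 'Hello ', htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

Two design points worth noticing: the ID is regenerated at the privilege change (login) rather than on every request, which avoids races between concurrent requests from the same browser; and the two timeouts are independent, so a user who keeps clicking is still logged out when the absolute limit is reached.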


Note:

Storing sessions in a MySQL database is not the default and is not needed on a single server: it costs a query on every request, and a hand-written session handler that builds its SQL by string concatenation is an injection risk. If you do need a shared store (several web servers behind a load balancer), write the handler with prepared statements.

How To Make Your First Android App "Hello World"

When we enter a new programming language, we always make a Hello World application first. It looks like a tradition, I think. Making a Hello World application helps us understand how to display text on the screen.
A nice first step, isn't it? :)
In Android we have three ways to make a Hello World application: instantly, without writing any code; by Java coding; and by XML. Let's try the instant Hello World first.
Step 0: Read
Go to "Android Training" @ http://developer.android.com/training/index.html. Read "Get Started", "Building Your First App".
You will also find many references there that will help you understand Android programming.
Step 1: Create a New Android Project
  1. Launch Eclipse. For "ADT Bundle", run "eclipse.exe" under the "eclipse" sub-directory. Choose a NEW workspace (don't use your previous workspace).
  2. Close the "Welcome" screen, if it appears.
  3. From "File" menu ⇒ New ⇒ Project... ⇒ "Android Application Project" ⇒ Next.
  4. The "New Android Project" dialog appears:
    1. In "Application Name": Enter "Hello Android" - this is the Android application name that shows up on the real device.
    2. In "Project Name": Enter "HelloAndroid" (default) - this is the Eclipse's project name.
    3. In "Package Name": Enter "com.example.helloandroid" (default).
    4. In "Minimum Required SDK": Select "API 8: Android 2.2 (Froyo)" (default) - almost all of the Android devices meet this minimum requirement.
    5. In "Target SDK" and "Compile With": Select the latest Android version.
    6. For "Theme", use the default ⇒ Next.
  5. The "Configure Project" dialog appears ⇒ Use the defaults ⇒ Next.
  6. The "Configure Launcher Icon" dialog appears, which allows you to set the application's icon to be displayed on the devices ⇒ Use the defaults ⇒ Next.
  7. The "Create Activity" dialog appears ⇒ Check "Create Activity" Box (default) ⇒ Select "Blank Activity" (default) ⇒ Next.
  8. The "Blank Activity" dialog appears.
    1. In "Activity Name": Enter "MainActivity" (default).
    2. In "Layout Name": Enter "activity_main" (default) ⇒ Finish.
  9. By default, a hello-world app is created.
Step 2a: Setup Emulator (or Android Virtual Device (AVD))
Android Virtual Devices (AVDs) are emulators that allow you to test your application without the real device. You can create AVDs for different android platforms (from Android 1.x to Android 4.x) and configurations (e.g., phone/pad, screen size, orientation, SD card and its capacity).
  1. From Eclipse's "Window" menu ⇒ Preferences ⇒ Android ⇒ In "SDK Location", check and confirm it contains your Android's SDK installed directory.
  2. Start the AVD Manager: From Eclipse's "Window" menu ⇒ Select "AVD Manager". (You could also start the AVD manager by running "AVD Manager.exe" under the "sdk\tools\lib".)
  3. The "Android Virtual Device Manager" dialog appears ⇒ "New".
  4. The "Create New Android Virtual Device (AVD)" dialog appears.
    1. In "Name", enter "Android44_qvga".
    2. In "Device", select "2.7 QVGA" (try the smallest device first).
    3. In "Target", select "Android 4.4 - API Level 19".
    4. Set "SD Card Size" to 10 MB (do not set a huge SD Card size, which would take hours to create.) ⇒ OK.
Notes: For windows, the AVD is saved in "c:\Users\<user>\.android\avd\<avd-profile-name>.avd". The AVD location is shown in AVD manager on top of the table.
Step 2b: Launch Emulator (or AVD)
You can test your AVD created in the previous step by launching the emulator.
Start the AVD Manager: From Eclipse's "Window" menu ⇒ run "AVD Manager" ⇒ Select a AVD (e.g., "Android44_qvga") ⇒ Click the "Start" button ⇒ The "Launch Options" dialog appears ⇒ Launch.
WAIT patiently! The emulator is VERY SLOW and takes a few MINUTES to launch. Wait for the "Android" logo to appear and disappear. If a lock appears, unlock the screen by dragging the lock to the right.
You can change the orientation (between portrait and landscape) of the emulator via "ctrl-F11".
We typically create different AVDs to emulate different real devices, e.g., Android44_xga of resolution (1024x768 XGA).
DO NOT CLOSE the emulator. Just leave it running. Trust me, it takes time to re-start the emulator!!!
Step 3: Run the Android App
Before running the Android app, turn on the "Error Log" and "Progress" views: From "Window" ⇒ "Show View" ⇒ "Error Log". Repeat for "Progress" view.
Now, run the application by right-click on the "HelloAndroid" PROJECT NODE ⇒ "Run As" ⇒ "Android Application".
Be patient! It takes a few MINUTES to fire up the emulator (if the emulator has not been started)! Watch the "Progress" view (for launch progress), Android's "Console" (for messages), and "Error Log" (for error messages).
[2014-03-20 18:20:26 - HelloAndroid] ------------------------------
[2014-03-20 18:20:26 - HelloAndroid] Android Launch!
[2014-03-20 18:20:26 - HelloAndroid] adb is running normally.
[2014-03-20 18:20:26 - HelloAndroid] Performing com.example.helloandroid.MainActivity activity launch
[2014-03-20 18:20:26 - HelloAndroid] Automatic Target Mode: using existing emulator 'emulator-5554'
                                     running compatible AVD 'Android44_phone'
[2014-03-20 18:20:26 - HelloAndroid] Uploading HelloAndroid.apk onto device 'emulator-5554'
[2014-03-20 18:20:30 - HelloAndroid] Installing HelloAndroid.apk...
[2014-03-20 18:20:39 - HelloAndroid] Success!
[2014-03-20 18:20:40 - HelloAndroid] Starting activity com.example.helloandroid.MainActivity on device emulator-5554
[2014-03-20 18:20:42 - HelloAndroid] ActivityManager: Starting: Intent { act=android.intent.action.MAIN
                                     cat=[android.intent.category.LAUNCHER] cmp=com.example.helloandroid/.MainActivity }
Once the emulator has started, unlock the device by holding and sweeping the "lock" to the right (or left). It shall launch your Hello World app and display "hello, world" on the screen with the title "Hello Android".
If your program is not launched automatically, try launching it from the "app menu" manually after the emulator has started. Look for the icon marked "Hello Android".

Try launching the app from "HOME" ⇒ "..." ⇒ Look for the icon "Hello Android".
Also try "HOME" ⇒ "..." ⇒ "MENU" ⇒ "Manage Apps" ⇒ Select "HelloAndroid" ⇒ Un-install.
NOTE: DO NOT CLOSE the emulator, as it really takes a long time to start. You could always re-run or run new applications on the same emulator.
Step 5: Run the Android App on Real Devices
To run the Android app on a real device (Android Phone or Android Pad):
  1. Connect the real device to your computer. Make sure that you have the "USB Driver" for your device installed on your computer. You can find the "Google USB Driver" @ http://developer.android.com/sdk/win-usb.html, and Google's certified "OEM USB Drivers" @ http://developer.android.com/tools/extras/oem-usb.html. If your device is not certified there, good luck! It took me many hours to find a compatible driver for my cheap Android Pad.
  2. Enable "USB Debugging" mode on your real device: from "Settings" ⇒ "Applications" ⇒ "Development" ⇒ Check "USB Debugging". This allows the Android SDK to transfer data between your computer and your device; it also lets anything plugged into the USB port install apps and pull data from the device, so turn it off again when you are not developing.
    "Unknown sources" (also under "Applications") allows applications from outside the Play Store to be installed from the device itself. Installs pushed through Eclipse or adb do not need it, so leave it off unless you have to sideload an APK by hand.
  3. You shall see the message "USB Debugging Connected" when you plug the USB cable into your computer.
  4. From Eclipse, right-click on the project node ⇒ Run As ⇒ Android Application.
  5. The "Android Device Chooser" dialog appears. Select your real device (instead of the AVD emulator) ⇒ OK.
  6. Eclipse ADT installs the app on the connected device and starts it.
  7. You can unplug the device. The app has been installed. You can un-install the app via "Manage Apps".
(Advanced) Alternatively, you can also use the "adb" (Android Debug Bridge) tool (under "sdk\platform-tools") to install the ".apk" file ("HelloAndroid.apk") onto the real devices. The "sdk\platform-tools" directory must be included in the PATH.
// Change directory to <project-root>\bin, where the ".apk" is located
// -d option for real device
> adb -d install filename.apk
2402 KB/s (157468 bytes in 0.064s)
        pkg: /data/local/tmp/filename.apk
Success
  
> adb --help
This is the end of our Hello World tutorial in this post. Maybe you will find it weird that we did not type any code for this application. That's because "Hello World" is created by default when we make an Android application, so we don't even need to type the Hello World itself.
I will go deeper into Hello World in the next post to make it clear.

Friday, 19 September 2014

How To Install Android SDK

I began to learn and practice Android programming some months ago, but only recently got serious. lol.
I think Android has a bright future, so it is worth learning this platform and trying to make software for it. You can easily sell your Android software on the Play Store too, can't you? :)

1.  Introduction

Android is an operating system for mobile devices developed by Google, built upon the Linux kernel. Android competes with Apple's iOS (for iPhone/iPad), RIM's BlackBerry, Microsoft's Windows Phone (previously called Windows Mobile), Symbian OS, and many other proprietary mobile OSes.

Android Platform

Android is based on Linux with a set of native core C/C++ libraries. Android applications are written in Java. However, they run on Android's own virtual machine, the Dalvik Virtual Machine (DVM), instead of the JDK's JVM; the DVM is optimized for mobile devices.
The mother site for Android is http://www.android.com. For developers, visit http://developer.android.com to download the SDK, Android Training, API Guides and API documentation.


Don't get it? Never mind, I don't really get it either. lol. People say that if you always practice it and work with it, you will understand it by yourself later. As long as you understand the basic foundation, you can proceed to the next step.

The Android platform has many versions, ordered by release date. Each version's code name is a dessert; don't ask me why they chose that.


2.  How to Install Android Software Development Kit (SDK)

Installing all the software needed for Android programming takes time - from 15 minutes to 3 hours - depending on your luck!!!
The Android Software Development Kit (SDK) runs on top of Eclipse with the Android Development Tools (ADT) plugin, and the JDK. In other words, you need
  1. JDK,
  2. Eclipse,
  3. ADT Plugin for Eclipse, and
  4. Android SDK.
Pre-Installation Check List
  1. Before installing Android SDK, you need to install Java Development Kit (JDK). Read "How to install JDK".
  2. Read the "Android Training" @ Android Developers (http://developer.android.com). There are three main menus: "Design", "Develop", and "Distribute". Choose "Develop", you can find the Android "Training", "API Guides", "Reference" and "Tools". For beginners, browse through the "Training".
Android SDK Installation Packages
There are two options to install Android SDK:
  1. Install the "ADT Bundle", which includes everything you need to write Android apps (i.e., Eclipse + ADT Plugin for Eclipse + Android SDK). This requires a huge download of about 500MB. [However, the Bundle's SDK version is slightly behind. At the time of writing (end of March 2014), Bundle is 22.3, but SDK is 22.6.]
  2. If you have already installed Eclipse, you could install the ADT plugin for Eclipse and Android SDK on top of the existing Eclipse.

2.1  Installation Option (1): Installing ADT Bundle (Recommended)

Step 1: Download the "ADT Bundle" Zip File
Goto "Android Developer" @ http://developer.android.com/index.html and select "Get the SDK".
  • For Windows: Select "Download the SDK - ADT Bundle for Windows". Choose either "32-bit" or "64-bit" and "Download".
  • For Mac: Expand "Download for Other Platforms" ⇒ Under "ADT Bundle", Select "Mac OS X 64-bit".
Step 2: Unzip
Unzip the download file into a folder of your choice, e.g., "d:\myproject" (for Windows) or "/Applications" (for Mac). Do NOT use a directory name containing space or special characters!!!

2.2  Installation Option (2): Installing on Existing Eclipse (Skip if you choose option 1)

Step 0: Check that Eclipse has been installed
Step 1: Download the Android SDK
Goto http://developer.android.com/sdk/index.html. ⇒ Expand "Download For Other Platforms" ⇒ Under "SDK Tools Only" ⇒ Download the appropriate SDK Tools for your operating platform. Choose the ZIP version, e.g., android-sdk_r22.6-windows.zip (104 MB).
Step 2: Install Android SDK
Unzip the downloaded file into a folder of your choice. Take note of the installed directory. Hereafter, I shall denote the android installed directory as <ANDROID_SDK_HOME>.
Step 3: Install Android Platforms and Add-ons via "SDK Manager"
The Android SDK comprises 2 parts: the "tools" and the "Platforms & Add-ons". The previous step installed the basic "tools", which are executables that support app development. The "Platforms & Add-ons" consist of ALL Android platforms (from Android 1.x to 4.x) and various Google Add-ons (such as Google Map API), which could be selectively installed.
Now, we have to setup our Android "Platforms & Add-ons".
  1. Launch Android's "SDK Manager", which is responsible for managing the Android components. Launch the SDK manager by running (double-clicking) "SDK Manager.exe" under the Android installed directory.
  2. In "Add Platforms and Packages", select your target Android platforms and add-ons packages. For novices, select "Android SDK Platform-Tools", and at least one (the latest) Android platform (e.g., Android 4.4 (API 19)) ⇒ "Install".
Step 4: Install Eclipse Android Development Tool (ADT) Plugin
I suppose that you have installed Eclipse.
  1. Launch Eclipse.
  2. Install Eclipse ADT: From Eclipse's "Help" menu ⇒ "Install New Software..." ⇒ In "Work with", enter https://dl-ssl.google.com/android/eclipse/ ⇒ Check ALL boxes ⇒ Next ⇒ Finish ⇒ Restart Eclipse to use ADT plugin.
  3. Configure Eclipse ADT: From Eclipse's "Window" menu ⇒ Preferences ⇒ Android ⇒ In "SDK Location", select the Android SDK installed directory (that you have chosen in Step 2).
(Optional) Step 5: Setup PATH for utilities adb.exe and emulator.exe
To run the utilities "adb.exe" (Android Debug Bridge) and "emulator.exe" from the command line, you need to include their paths in the environment variable PATH. "adb.exe" is kept in the directory "<ANDROID_SDK_HOME>\platform-tools", while "emulator.exe" is kept in "<ANDROID_SDK_HOME>\tools". Add both directories to the PATH.
For Windows: Start "Control Panel" ⇒ "System" ⇒ (Vista/7) "Advanced system settings" ⇒ Switch to the "Advanced" tab ⇒ "Environment variables" ⇒ Choose "System Variables" for all users (or "User Variables" for this login user only) ⇒ Select the variable "PATH" ⇒ Choose "Edit" to modify the existing variable ⇒ In the variable "Value", APPEND your <ANDROID_SDK_HOME>\platform-tools directory (e.g., "d:\bin\android-sdk\platform-tools"), followed by a semi-colon ';', IN FRONT of all the existing path entries. DO NOT remove any existing entry; otherwise, some programs may not run.
Add the "<ANDROID_SDK_HOME>\tools" directory to the PATH too.