开发者

Session Management and Security

问答 作者:

This is my current session management:

if(!isset($_SESSION["user"]["authenticated"]) || 
    !$_SESSION["user"]["authenticated"])
  redirect("login.php");

if($_SESSION["user"]["browserHash"] != md5($_SERVER["HTTP_USER_AGENT"]))
  redirect("logout.php?err=browser_mismatch");

if($_SESSION["user"]["IPHash"] != md5($_SERVER["REMOTE_ADDR"]))
  redirect("logout.php?err=ip_mismatch");

if(!isset($_SESSION["user"]["nonce"]) || 
  $_SESSION["user"]["nonce"] == $_COOKIE["SITE_nonce"])
{
  $nonce = md5(mt_rand() . time() . $_SERVER["REMOTE_ADDR"]);
  $_SESSION["user"]["nonce"] = $nonce;
  setcookie("SITE_nonce", $nonce, (60 * 15), "/path");
}
else
  redirect("logout.php?err=nonce_mismatch");

I am aware of changing IP issues an plan on using only the first 3 parts of the IP address. But what I am concerned about is the attacker is able to sniff headers and such. Then I won't be protected right? If I were an attacker within the victims network, I would simply make a quick GET request after I sniff one response header and I will get the regenerated nonce. Is there really a way to prevent this?

If it wouldn't be too much, I was also hoping on getting an insight on my approach. How can this be circumvented? Am I missing something big开发者_开发问答?

Your approach with recreating the nonce will fail if the user makes a new request after you, on the serverside, updated the nonce, but before the user receives the new cookie.

this happens for example if the user hit's F5 after a failed page load or if they open a lot of links in new windows/tabs.

Drop the idea for the IP-check. The IP address can change completely for many reasons. Think about load balancing proxies or mobile users switching roaming area for example.

A user-agent change could be detected and you could ask for a their password, but having them relogin (and restart what they where doing) is not very user friendly.

All in all, you are trying to protect your system from session stealing, with a session based on a cookie value. You need SSL for this, all other options will do little in terms of security. A cookie based session token is the currently accepted method for managing sessions, and deemed safe enough.

Also, CSRF attack are way more dangerous than session hijack attacks, and you do not stop those with what you propose. So my advice would be: focus on that area first.

To prevent sniffing of headers, you need to secure the connection over SSL/TLS.

继续阅读:phpsecuritysession-hijackingsession-management

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9