
Dealing with session hijacking in PHP

Reading through the many questions regarding session hijacking here on Stack Overflow, I've gathered that the only 'solution' to validating a user's session is by checking the user agent, which is such a weak layer of protection that I don't even bother to implement it.

So, I was wondering what solutions you guys have implemented? Are you even using PHP's native sessions or is there a more secure solution?


You don't need the session id in order to hijack a session. An XSS attack can go 1 of 2 ways. The most common is to read document.cookie and send it to a remote server (this request will also contain the victim's USER_AGENT, so checking this value is a complete and total waste of time as it doesn't prevent any attack whatsoever). A cool security method developed by Microsoft is called HTTPOnly Cookies, and most browsers support this security feature.

HTTPOnly Cookies and checking the client's IP address don't stop all session hijacks. In fact, if the attacker has an XSS vulnerability he can just forge requests using XHR on the victim's browser and therefore wouldn't need to know the value of the cookie.

At the end of the day, in order to stop session hijacking you need to plug the vulnerabilities in your web application. Most importantly you need to prevent "Session Riding", which is also known as CSRF. You also need to prevent XSS vulnerabilities; Acunetix free edition is a good tool for finding them. Last but certainly not least, you must read the OWASP A3: Broken Authentication and Session Management. A common violation of OWASP A3 is that people don't use HTTPS for the entire session. At no point can you spill the value of the cookie over HTTP; this has the exact same impact as if you spilled the username/password. If a hacker is sniffing the traffic he will have immediate access to your site.
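The measures this answer describes (HttpOnly and HTTPS-only cookies, a CSRF token, and not relying on the user agent) put together in PHP's native session API, as an added example rather than code from the question or the answer. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params` and a site that is served only over HTTPS; the function names are chosen for illustration.

```php
<?php
// Added example, not code from the question or answers: hardening PHP's native
// sessions along the lines the answer above describes. Assumes PHP >= 7.3
// (array form of session_set_cookie_params) and a site served only over HTTPS.

function start_hardened_session(): void
{
    // Refuse session IDs the server never issued (session fixation) and only
    // ever read the ID from the cookie, never from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // HttpOnly keeps document.cookie from exposing the ID to injected script,
    // Secure keeps it off plain HTTP, SameSite keeps it out of cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Call after a successful login or privilege change so any ID an attacker
// already holds stops being valid.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Embed $_SESSION['csrf_token'] as a hidden field in every state-changing
// form and verify it before acting: a request forged from another origin
// cannot read the token, which blocks the "session riding" the answer mentions.
function csrf_token_is_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== ''
        && hash_equals($expected, $submitted);
}

start_hardened_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```

As the answer points out, script already running in the victim's page can read the token out of the form, so the token only defends against cross-site forgery; removing the XSS itself remains the prerequisite.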


Simply log the user out if the request has a different IP and/or hostname. As for people with dynamic IPs - well, logging in again is not that much of a problem.

Obviously the "right" way of dealing with it is implementing SSL.
