David Blakemore » PHP Session Hacking
The life of a PHP Web Developer

PHP Session Hijacking
Posted on 12 May 2008
Tags: Development, PHP, Security

Continuing on from the session regenerate ID article, this one covers steps you can take to further improve session security. We've already seen the benefits that session_regenerate_id() can offer, but what if someone hijacks the session rather than fixating it?

What is Session Hijacking?

Session hijacking is where an attacker manages to get hold of your session cookie, thus obtaining your session ID. If a malicious attacker manages to hijack your session ID, they can instantly get access to your session and potentially to private data. There are several ways in which an attacker can do this, but they all result in the same thing... a backdoor into your session.

What can be done?

The best way to improve the security of a session is to introduce some kind of unique token (other than the session ID) that can be used to validate the user. For example, we can use the user's user agent string as a token. This way, we can check the token on each request to see if it matches what we're expecting; if it doesn't, then it could potentially be an attacker.
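The user-agent token check described above, including the salted MD5 step the post goes on to describe, as an added example that is not the post's own code. It assumes PHP 7.1 or later, a server-side SESSION_SALT constant (placeholder value shown) and a hypothetical /login.php page.

```php
<?php
// Added example (not the post's own code): bind a session to the visitor's
// user agent, using the salted MD5 token the post describes. Storing the raw
// user agent instead of the hash gives the post's simpler first variant.
// Assumed: SESSION_SALT comes from server-side config, never from the session
// or the client, so a hijacker who has only the session ID cannot see it.
define('SESSION_SALT', 'REPLACE-WITH-LONG-RANDOM-STRING'); // placeholder value

function user_agent_token(string $salt): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    // MD5 of salt + user agent, as in the post: guessing the UA alone is not enough.
    return md5($salt . $ua);
}

function session_token_matches(string $salt): bool
{
    if (!isset($_SESSION['token']) || !is_string($_SESSION['token'])) {
        return false;
    }
    // hash_equals (PHP >= 5.6) compares in constant time.
    return hash_equals($_SESSION['token'], user_agent_token($salt));
}

function start_checked_session(string $salt): void
{
    session_start();
    if (!isset($_SESSION['token'])) {
        // First request of a new session: record the token for later checks.
        $_SESSION['token'] = user_agent_token($salt);
        return;
    }
    if (!session_token_matches($salt)) {
        // Token mismatch: possible hijack. Discard the session entirely and
        // send the visitor to log in again, as the post suggests.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php'); // assumed login page path
        exit;
    }
}

start_checked_session(SESSION_SALT);
```

Include this before any other session access on every page; a visitor whose browser presents a different user agent (or an attacker who has only the session ID) is logged out and sent to the login page.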
There are other variables you could use to set up a token, but be careful not to use non-unique information. For instance, don't use IP addresses as tokens, as multiple users could come from a single IP address, or a single user could have multiple IP addresses.

In this example, the user agent string is captured when the session is created and stored in the token session variable. Now the user can happily browse the site. If an attacker manages to hijack the session ID and tries to gain access to the session, they won't necessarily have the same user agent string, so they'll be prompted for a login. Obviously, this still isn't ideal, as the hijacker could be using the same user agent, or could fake the expected user agent.

We could make this more secure by introducing some hashing. In this example, we're creating an MD5 hash of the user agent string and a random string (salt). Now the hijacker will have an even harder time, as not only will they have to try and discover the expected user agent, they will also need to guess the salt used to make the MD5 hash (which is much harder).

And you could go on. You can add more validation checks or create more tokens. The more obstacles you put up, the harder you make it for attackers. Again, this is not the be-all and end-all of PHP session security, but by implementing useful code like this, you can make your websites much more secure.

If you have any questions or comments about session security, please feel free to leave a comment or contact me.

One Response to "PHP Session Hijacking"

1. Discover Says:
May 15th, 2008 at 2:03 am
I was searching for 'Discover Log In' at google and found your post named 'PHP Session Hijacking' in search results. Not very relevant result, but still interesting to read.
Online blog of David Blakemore, powered by WordPress. Site content ©David Blakemore 2008