Protecting against SESSION hijacking

from last edition PHP Cookbook


henry0

6:07 pm on May 2, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I was reading the last PHP cookbook
and decided to test an anti session hijacking script from the book
two questions:
A) I am not sure that I grasp the concept loud and clear :) The logic?
Passing the session ID via cookies only generates a session token passed via URL, so requests with a valid session ID and that token may access the session.

B) It gives an error "unexpected string" at line 5, which is $tokenstr = (str) date('W') . $salt;

<<<<<<<<<<
// session ID is accepted from the cookie only, never from the URL
ini_set('session.use_only_cookies', true);
session_start();

// token = hash of the ISO week number plus a secret salt
$salt = 'YourSpecialValueHere';
$tokenstr = (str) date('W') . $salt;
$token = md5($tokenstr);

// a request without the matching token may not use the session
if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {
// prompt for login
exit;
}

$_SESSION['token'] = $token;
>>>>>>>>>>>>>

thanks

eelixduppy

6:28 pm on May 2, 2007 (gmt 0)

The error seems like you are using the wrong 'cast'. Try this:

$tokenstr = (string)date('W').$salt;

date() returns a string anyway, so you don't need the cast in there so you can just omit it:


$tokenstr = date('W').$salt;

henry0

6:32 pm on May 2, 2007 (gmt 0)

Thank you
But how do you "read" the logic?

eelixduppy

9:17 pm on May 2, 2007 (gmt 0)

Not quite sure. It sounds ok, but I'm not too knowledgeable about session hijacking prevention techniques. There is, however, a nice pdf about session fixation [acros.si] that php.net links to. It contains some really great information. Maybe that will guide you to understanding the method provided in your book.

Good luck :)

henry0

9:37 pm on May 2, 2007 (gmt 0)

I made it work by moving this:
<<<<<
$_SESSION['token'] = $token;
if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {
// prompt for login
exit;
}
>>>>>
to the receiving page.

I also added, below $_SESSION['token'] = $token;
output_add_rewrite_var('token', $token);
which acts as if we were hard-coding
.php?$token in a URI.

Last, use $_GET
to grab the token from the URI
and compare the token carried with the SESSION to the token carried by the URI.

It kind of makes sense, but I would like confirmation from the "high spirits".

[edited by: henry0 at 9:49 pm (utc) on May 2, 2007]
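The flow henry0 describes (store a token in the session, let output_add_rewrite_var() append it to every emitted link, then compare the URL token with the session token on the receiving page) as a single runnable script. This is an added example, not code from the PHP Cookbook or from henry0's posts. It deliberately swaps the week-based token for a random per-session one: md5(date('W') . $salt) depends only on the week number and a constant, so every visitor gets the same token for seven days and the token does not actually tie a request to one session. The ?step= parameter and the one-file layout are assumptions made for the example; real code would put the login and the protected page in separate files.

```php
<?php
// Added example (not the PHP Cookbook's or henry0's code).
// Assumes one file serving both the login and the protected page,
// selected by the hypothetical ?step= parameter.

declare(strict_types=1);

// 1. The session ID travels only in the cookie, never in the URL
//    (so a token leaking through a URL does not leak the session ID).
ini_set('session.use_only_cookies', '1');
// 2. Reject session IDs the server never issued: closes session fixation.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,      // keep the cookie away from document.cookie
    'samesite' => 'Lax',
    // 'secure' => true,     // enable when served over HTTPS
]);
session_start();

/**
 * Issue a token that is random and bound to exactly this session.
 * Compare with md5(date('W') . $salt), which is identical for every
 * visitor during the same ISO week.
 */
function issue_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['token'] = $token;
    // Append token=... to relative URLs and forms this page emits.
    // This is what henry0 used instead of writing ?token= by hand.
    output_add_rewrite_var('token', $token);
    return $token;
}

/**
 * Receiving-page check: the request must carry the token stored in
 * this very session. A stolen cookie alone is not enough, and a token
 * without the matching cookie is not enough either.
 */
function token_is_valid(?string $sessionToken, ?string $requestToken): bool
{
    if ($sessionToken === null || $requestToken === null) {
        return false;
    }
    // Constant-time comparison. A loose != would also treat numeric-looking
    // strings such as '0' and '0e123' as equal, which matters for hex tokens.
    return hash_equals($sessionToken, $requestToken);
}

$step = $_GET['step'] ?? 'login';

if ($step === 'login') {
    // ... verify the user's credentials here ...
    session_regenerate_id(true);   // fresh ID after login: defeats fixation
    issue_token();
    // The rewriter turns this into ?step=protected&token=<32 hex chars>.
    echo '<a href="?step=protected">continue</a>';
} elseif ($step === 'protected') {
    if (!token_is_valid($_SESSION['token'] ?? null, $_GET['token'] ?? null)) {
        http_response_code(403);
        echo 'token mismatch: please log in again';
        exit;
    }
    echo 'welcome back';
}
```

The token is read from $_GET rather than $_REQUEST so that a value smuggled in through a cookie cannot satisfy the check, and hash_equals() replaces the loose != comparison of the original snippet. Note that this scheme limits what a stolen cookie buys an attacker, but a token carried in URLs can still leak through Referer headers, browser history and server logs, so it is a complement to HTTPS and HttpOnly cookies, not a substitute.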

henry0

9:45 pm on May 2, 2007 (gmt 0)

Great link about "fixation",
but hijacking is when an attacker may access another person's session.

And fixation
is an attack that tricks the user into a session ID chosen by the attacker.

The more you learn about defense the more you type.
Are attacks the result of keyboard factories seeking business? :)

eelixduppy

9:49 pm on May 2, 2007 (gmt 0)

hehe

I've sounded silly in posts before, but gah!

I told you I don't know much about session security ;) Guess that means I'll have some reading to do tonight!

Apparently there are some classes that already do this for you: phpclasses [google.com].

[edited by: eelixduppy at 9:51 pm (utc) on May 2, 2007]

henry0

9:51 pm on May 2, 2007 (gmt 0)

Oh no, no more than what I did before editing.
Don't know if you did read it,
but it was 100% incorrect!

henry0

9:57 pm on May 2, 2007 (gmt 0)

Guess we'll both be doing some reading.
This sounds very promising.
Good find!