Session Hijacking and Fixation


ayushchd

8:04 am on Sep 10, 2007 (gmt 0)

Hi. I am sorry to drop in again, but security issues are really becoming a factor of concern for me. Being only 15 years old, I have not been able to understand them easily.

OK. My site is protected from XSS and SQL injection attacks.

But I am not sure about session hijacking and session fixation.

The following is my login script.

// Assumes $username and $password were already escaped before this query is built.
$result=mysql_query("select * from users where binary username='$username' and password='$password' and status = '1'");
if (!$result) {
echo mysql_error();
}
if(mysql_num_rows($result)!='0'){ // If match.
setcookie("user", $username, time()+3600); // expiry is a Unix timestamp: time(), not an undefined $time
session_register("password"); // stores the global $password in the session (session is started implicitly)
header("location:index.php");
exit; // stop the script so nothing after the redirect runs
}else{ // If not match.
$message=" Incorrect Login ";
}

How can I protect myself from session fixation and session hijacking with the above login script?

I also think that the way of registering the session is wrong.
Should it be $_SESSION['password'] = $password; ?

Habtom

8:46 am on Sep 10, 2007 (gmt 0)

Take a look at the php.net Sessions and security [php.net] section and a PDF file about Session fixation [acros.si].

Habtom

ayushchd

12:23 pm on Sep 10, 2007 (gmt 0)

Thanks Habtom.

I had already gone through them. I did understand a bit, but only a bit, so I came here.

Could you please summarise it for me?
And give one simple example of how it can be prevented?

ayushchd

6:21 am on Sep 24, 2007 (gmt 0)

Any example of a script preventing session fixation and hijacking?
Please guys, it's urgent.

Just a simple example...

PHP_Chimp

12:07 pm on Sep 24, 2007 (gmt 0)

There is no 'simple' answer. I think you may be looking at this the wrong way.
Think of sessions, in this case, as giving someone the keys to your house. How can you make sure that those keys are not used to break in and steal everything?

Session fixation is (if I continue with my analogy) leaving your keys sitting around for anyone to pick up. This may be leaving the cookies on someone's computer, or not checking that the session is still active, or leaving the session ID in a URL on someone's computer.

Ways you can stop people -

1 - You don't give out keys. Doesn't work for what you are looking to do, as you want to let people in.

2 - You collect keys when they leave. This means destroying the session and all set variables associated with it. You can destroy, unset and unregister sessions; destroying and unsetting variables is better. [uk.php.net...] has a lot of info on security.

3 - You can change the lock. PHP gives the person an ID; then make sure that ID is only allowed to be 'active' for a set period of time.

There are hundreds of other methods that you could use to stop people doing malicious things with your 'keys'.

What level of security you are after determines how much you need to bother. If you are protecting customers' financial records like a bank, then they use more than just no. 2 and 3 to stop people getting in. If you have a few photos of friends on a site and want them to be able to look but no one else, then unsetting and destroying your session when they finish is probably all you need to do (if that ;)).

ayushchd

1:22 pm on Sep 24, 2007 (gmt 0)

Thanks. That was useful.

On my site, the only time I am using sessions is when they are logging in, and I store the password in the session.

I just don't want my site to be vulnerable to session hijacking and session fixation.

So I want to securely register the session which will contain the password, and I want the other pages to check whether the session has been registered; if not, redirect to index.

Is there any example on the net about it?
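An added example, not code from this thread or from any of its posters, that puts PHP_Chimp's points 2 and 3 (destroy the session on logout; limit how long an ID stays active) and the page guard asked for in the post above into one PHP file. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params), a PDO connection in $pdo, a users table with columns id, username, password_hash and status, and index.php as the public landing page; all of those names are assumptions, not details from the thread. The password itself is never stored in the session, only the user's id.

```php
<?php
// Added example, not the thread's own code. Assumed: PHP >= 7.3, a PDO
// connection $pdo, a users table (id, username, password_hash, status),
// and index.php as the public landing page.
declare(strict_types=1);

const SESSION_IDLE_LIMIT   = 1800; // seconds of inactivity before re-login is required
const SESSION_ROTATE_EVERY = 300;  // seconds between session ID rotations

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie-only sessions: an ID passed in the URL is never accepted, and
    // strict mode rejects IDs the server did not issue itself, which is the
    // "keys left lying around" problem PHP_Chimp describes.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => isset($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called from the login form handler with the submitted credentials.
function login(PDO $pdo, string $username, string $password): bool
{
    start_secure_session();

    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = ? AND status = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Throw away whatever session ID the browser arrived with, so an ID that
    // was planted before login is worthless afterwards (the "change the lock" step).
    session_regenerate_id(true);

    $_SESSION['user_id']       = (int) $row['id'];
    $_SESSION['last_activity'] = time();
    $_SESSION['last_rotation'] = time();
    return true;
}

// Put this at the top of every page that requires a logged-in user.
function require_login(): void
{
    start_secure_session();
    $now = time();

    if (!isset($_SESSION['user_id'])
        || $now - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT) {
        logout();                      // never logged in, or idle too long
        header('Location: index.php');
        exit;
    }

    $_SESSION['last_activity'] = $now;

    // Rotate the ID periodically so a copied cookie has a short useful life.
    if ($now - $_SESSION['last_rotation'] > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['last_rotation'] = $now;
    }
}

// "Collect the keys when they leave": wipe server-side data and the cookie.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

In the login handler you would call login($pdo, $_POST['username'], $_POST['password']) and redirect on true; each protected page starts with require_login(); and the logout link calls logout() and then redirects to index.php. Storing only the user id rather than the password means a stolen session dump reveals nothing reusable elsewhere, and the idle limit plus rotation bound how long any one ID is valid.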