Jump to content
MakeWebGames

Session Hi-Jacking


Isomerizer

Recommended Posts

So as most of you are aware; SESSION hijacking is becoming more common & easier to do.

With ready made tools to allow even the most novice users attempt it.

http://codebutler.com/firesheep

So I ask myself, whats the best way to stop it?

The methods I've implemented so far are:

- Login IP compared with current IP.

 

$IP = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
if (preg_match('/[^0-9\\.]/i', $IP)) { die('Error - Invalid IP'); }  // valid IP
$agent = (is_string($_SERVER['HTTP_USER_AGENT'])) ? $_SERVER['HTTP_USER_AGENT'] : '';

if ($last['lastIP'] != $IP || $last['user_agent'] != $agent) { // IP/user_agent changed instantly, SESSION HIJACK ? ($last: latest IP/agent fetched from database - record IP/agent when user authenticates)
    die('Your IP/Browser has suddenly changed. Please close your browser & re-login...');
}

 

- Login agent compared with current agent (same method as above, but compare $_SERVER['HTTP_USER_AGENT']).

- Encrypt the SESSION content, but then again... seems pointless. It can't be edited, as it's server side.

- Compare with $_COOKIE (client side), setcookie on authenticate.

 

if ($_COOKIE['agent'] != md5($agent . session_id(). "3a2b1c")) { die('Your cookie configuration is incorrect. Please re-login to fix this.'); }

 

So I may have only scraped the bottom of the barrel here, but what are your methods you use to secure your SESSION's from being hijacked?

Edited by Isomerizer
Link to comment
Share on other sites

Hey Iso, how are you, buddy?

Anyway:

1. Do not use $_SERVER['HTTP_X_FORWARDED_FOR'] - easy to spoof.

2. Ereg/i is not deprecated - use preg_match instead.

You could always lock it down, as you have, but you pretty much have the blocks in place that I can think of, without looking into it too much.

session_id() is different in every browser, so maybe log that too - if it changes, set both sides of it to destroy all sessions, so that way, one has to log back in which would mean they are the rightful account owners - the others will just be threw out unless the account owner goes back to the site before.

Thanks for the tips, I'll be sure to use preg_match.

What about hashing session_id() & salt into a COOKIE, then comparing. Maybe harder for the jacker to identify, have you tried it?

(Choosing a cookie over a database, I think is securer in this instance as its stored on the client. Making it harder for the jacker to obtain the session_id(), they'd need the cookie to dehash it. IF they realize the prevention method.)

Thoughts?

Edited by Isomerizer
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...