Isomerizer Posted September 25, 2011 Share Posted September 25, 2011 (edited) So as most of you are aware; SESSION hijacking is becoming more common & easier to do. With ready made tools to allow even the most novice users attempt it. http://codebutler.com/firesheep So I ask myself, whats the best way to stop it? The methods I've implemented so far are: - Login IP compared with current IP. $IP = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']); if (preg_match('/[^0-9\\.]/i', $IP)) { die('Error - Invalid IP'); } // valid IP $agent = (is_string($_SERVER['HTTP_USER_AGENT'])) ? $_SERVER['HTTP_USER_AGENT'] : ''; if ($last['lastIP'] != $IP || $last['user_agent'] != $agent) { // IP/user_agent changed instantly, SESSION HIJACK ? ($last: latest IP/agent fetched from database - record IP/agent when user authenticates) die('Your IP/Browser has suddenly changed. Please close your browser & re-login...'); } - Login agent compared with current agent (same method as above, but compare $_SERVER['HTTP_USER_AGENT']). - Encrypt the SESSION content, but then again... seems pointless. It can't be edited, as it's server side. - Compare with $_COOKIE (client side), setcookie on authenticate. if ($_COOKIE['agent'] != md5($agent . session_id(). "3a2b1c")) { die('Your cookie configuration is incorrect. Please re-login to fix this.'); } So I may have only scraped the bottom of the barrel here, but what are your methods you use to secure your SESSION's from being hijacked? Edited September 26, 2011 by Isomerizer Quote Link to comment Share on other sites More sharing options...
Isomerizer Posted September 25, 2011 Author Share Posted September 25, 2011 (edited) Hey Iso, how are you, buddy? Anyway: 1. Do not use $_SERVER['HTTP_X_FORWARDED_FOR'] - easy to spoof. 2. Ereg/i is not deprecated - use preg_match instead. You could always lock it down, as you have, but you pretty much have the blocks in place that I can think of, without looking into it too much. session_id() is different in every browser, so maybe log that too - if it changes, set both sides of it to destroy all sessions, so that way, one has to log back in which would mean they are the rightful account owners - the others will just be threw out unless the account owner goes back to the site before. Thanks for the tips, I'll be sure to use preg_match. What about hashing session_id() & salt into a COOKIE, then comparing. Maybe harder for the jacker to identify, have you tried it? (Choosing a cookie over a database, I think is securer in this instance as its stored on the client. Making it harder for the jacker to obtain the session_id(), they'd need the cookie to dehash it. IF they realize the prevention method.) Thoughts? Edited September 25, 2011 by Isomerizer Quote Link to comment Share on other sites More sharing options...
Dave Posted September 25, 2011 Share Posted September 25, 2011 Just set a hash within the database and also store it alongside the database in some form of session or cookie. Then cross reference it like you've done. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.