I have read quite a few articles on "fingerprinting " a user when they
start a session. Chris Shiflett has a good article here: http://shiflett.org/articles/the-truth-about-sessions
However, this part of his (and all the other similar articles) doesn't
make sense to me.
session_start() ;
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
$_SESSION['fingerprint'] = md5($fingerprin t . session_id());
"With a fingerprint that is difficult to guess, little is gained without
leveraging this information in an additional way than demonstrated thus
far."
I don't really understand how this is more secure than just feeding
$_SERVER['HTTP_USER_AGEN T'] into md5() without the secret seed, but I
must be missing something because everybody that talks about
fingerprinting seems to advocate adding a seed.
I am confused because as far as I can tell, every subsequent request the
user makes really only depends on $_SERVER['HTTP_USER_AGEN T']. If an
attacker can successfully spoof this value, what does any of the
secretstuff matter? In order to check that we have a "valid" browser
after the initial saving in the session, we will have to re-supply the
seed and md5 representation after every submission of the user agent.
Given the above code, the only scenario I can envision in which we can
successfully match up this info would be something along the lines of:
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
if(md5($fingerp rint) != $_SESSION['fingerprint'])
{
// prompt for password
}
called on each page, which to me doesn't really add any security since
we are providing what secretstuff is on every page.
Sorry for the length, and thanks in advance. 7  2743 
Marcus wrote: I have read quite a few articles on "fingerprinting " a user when they
start a session. Chris Shiflett has a good article here:
http://shiflett.org/articles/the-truth-about-sessions
However, this part of his (and all the other similar articles) doesn't
make sense to me.
session_start() ;
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
$_SESSION['fingerprint'] = md5($fingerprin t . session_id());
"With a fingerprint that is difficult to guess, little is gained without
leveraging this information in an additional way than demonstrated thus
far."
I don't really understand how this is more secure than just feeding
$_SERVER['HTTP_USER_AGEN T'] into md5() without the secret seed, but I
must be missing something because everybody that talks about
fingerprinting seems to advocate adding a seed.
I am confused because as far as I can tell, every subsequent request the
user makes really only depends on $_SERVER['HTTP_USER_AGEN T']. If an
attacker can successfully spoof this value, what does any of the
secretstuff matter? In order to check that we have a "valid" browser
after the initial saving in the session, we will have to re-supply the
seed and md5 representation after every submission of the user agent.
Given the above code, the only scenario I can envision in which we can
successfully match up this info would be something along the lines of:
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
if(md5($fingerp rint) != $_SESSION['fingerprint'])
{
// prompt for password
}
called on each page, which to me doesn't really add any security since
we are providing what secretstuff is on every page.
Sorry for the length, and thanks in advance.
Marcus,
Did you ask him about it? He should be able to justify his position.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Marcus said the following on 14/11/2005 08:10: I have read quite a few articles on "fingerprinting " a user when they
start a session. Chris Shiflett has a good article here:
http://shiflett.org/articles/the-truth-about-sessions
However, this part of his (and all the other similar articles) doesn't
make sense to me.
session_start() ;
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
$_SESSION['fingerprint'] = md5($fingerprin t . session_id());
"With a fingerprint that is difficult to guess, little is gained without
leveraging this information in an additional way than demonstrated thus
far."
I don't really understand how this is more secure than just feeding
$_SERVER['HTTP_USER_AGEN T'] into md5() without the secret seed, but I
must be missing something because everybody that talks about
fingerprinting seems to advocate adding a seed.
I agree. Equally, I don't see what benefits using md5() gives at all.
Why not just store $_SERVER['HTTP_USER_AGEN T'] in $_SESSION directly?
--
Oli
>However, this part of his (and all the other similar articles) doesn't make sense to me.
session_start( );
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
$_SESSION['fingerprint'] = md5($fingerprin t . session_id());
"With a fingerprint that is difficult to guess, little is gained without
leveraging this information in an additional way than demonstrated thus
far."
I don't really understand how this is more secure than just feeding
$_SERVER['HTTP_USER_AGEN T'] into md5() without the secret seed, but I
must be missing something because everybody that talks about
fingerprinti ng seems to advocate adding a seed.
Consider other threats than the user. If someone manages to snoop
your session data (say, an employee of your hosting company), the
extra secret stuff makes the fingerprint a bit harder to interpret
and it's harder for that person to endanger your users.
I think that argument is a bit weak, but it's a real possibility.
Gordon L. Burditt
Gordon Burditt said the following on 14/11/2005 15:17: However, this part of his (and all the other similar articles) doesn't
make sense to me.
session_start ();
$fingerprin t = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
$_SESSION['fingerprint'] = md5($fingerprin t . session_id());
"With a fingerprint that is difficult to guess, little is gained without
leveraging this information in an additional way than demonstrated thus
far."
I don't really understand how this is more secure than just feeding
$_SERVER['HTTP_USER_AGEN T'] into md5() without the secret seed, but I
must be missing something because everybody that talks about
fingerprintin g seems to advocate adding a seed.
Consider other threats than the user. If someone manages to snoop
your session data (say, an employee of your hosting company), the
extra secret stuff makes the fingerprint a bit harder to interpret
and it's harder for that person to endanger your users.
I think that argument is a bit weak, but it's a real possibility.
It's possible, but if someone has that level of access to your data,
then you're pretty much screwed anyway, I would have imagined...
If they can access your session data folder, then it's probably not
going to be much of a challenge for them to access your scripts and do
anything they want.
--
Oli
Oli Filth wrote: Gordon Burditt said the following on 14/11/2005 15:17:
However, this part of his (and all the other similar articles)
doesn't make sense to me.
session_start() ;
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
$_SESSION['fingerprint'] = md5($fingerprin t . session_id());
"With a fingerprint that is difficult to guess, little is gained
without leveraging this information in an additional way than
demonstrated thus far."
I don't really understand how this is more secure than just feeding
$_SERVER['HTTP_USER_AGEN T'] into md5() without the secret seed, but I
must be missing something because everybody that talks about
fingerprinting seems to advocate adding a seed.
Consider other threats than the user. If someone manages to snoop
your session data (say, an employee of your hosting company), the
extra secret stuff makes the fingerprint a bit harder to interpret
and it's harder for that person to endanger your users.
I think that argument is a bit weak, but it's a real possibility.
It's possible, but if someone has that level of access to your data,
then you're pretty much screwed anyway, I would have imagined...
If they can access your session data folder, then it's probably not
going to be much of a challenge for them to access your scripts and do
anything they want.
Thanks guys, I will try and email Chris and see what he says. I emailed
him once before with a question about an article of his and he was very
helpful in his response, but it took a long time - I'm sure he gets
deluged with emails every day for the numerous articles he writes. In
the meantime, am I performing my check right? That is my biggest
confusion... if I am performing the
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGEN T'];
if(md5($fingerp rint) != $_SESSION['fingerprint'])
{
// prompt for password
}
check correctly, I see no real reason to use the full fingerprint (other
than what Gordon pointed out). However, if I am missing something here
and should be performing the check some other way, I could definitely
see the benefit in using some sort of padding to create a fingerprint
that does not simply contain the user agent. Thanks!!!
I think I just figured out the reasoning...
Oli, in response to what you said, I believe we don't want to just store
the user agent in the session in plain text because if an attacker were
to hijack the session, he would easily know what user agent to spoof in
order to trick the system into thinking he is the legit user.
Even with the md5 representation, I don't think it would be *that*
difficult for an attacker who was motivated to supply the correct user
agent for a compromised session, although obviously it would be more
difficult than plain text.
I believe the reason for padding the fingerprint with extra data is so
that if an attacker does in fact hijack a session, it would be tougher
for him to reverse engineer what the user agent is from the saved
fingerprint (as opposed to plain text or the md5 of just the browser).
Someone please correct me if I am wrong, but as far as I know md5 is a
one way function, i.e. we can't reverse it and come back to our original
string.
Marcus said the following on 14/11/2005 18:38: I think I just figured out the reasoning...
Oli, in response to what you said, I believe we don't want to just store
the user agent in the session in plain text because if an attacker were
to hijack the session, he would easily know what user agent to spoof in
order to trick the system into thinking he is the legit user.
Even with the md5 representation, I don't think it would be *that*
difficult for an attacker who was motivated to supply the correct user
agent for a compromised session, although obviously it would be more
difficult than plain text.
I believe the reason for padding the fingerprint with extra data is so
that if an attacker does in fact hijack a session, it would be tougher
for him to reverse engineer what the user agent is from the saved
fingerprint (as opposed to plain text or the md5 of just the browser).
But a hacker doesn't have access to the saved fingerprint, because it's
saved server-side. It never leaves the server. So encrypting it, etc. is
pointless.
The only exception to this is if the hacker has actually somehow got
access to the session data folder on the server, but if he has that
level of access then you're buggered anyway.
Regardless of how the user-agent string is stored server-side, the input
to the session "validation " routine is simply the plain user-agent string.
Either the hacker knows the user-agent-string or he doesn't, so IMO what
happens behinds the scenes is completely irrelevant.
i.e. if you have some string X, and want to validate it against string
Y, it doesn't matter whether you do:
if (X == Y) ...
or:
if (f(X) == f(Y)) ...
Someone please correct me if I am wrong, but as far as I know md5 is a
one way function, i.e. we can't reverse it and come back to our original
string.
This is true.
--
Oli This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Sims |
last post by:
Hi,
if i use...
// php
$info = getenv("HTTP_USER_AGENT");
// I noticed that Mozzila and Netscape <6(?) both use the same Agent.
// so i was thinking of
if (preg_match("/Mozilla/i", $info)) {
|
by: ruggierorizzi |
last post by:
Hi again,
what is exact sense of $_SERVER output?
Tnx, bye
|
by: Sharon |
last post by:
Can I use request.servervariables("HTTP_USER_AGENT") to determine if the
user has Firefox or Internet Explorer? Is the return string differentiated
enough?
Thanks for any input.
|
by: juglesh |
last post by:
are
$_SERVER in php
and
navigator.userAgent in js
the same thing? always?
I just need to determine if the browser is IE5+ on win32 (.png issues).
|
by: patelxxx |
last post by:
When I run the code below, the $ENV{'HTTP_USER_AGENT'} is coming up blank, I'm saved the file under .pl and .cgi extensions and still I can't display the browser name.
For this reason the code below goes straight to the else statement, In actual fact I'm using IE.
Where I'm I going wrong?
#!/usr/bin/perl
print "Content-type:text/html\n\n";
| | |
by: Gordon |
last post by:
As part of a data collecting system (basically a system that collects
submissions from forms), I was planning on logging a bit of data about
the submitting user agent for the purposes of spotting things like
multiple submissions.
We don't want to block multiple submissions altogether, we just want
to be able to easily spot them.
My idea was to use the $_SERVER fields to get some data about the user
agent, md5 the collected data and...
|
by: =?Utf-8?B?Yml0YnVja2V0?= |
last post by:
hi:
i have an asp.net 1.1 app. when i visit the site with my normal browser (ie7
on xp), i get 'default' info in the request.browser object (Type = Unknown,
Name = Unknown, Version = 0.0, etc.). when i visit with firefox or safari,
the results come back as expected. i've also used 'fiddler' to set my user
agent string to ie7 and 8 and, here also, success.
as far as i can guess, it seems that my user agent string gets 'choked' upon...
|
by: kailashchandra |
last post by:
<html>
<head>
<title>PHP Test</title>
</head>
<body>
<?php echo $_SERVER; ?>
</body>
</html>
|
by: Moiseszaragoza |
last post by:
I am wondering what is the equivalent of Request.ServerVariables("HTTP_USER_AGENT") in C#?
Thanks
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
| | |
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
