Let me talk briefly about how I manage user authentication:
1) As usual, I've a form with User & Password
2) If the data matches the Database (users table), I create a Session ID
(sessions table), and pass back this info to the user on every link of
the page retrieved (SessionID parameter). I set up a cookie on the
client's machine as well
3) Every time the user clicks a link, I read the SessionID parameter,
comparing it to the sessions table data, to see whether he is logged in or
not. I also check whether he has the cookie.
I think that with this kind of procedure it is hard to hijack a user
session.
What do you think?
regards - jm

ju*******@gmail.com wrote:
> I think that with this kind of procedure it is hard to hijack a user session. What do you think?
You can test this yourself by faking the HTTP request sent to the server
from another machine using a valid session ID.
Just use PHP's socket functions or a HTTP client like wget to send something
like:
GET / HTTP/1.0
Host: yourhost
Cookie: SessionId=<sessionid>
When this succeeds, it means that your sessions aren't bound to a specific
host, and you should revise your approach.
JW
Janwillem Borleffs wrote:
> ju*******@gmail.com wrote:
> > I think that with this kind of procedure it is hard to hijack a user session. What do you think?
> You can test this yourself by faking the HTTP request sent to the server from another machine using a valid session ID.
Well, I already tried it, and it doesn't work at all. I mean, only
pasting the URL in the browser's address bar of another computer, the
user can't authenticate, because the cookie isn't there, so in some
way I could say that it is working well.
What I was wondering is: Is there any (simple/easy) way to hijack a
cookie remotely? (to be afraid of)

ju*******@gmail.com wrote:
> What I was wondering is: Is there any (simple/easy) way to hijack a cookie remotely? (to be afraid of)
When you have the session ID, all you need to do is to pass it as a cookie
header (not from a URL) to fake the call.
With wget, I think it's done with something like:
wget --header="Cookie: SessionID=sessionid" URL
JW
Janwillem Borleffs wrote:
> ju*******@gmail.com wrote:
> > What I was wondering is: Is there any (simple/easy) way to hijack a cookie remotely? (to be afraid of)
> When you have the session ID, all you need to do is to pass it as a cookie header (not from a URL) to fake the call.
I forgot to mention that the cookie's value isn't the same as the
session ID value...
It's something like this:
$val = sha1($ID_session . $HiddenStringWhichNeverLeaveTheServer); // '.' concatenates in PHP; '+' would add numerically

ju*******@gmail.com wrote:
> Janwillem Borleffs wrote:
> > ju*******@gmail.com wrote:
> > > I think that with this kind of procedure it is hard to hijack a user session. What do you think?
> > You can test this yourself by faking the HTTP request sent to the server from another machine using a valid session ID.
> Well, I already tried it, and it doesn't work at all. I mean, only pasting the URL in the browser's address bar of another computer, the user can't authenticate, because the cookie isn't there, so in some way I could say that it is working well.
> What I was wondering is: Is there any (simple/easy) way to hijack a cookie remotely? (to be afraid of)
Not unless you can intercept the packets somewhere between the server and the
client, or have access to the server file system (assuming you are using the
default session handler in PHP).
The session id is a random string of 32 alphanumeric chars - virtually
impossible for anyone to guess.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Jerry Stuckle wrote:
> ju*******@gmail.com wrote:
> > What I was wondering is: Is there any (simple/easy) way to hijack a cookie remotely? (to be afraid of)
> Not unless you can intercept the packets somewhere between the server and the client, or have access to the server file system (assuming you are using the default session handler in PHP).
I'm not using the default session handler.
I pass the session ID as
url_to_my_file.php?session=VALUE,
where VALUE is created from:
VALUE = md5(uniqid(rand(), true));
CookieValue = sha1(VALUE . HiddenString); // '.' concatenates in PHP
When I receive a client request, I look up both the session AND the
cookie's value to see whether the client is logged in or not.
It seems to me pretty safe, but I'm not an expert at all...

ju*******@gmail.com wrote:
> Jerry Stuckle wrote:
> > ju*******@gmail.com wrote:
> > > What I was wondering is: Is there any (simple/easy) way to hijack a cookie remotely? (to be afraid of)
> > Not unless you can intercept the packets somewhere between the server and the client, or have access to the server file system (assuming you are using the default session handler in PHP).
> I'm not using the default session handler.
> I pass the session ID as
> url_to_my_file.php?session=VALUE,
> where VALUE is created from:
> VALUE = md5(uniqid(rand(), true));
> CookieValue = sha1(VALUE . HiddenString);
> When I receive a client request, I look up both the session AND the cookie's value to see whether the client is logged in or not. It seems to me pretty safe, but I'm not an expert at all...
It's not really any safer than just using the default session handler - which,
as I said before, is fairly safe but not foolproof. However, neither is your
method foolproof.
And if you're doing something which requires that much security, you should be
using SSL anyway - in which case the session id is encrypted anyway.
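A server-side sketch of the scheme debated in this thread (session id in the URL plus a cookie derived from it with a server secret), added here as an example that is none of the posters' code: it replaces md5(uniqid(rand())) with a CSPRNG id and sha1(id . secret) with an HMAC checked in constant time, and its validation shows both what the design stops (missing or wrong cookie, unknown id) and what it does not (a captured id+cookie pair replays from any host, which is why Jerry points at SSL). SERVER_SECRET, SESSIONS and the function names are assumptions, not anything from the thread.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret: in a real deployment this is loaded from server-side
# config and never leaves the server (the thread's "HiddenString").
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# In-memory stand-in for the thread's "sessions table": session id -> user id.
SESSIONS = {}


def cookie_for(session_id):
    """Derive the cookie value from the session id with a keyed MAC.

    HMAC-SHA256 replaces sha1(id . secret): the secret is used as a real key,
    and the construction is not subject to length-extension.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(user_id):
    """Open a session: CSPRNG id (32 hex chars) plus the cookie value bound to it."""
    session_id = secrets.token_hex(16)  # instead of md5(uniqid(rand(), true))
    SESSIONS[session_id] = user_id
    return session_id, cookie_for(session_id)


def validate_request(session_param, cookie_value):
    """Check the URL 'session' parameter together with the cookie value.

    Returns the user id on success, None otherwise. Note what this does not
    do: nothing ties the pair to a client host, so a captured id+cookie pair
    validates from anywhere; TLS is what protects the pair in transit.
    """
    if session_param not in SESSIONS or not isinstance(cookie_value, str):
        return None
    expected = cookie_for(session_param)
    # Constant-time comparison so the check does not leak the expected value via timing.
    if not hmac.compare_digest(expected.encode(), cookie_value.encode()):
        return None
    return SESSIONS[session_param]


def destroy_session(session_id):
    """Server-side logout: the id stops validating even if the pair was captured."""
    SESSIONS.pop(session_id, None)
```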