
Is PHP session safe?

1. For example, without SSL, if I capture my local LAN packets and
scan the session ID, is it possible to hijack the session?

2. So any recommendation for web apps session handling without SSL?

Thanks.

Jun 11 '07 #1
howa wrote:
> 1. For example, without SSL, if I capture my local LAN packets and
> scan the session ID, is it possible to hijack the session?
Unfortunately, yes.
> 2. So any recommendation for web apps session handling without SSL?
- use very short session life time
- force user to login again before doing something important

--
Wiktor Walc
http://phpfreelancer.net
Jun 11 '07 #2
> - use very short session life time
> - force user to login again before doing something important
I found that many sites, like Yahoo! or Google, only use SSL during
authentication; the rest of their services are provided over plain HTTP
only...

Really interested in how to prevent session hijacking, especially from
neighbor hosts with the SAME IP; really difficult...

Jun 11 '07 #3
> - use very short session life time
> - force user to login again before doing something important
And change the session ID whenever you change user rights (i.e., after a
successful login). PHP's function session_regenerate_id() is suitable
for this.

Search the net for "session hijacking" and "session fixation". There is
a lot of info available...

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Jun 11 '07 #4
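A worked example, added here and not taken from the thread, that puts the advice of replies #2 and #4 into PHP: a short idle lifetime, a fresh login before important actions, and session_regenerate_id() when rights change. The constants and function names (IDLE_LIMIT, login(), require_recent_auth(), and so on) are assumptions, and the caller is assumed to have verified the user's credentials before calling login().

```php
<?php
// Added example (not from the thread). Names and limits are assumptions.
const IDLE_LIMIT   = 900;   // 15 min without a request ends the session
const REAUTH_LIMIT = 300;   // "important" actions need a login < 5 min old

// Hardening before session_start(): no ids in URLs (a fixation vector),
// refuse ids the server never issued, keep the cookie away from scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Returns true if a logged-in session exists and has not gone idle.
function session_is_live()
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Call once credentials are verified. Rights change here, so the id is
// replaced: an id sniffed or fixed before login is useless afterwards.
function login($user_id)
{
    session_regenerate_id(true);   // true = discard the old session data
    $_SESSION['user_id']   = $user_id;
    $_SESSION['last_seen'] = time();
    $_SESSION['auth_at']   = time();
}

// Guard for sensitive pages: send the user back through the login form
// if the last authentication is older than REAUTH_LIMIT.
function require_recent_auth()
{
    if (!session_is_live() || time() - $_SESSION['auth_at'] > REAUTH_LIMIT) {
        header('Location: /login.php?reauth=1');
        exit;
    }
}

function logout()
{
    $_SESSION = array();
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

session.cookie_secure is left unset only because the question assumes no SSL; wherever HTTPS is available it belongs in the ini_set() block as well.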
iktorn wrote:
> howa wrote:
>> 1. For example, without SSL, if I capture my local LAN packets and
>> scan the session ID, is it possible to hijack the session?
>
> Unfortunately, yes.
>> 2. So any recommendation for web apps session handling without SSL?
>
> - use very short session life time
> - force user to login again before doing something important
How about caching the initiating IP during session creation? Unless the
potential hijacker is behind the same NAT box, he will have a different
IP and should not be able to hijack.

Roman
Jun 12 '07 #5
Roman wrote:
> iktorn wrote:
>> howa wrote:
>>> 1. For example, without SSL, if I capture my local LAN packets and
>>> scan the session ID, is it possible to hijack the session?
>> Unfortunately, yes.
>>> 2. So any recommendation for web apps session handling without SSL?
>> - use very short session life time
>> - force user to login again before doing something important
>
> How about caching the initiating IP during session creation? Unless the
> potential hijacker is behind the same NAT box, he will have a different
> IP and should not be able to hijack.
>
> Roman
And what do you do when the IP address can change with every request -
for instance, AOL users and some corporations?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 12 '07 #6
> And what do you do when the IP address can change with every request -
> for instance, AOL users and some corporations?
Hi,

You made a very good point; I never thought that the IP address could
change with every request...

How about only relying on the first 3 parts, e.g. 202.92.94.xxx (dropping
the last part)?
Jun 12 '07 #7
..oO(howa)
>> And what do you do when the IP address can change with every request -
>> for instance, AOL users and some corporations?
>
> You made a very good point; I never thought that the IP address could
> change with every request...
>
> How about only relying on the first 3 parts, e.g. 202.92.94.xxx (dropping
> the last part)?
Still not reliable. The really big companies and providers usually have
class B or even class A networks, which means that the last two or three
octets may change. Even entirely different IPs are possible, so relying
on that is _never_ reliable.

Micha
Jun 12 '07 #8
Michael Fesser wrote:
> Still not reliable. The really big companies and providers usually have
> class B or even class A networks, which means that the last two or three
> octets may change. Even entirely different IPs are possible, so relying
> on that is _never_ reliable.
Indeed, my workplace isn't a big company -- it's a medium charity, with
fewer than 100 employees -- but we have three ADSL lines with two
different ISPs, providing us with some redundancy. Each ADSL line has a
very different IP address (not even the first octet is the same). Because
of our load balancing router, a request from a computer in our office
could appear to come from any of those three IP addresses.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 109 days, 4:18.]

URLs in demiblog
http://tobyinkster.co.uk/blog/2007/05/31/demiblog-urls/
Jun 12 '07 #9
howa wrote:
>> And what do you do when the IP address can change with every request -
>> for instance, AOL users and some corporations?
>
> Hi,
>
> You made a very good point; I never thought that the IP address could
> change with every request...
>
> How about only relying on the first 3 parts, e.g. 202.92.94.xxx (dropping
> the last part)?

No guarantee there, either - although I don't see why it should change,
you're also losing a main security feature. Just figure that IP
addresses are not reliable security indicators.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 12 '07 #10
On Jun 12, 11:05 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> howa wrote:
>>> And what do you do when the IP address can change with every request -
>>> for instance, AOL users and some corporations?
>> Hi,
>> You made a very good point; I never thought that the IP address could
>> change with every request...
>> How about only relying on the first 3 parts, e.g. 202.92.94.xxx (dropping
>> the last part)?
>
> No guarantee there, either - although I don't see why it should change,
> you're also losing a main security feature. Just figure that IP
> addresses are not reliable security indicators.
>
> --
> Jerry Stuckle
> JDS Computer Training Corp.
Maybe you can do that with AJAX.
What about changing the session_id on every request?

Or check if 2 Users with the same ip are logged in?

Jun 13 '07 #11
ma*********@googlemail.com wrote:
> On Jun 12, 11:05 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> howa wrote:
>>>> And what do you do when the IP address can change with every request -
>>>> for instance, AOL users and some corporations?
>>> Hi,
>>> You made a very good point; I never thought that the IP address could
>>> change with every request...
>>> How about only relying on the first 3 parts, e.g. 202.92.94.xxx (dropping
>>> the last part)?
>> No guarantee there, either - although I don't see why it should change,
>> you're also losing a main security feature. Just figure that IP
>> addresses are not reliable security indicators.
>>
>> --
>> Jerry Stuckle
>> JDS Computer Training Corp.
>
> Maybe you can do that with AJAX.
> What about changing the session_id on every request?
>
> Or check if 2 Users with the same ip are logged in?
Ajax requires JavaScript to be enabled. And in a small corporation with a
single firewall/proxy, all users will have the same IP address.

IP addresses are not reliable at any time other than when responding to
the immediate request.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 13 '07 #12
On Jun 13, 11:44 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Ajax requires JavaScript to be enabled. And in a small corporation with a
> single firewall/proxy, all users will have the same IP address.
>
> IP addresses are not reliable at any time other than when responding to
> the immediate request.
Yes, IP should not be used, I agree.

Back to the corporation example: if SSL can't be used, what are the
best practices for protecting the session cookie?

Seems there is no 100% safe solution - if people can capture your
requests and can reproduce them!
Jun 13 '07 #13
howa wrote:
> On Jun 13, 11:44 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Ajax requires JavaScript to be enabled. And in a small corporation with a
>> single firewall/proxy, all users will have the same IP address.
>>
>> IP addresses are not reliable at any time other than when responding to
>> the immediate request.
>
> Yes, IP should not be used, I agree.
>
> Back to the corporation example: if SSL can't be used, what are the
> best practices for protecting the session cookie?
>
> Seems there is no 100% safe solution - if people can capture your
> requests and can reproduce them!

No, short of SSL, there is no safe solution. Anyone anywhere between
the client and the server can intercept the data and use it for whatever
reason. Of course, because there's no guarantee as to what route a
packet will follow, the most likely places to intercept the packets are
on either end.

But then that's why SSL was invented.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 13 '07 #14
On Jun 14, 12:21, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> No, short of SSL, there is no safe solution. Anyone anywhere between
> the client and the server can intercept the data and use it for whatever
> reason. Of course, because there's no guarantee as to what route a
> packet will follow, the most likely places to intercept the packets are
> on either end.
>
> But then that's why SSL was invented.
Okay, let's have some constraints: say you can use SSL during login, but
you can't use SSL for data transmission afterward; is it possible then?
(similar to Yahoo or Gmail)
Jun 14 '07 #15
>> No, short of SSL, there is no safe solution. Anyone anywhere between
>> the client and the server can intercept the data and use it for whatever
>> reason. Of course, because there's no guarantee as to what route a
>> packet will follow, the most likely places to intercept the packets are
>> on either end.
>>
>> But then that's why SSL was invented.
>
> Okay, let's have some constraints: say you can use SSL during login, but
> you can't use SSL for data transmission afterward; is it possible then?
> (similar to Yahoo or Gmail)
SSL isn't 100% safe, either. I could guess the key on the first
try. (VERY unlikely!) I could also guess an 8K-bit session cookie
on the first try. In the case of the session cookie, there's
sniffing it off the wire, session fixation, and a bunch of other
attacks after you've left the SSL session.

Jun 14 '07 #16
howa wrote:
> On Jun 14, 12:21, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> No, short of SSL, there is no safe solution. Anyone anywhere between
>> the client and the server can intercept the data and use it for whatever
>> reason. Of course, because there's no guarantee as to what route a
>> packet will follow, the most likely places to intercept the packets are
>> on either end.
>>
>> But then that's why SSL was invented.
>
> Okay, let's have some constraints: say you can use SSL during login, but
> you can't use SSL for data transmission afterward; is it possible then?
> (similar to Yahoo or Gmail)

No, the session id is still sent in plain text then, and can be
intercepted and hacked.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 14 '07 #17
