[nycphp-talk] Session security: protecting against hijacking attempts POSSIBLE SOLUTION

Hans Zaunere hans at nyphp.com
Wed Dec 22 20:30:18 EST 2004


> After thinking hard about what's involved with session hijacking, one
> thing seemed to be the lynchpin in attacks, the session id. If an
> attacker knows the session id, he can hijack the victim's session.
> 
> So my thought was to change the session id with every request. This
> way, the session is only good for a very short time. It also does a
> very adequate job of protecting against session fixation attacks
> (http://www.acros.si/papers/session_fixation.pdf) because once the
> attacker's session is used to gain permissions, it becomes an invalid
> id.

I did something like this using sequenced sessions.  It's basically the
same idea as the sequence numbers TCP uses (SYN/ACK).  See attached;  it
works pretty well and I've used it in a couple of sites.  Easy to use
and won't reuse the same session id more than once, making it easy to
detect if a hijack has occurred, and hard to perform a hijack to begin
with.  For high traffic environments, it could use a couple of
improvements.


---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org



-------------- next part --------------
A non-text attachment was scrubbed...
Name: pas.ss.php
Type: application/octet-stream
Size: 2277 bytes
Desc: pas.ss.php
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20041222/c7a69ba6/attachment.obj>
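The attachment itself is not preserved in the archive, so the following is an added example, not Hans's pas.ss.php: a small PHP store that implements the "sequenced session" idea from the reply. Every request consumes the id it presents and is handed a fresh one, and the store remembers consumed ids so that a stale id coming back is recognised as a replay or hijack and the whole session is ended. The array-backed store, the class and method names, and the walkthrough values are all assumptions of this example; PHP's own session_regenerate_id(true) rotates the id but does not keep the consumed-id bookkeeping that makes the detection possible, which is why it is spelled out here.

```php
<?php
declare(strict_types=1);

// Added example (not the pas.ss.php attachment): sequenced session ids.
// An id is valid for exactly one request. The store also remembers consumed
// ids: if one comes back, two parties hold the same cookie, and the session
// is ended rather than guessing which party is legitimate. The array-backed
// store stands in for a real backend; nothing here touches $_SESSION.

final class SequencedSessionStore
{
    public const OK      = 'ok';       // id was current; a new one is issued
    public const UNKNOWN = 'unknown';  // never issued, or its session already ended
    public const REPLAY  = 'replay';   // issued earlier and already consumed

    /** lineage id (internal, never sent) => ['sid' => current public id, 'seq' => int, 'data' => array] */
    private array $sessions = [];

    /**
     * Every public id ever issued, current or consumed => lineage id.
     * Grows without bound here; a production store would expire consumed ids
     * after a window, which is the kind of high-traffic improvement the reply mentions.
     */
    private array $issued = [];

    /** Call at login. Never carry a pre-login id forward: that is what fixation relies on. */
    public function start(array $data): string
    {
        $lineage = $this->freshId();
        $sid     = $this->freshId();
        $this->sessions[$lineage] = ['sid' => $sid, 'seq' => 0, 'data' => $data];
        $this->issued[$sid] = $lineage;
        return $sid;
    }

    /**
     * Validate the id a request presented and rotate it.
     * @return array{0:string, 1:?string, 2:?array} [outcome, new id to set as the cookie, session data]
     */
    public function step(string $presented): array
    {
        $lineage = $this->issued[$presented] ?? null;
        if ($lineage === null || !isset($this->sessions[$lineage])) {
            return [self::UNKNOWN, null, null];
        }
        $session = $this->sessions[$lineage];
        if (!hash_equals($session['sid'], $presented)) {
            // A consumed id came back. Whoever sent it (victim or attacker) is
            // out of step with the other holder; end the lineage for both.
            unset($this->sessions[$lineage]);
            return [self::REPLAY, null, null];
        }
        $newSid = $this->freshId();
        $this->sessions[$lineage]['sid'] = $newSid;
        $this->sessions[$lineage]['seq']++;
        $this->issued[$newSid] = $lineage;
        return [self::OK, $newSid, $session['data']];
    }

    /** Sequence number reached by a live session, given its current id (null otherwise). */
    public function sequence(string $sid): ?int
    {
        $lineage = $this->issued[$sid] ?? null;
        if ($lineage === null || !isset($this->sessions[$lineage])) {
            return null;
        }
        $session = $this->sessions[$lineage];
        return hash_equals($session['sid'], $sid) ? $session['seq'] : null;
    }

    private function freshId(): string
    {
        return bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    }
}

// ---- constructed walkthrough: cookie values are passed by hand, no web server ----
$store  = new SequencedSessionStore();
$cookie = $store->start(['user' => 'alice']);          // login issues the first id

[$outcome, $next, $data] = $store->step($cookie);       // Alice's first page view
printf("request 1: %s, seq=%d, user=%s\n", $outcome, $store->sequence($next), $data['user']);

// The id from the login response is presented again after Alice has already
// used it (a captured cookie or a replayed request). The store flags it and
// ends the session, so neither holder can continue.
[$outcome] = $store->step($cookie);
printf("stale id presented again: %s\n", $outcome);

// Alice's current id is dead as well; the application would send her to log in again.
[$outcome] = $store->step($next);
printf("Alice's current id afterwards: %s\n", $outcome);
```

The design choice worth noting is the separate internal lineage id: the public id changes on every request, but the server still needs a stable handle to find, and kill, the session that a stale id belongs to. Without that mapping the second presenter would simply look like an unknown visitor and the legitimate user would never learn that the cookie had been shared.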