[nycphp-talk] Experts help needed (Sessions)
Dan Cech
dcech at phpwerx.net
Thu Aug 4 09:40:37 EDT 2005
Joseph,
Your function would work the same way if it was:
$this->_key = $_SERVER['HTTP_USER_AGENT'];
If the attacker spoofs the client's HTTP_USER_AGENT string as well as
the session id they will pass the test.
Thus it doesn't actually provide any real added protection against
session hijacking, because any attacker who can get hold of the session
id will also be able to determine and spoof the user agent string.
I wish I had a 'silver bullet' solution to the problem that I could
recommend to you, but I don't.
Dan
Joseph Crawford wrote:
> guys is this a bit better way to check session validity?
>
> define('SES_KEY',
> md5('custom_string'.$_ENV['PROCESSOR_REVISION'].$_ENV['PROCESSOR_ARCHITECTURE'].$_ENV['PROCESSOR_LEVEL'].'custon_string'));
>
> $this->_key = md5($_SERVER['HTTP_USER_AGENT'].SES_KEY.$ses_id);
>
> that value is created and stored in the db on session start, then in my
> CheckSession function I am doing this
>
> if( $key !== $data['identifier'] )
>
> this ends up creating an identifier similar to this
>
> 733f97f78f00cd6d2f0d7955698ebac4a2aad2e4fb76d0a5862838e087a20251
>
> this is based on the users agent, the initial session key, and some server
> stuff with some custom strings that i put in there.
>
> This works just fine, I just wanted to know if it would be easy for someone
> to hijack a session with this added security. I am also wondering if I
> should set a cookie; I am not yet sure that I want the user to be able to
> log back in after they close their browser, I mean at least not without going
> through the login form
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
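To make Dan's point concrete, here is the key derivation from the quoted post written out as a pure function, with a check that compares its result against a plain user-agent comparison. This is an added example, not code from either poster; the `PROCESSOR_*` environment values are replaced by constructed stand-ins, and the session id and user-agent strings are constructed sample values.

```php
<?php
// Added example: the session "identifier" from the thread as a pure function
// of its inputs. Everything that goes into it is either a server-side constant
// (fixed for the lifetime of the server) or a value the client sends with each
// request (session id, User-Agent header).

// Stand-in for $_ENV['PROCESSOR_REVISION'], ['PROCESSOR_ARCHITECTURE'] and
// ['PROCESSOR_LEVEL'] in the original post. These are constructed values; the
// point is that they are identical for every request and every user.
define('SES_KEY', md5('custom_string' . 'x86' . '0f0b' . '6' . 'custon_string'));

// What gets stored in the database when the session starts.
function make_key(string $user_agent, string $session_id): string
{
    return md5($user_agent . SES_KEY . $session_id);
}

// The comparison done in CheckSession, expressed as a function returning bool.
// hash_equals() gives a constant-time comparison (PHP >= 5.6).
function check_session(string $stored_key, string $user_agent, string $session_id): bool
{
    return hash_equals($stored_key, make_key($user_agent, $session_id));
}

// --- Constructed demonstration values ---
$session_id = 'a1b2c3d4e5f6a7b8';                          // constructed
$victim_ua  = 'Mozilla/5.0 (Windows NT 5.1) Firefox/1.0';  // constructed
$stored     = make_key($victim_ua, $session_id);           // row in the DB

// For a fixed session id, the key check passes exactly when the presented
// User-Agent string equals the one recorded at session start. Nothing else in
// the key varies between requests, so it collapses to a user-agent comparison.
$trials = [
    ['Mozilla/5.0 (Windows NT 5.1) Firefox/1.0', 'same UA, original client'],
    ['curl/7.0',                                 'different UA'],
    ['Mozilla/5.0 (Windows NT 5.1) Firefox/1.0', 'same UA, any other client'],
];

foreach ($trials as [$ua, $label]) {
    $key_check = check_session($stored, $ua, $session_id);
    $ua_only   = ($ua === $victim_ua);
    printf("%-28s key check: %-5s  user-agent-only check: %s\n",
        $label, var_export($key_check, true), var_export($ua_only, true));
    // The two checks agree for every input: the md5 wrapping adds no
    // information the user-agent comparison did not already have.
    assert($key_check === $ua_only);
}
```

Running this prints `true`, `false`, `true` for both columns. The constants and the md5 make the identifier look opaque, but since the session id is the value being protected and the user agent travels in the clear with every request, a holder of both reproduces the key; the check only detects a session id presented with a changed User-Agent header, which is the situation Dan describes as offering no real added protection.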