www.webdeveloper.com

Thread: How to prevent session hijacking and session fixation

  1. #1
    Join Date
    Jun 2013
    Posts
    33

    How to prevent session hijacking and session fixation

    I don't know how to prevent session hijacking and session fixation. I read a book on PHP (Cookbook), but I could not grasp the concept. So what's the procedure? Please help.
    Thanks.

  2. #2
    Join Date
    Sep 2013
    Posts
    221
    The best method to prevent session hijacking is to make sure an attacker cannot find out another user's session ID. This means you should design your application and its session management keeping the following things in mind:
    1. An attacker cannot guess a valid session ID, because it has enough entropy.
    2. There is no other way for an attacker to obtain a valid session ID through known attacks like sniffing the network communication, Cross-Site Scripting, etc.

    Hope this helps.
    Thanks.
    strad solutions www.stradsolutions.com

  3. #3
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,148
    One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again. This is not a cure-all, but can help in some cases, in particular someone sniffing the cookies on a non-https connection (another good reason to use https?).

    It's also a good idea to make the user log in any time they hit a particularly sensitive page and their last log-in was more than some arbitrary time in the past.

    For more details and other ideas, I recommend Essential PHP Security.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  4. #4
    Join Date
    Apr 2010
    Posts
    88
    Quote Originally Posted by NogDog
    One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again.
    I would not suggest using the IP for tracking purposes, because a single user can use a different IP address for each request (the request might come from a different proxy). Also, multiple users might use the same IP address (many computer labs use an HTTP proxy).

  5. #5
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,148
    Quote Originally Posted by gvre
    I would not suggest using the IP for tracking purposes, because a single user can use a different IP address for each request (the request might come from a different proxy).
    Yes, in theory they could, but I suspect the number of people who use a different proxy for each page request from the same site during the same browsing session are very, very small?

    Also, multiple users might use the same IP address (many computer labs use an HTTP proxy).
    That won't matter for what I'm suggesting, though it would mean that if, say, a co-worker stole your session cookie, then that technique would not help.

  6. #6
    Join Date
    Apr 2010
    Posts
    88
    Quote Originally Posted by NogDog
    Yes, in theory they could, but I suspect the number of people who use a different proxy for each page request from the same site during the same browsing session are very, very small?
    Not necessarily. Some ISPs use round-robin proxies for their clients. Furthermore, users may use load balancing on multiple internet connections, so their IP might change often.

  7. #7
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,148
    Some useful info here: http://stackoverflow.com/questions/1...cking#12234563

    (Would seem to agree that the best way is to make the session ID as unknowable as possible (high entropy on the ID, must use HTTPS, note the PHP session settings) and not try to detect changes via IP, user agent header, etc.)
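Putting the thread's advice into PHP (high-entropy cookie-only IDs, HTTPS-only and HttpOnly cookies, a fresh ID at login against fixation, re-login for sensitive pages instead of IP checks), as an added example that is not code from any post here; REAUTH_WINDOW and the function names are assumptions:

```php
<?php
// Added example (not from the thread): hardened PHP session handling for
// the points raised above: an unguessable ID, no leakage over plain HTTP
// or to script, a fresh ID at login against fixation, and re-auth for
// sensitive pages. Needs PHP 7.3+ for the array forms used below.
declare(strict_types=1);
// Assumed re-authentication window in seconds; tune to the application.
const REAUTH_WINDOW = 900;

function start_secure_session(): void
{
    // Reject IDs the server never issued: a pre-chosen ID planted on the
    // victim is simply ignored and replaced.
    ini_set('session.use_strict_mode', '1');
    // Only ever read the ID from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // 48 characters x 6 bits = 288 bits of entropy per ID (PHP 7.1+).
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');
    session_set_cookie_params([
        'lifetime' => 0,      // dies with the browser
        'path'     => '/',
        'secure'   => true,   // HTTPS only, so it cannot be sniffed on plain HTTP
        'httponly' => true,   // invisible to JavaScript, limiting theft via XSS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $userId): void
{
    // New ID on every privilege change; true deletes the old session data
    // so an ID known before authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_auth'] = time();
}

function has_recent_auth(): bool
{
    // Sensitive pages call this and redirect to the login form on false.
    return isset($_SESSION['last_auth'])
        && (time() - $_SESSION['last_auth']) <= REAUTH_WINDOW;
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();   // cookie expires with the browser (lifetime 0)
}
```

Call start_secure_session() before any output on every page, login_user() only after the credentials have been verified, and has_recent_auth() at the top of pages such as password change or payment.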
