quick question regarding session hijacking



superjadex12
07-13-2007, 10:33 AM
So I've been researching session hijacking and trying to implement security measures into my standard php-mysql user-login project.

I have a general understanding of what hijacking is and ways to make it harder, such as hashing passwords with a salt, not using GET posts, etc.

But my main question is can an attacker CREATE a session array and use it on my site? For example, with most login pages (including mine), after an email/password combo is authenticated, I set non-sensitive session variables, and all the user pages will check if the vars are set: if they are, the page loads; if not, it redirects to the login.

So hijacking is using another person's session, but is it possible for an attacker to somehow create his own session if he knows the variable names I use?

Thanks.

Twey
07-13-2007, 01:44 PM
No. Sessions are stored on the server, and only the server can create or modify them.

superjadex12
07-13-2007, 06:12 PM
Thanks, Twey, that is what I was hoping to hear!

djr33
07-13-2007, 09:09 PM
Session vars are stored on the server. The session_id is the key to these, so you would need to have a valid session_id to access the variables.

This means that, no, you can't fake a session. You could choose an id if you worked at it a bit, but the server would then use this id to create a session. By this, someone could give you a link with a certain id in it (...page.php?sess_id=1234), and then you'd have that. In doing so, they would know the id of your session and could possibly hijack it.

To get around hijacking, it's best to verify the IP address with the original IP used.

Twey
07-13-2007, 09:17 PM
> Session vars are stored on the server. The session_id is the key to these, so you would need to have a valid session_id to access the variables.

No, even the holder of a valid session ID doesn't have access to the variables stored in the session that ID represents.

djr33
07-13-2007, 09:19 PM
Ah, yes. I mean that the holder of a certain session_id would be able to access the session, and thereby use the values on the server (not visibly), indirectly, of the session.
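As an added illustration of the two points djr33 raises above (an id handed to the victim in a link, and verifying the client after login), here is a hardened session setup for a PHP login page; it is example code written for this thread, not code from any poster. It assumes PHP 7.3 or later and a hypothetical authenticate() function that returns a user id or null.

```php
<?php
// Added example (not from the thread): session hardening for a PHP login page.
// Assumes a hypothetical authenticate($email, $password) that returns a user id or null.

// Take the session id only from the cookie, never from ?PHPSESSID=... in the URL,
// and refuse ids the server never issued (defeats the "link with a chosen id" trick).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');
session_start();

function login_user(int $userId): void {
    // A fresh id after authentication makes any id fixed before login worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
    // Remember the client fingerprint seen at login so later requests can be compared.
    $_SESSION['ua_hash']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['ip']         = $_SERVER['REMOTE_ADDR'] ?? '';   // optional, see note below
}

function require_login(): void {
    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '';
    $ok = isset($_SESSION['user_id'])
        && hash_equals($_SESSION['ua_hash'] ?? '', $uaHash)
        && ($_SESSION['ip'] ?? '') === $ip;
    if (!$ok) {
        logout_user();               // drop the suspect session entirely
        header('Location: /login.php');
        exit;
    }
}

function logout_user(): void {
    $_SESSION = [];
    // Expire the cookie so the browser stops presenting the old id.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on the login page:
//   $id = authenticate($_POST['email'], $_POST['password']);
//   if ($id !== null) { login_user($id); header('Location: /home.php'); exit; }
// Usage at the top of every protected page, after session_start():
//   require_login();
```

Binding to REMOTE_ADDR, as suggested above, will log out legitimate users whose address changes mid-session (mobile networks, proxy pools), so treat that check as optional; the id regeneration and strict-mode settings are the parts that actually stop a pre-chosen id from working.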