
Thread: quick question regarding session hijacking

  1. #1
    Join Date
    Jul 2006
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts

quick question regarding session hijacking

    So I've been researching session hijacking and trying to implement security measures into my standard php-mysql user-login project.

    I have a general understanding of what hijacking is and ways to make it harder, such as hashing passwords with a salt, not using GET posts, etc.

But my main question is: can an attacker CREATE a session array and use it on my site? For example, with most login pages (including mine), after an email/password combo is authenticated, I set non-sensitive session variables, and all the user pages check if the vars are set: if they are, the page loads; if not, it redirects to the login.

So hijacking is using another person's session, but is it possible for an attacker to somehow create his own session if he knows the variable names I use?

    Thanks.

  2. #2
    Join Date
    Jun 2005
    Location
United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    No. Sessions are stored on the server, and only the server can create or modify them.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  3. #3
    Join Date
    Jul 2006
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts


    Thanks, Twey, that is what I was hoping to hear!

  4. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    Session vars are stored on the server. The session_id is the key to these, so you would need to have a valid session_id to access the variables.

    This means that, no, you can't fake a session. You could choose an id if you worked at it a bit, but the server would then use this id to create a session. By this, someone could give you a link with a certain id in it (...page.php?sess_id=1234), and then you'd have that. In doing so, they would know the id of your session and could possibly hijack it.

    To get around hijacking, it's best to verify the IP address with the original IP used.
Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  5. #5
    Join Date
    Jun 2005
    Location
United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


> Session vars are stored on the server. The session_id is the key to these, so you would need to have a valid session_id to access the variables.
    No, even the holder of a valid session ID doesn't have access to the variables stored in the session that ID represents.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  6. #6
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    Ah, yes. I mean that the holder of a certain session_id would be able to access the session, and thereby use the values on the server (not visibly), indirectly, of the session.
Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
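The server-side model Twey and Daniel describe (post #2 and post #4), as an added PHP example that is not code from anyone in this thread: the browser only ever holds the session ID, the variables live on the server, and the fixation case in post #4 (a link carrying a chosen ID) is blunted by refusing URL-borne and never-issued IDs and by regenerating the ID at login. It assumes a `users` table with `email` and `pw_hash` (bcrypt via `password_hash()`) columns and an already-open PDO handle `$pdo`.

```php
<?php
// Added example, not from the thread. Settings must be applied before
// session_start(). The session ID is read only from the cookie, and an ID
// the server never issued (e.g. ?PHPSESSID=1234 pasted into a link) is
// discarded instead of being adopted as a new session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Assumed schema: users(id, email, pw_hash). $pdo is an existing connection.
function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    // Throw away whatever ID the browser arrived with (guessed or planted)
    // and issue a fresh one, so an ID an attacker already knows never maps
    // to the authenticated session.
    session_regenerate_id(true);
    // These values exist only in the server's session store; knowing the
    // variable names gives a client no way to set them.
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['logged_in'] = true;
    return true;
}

// Guard for the top of every user page: the check the original post describes.
function require_login(): void
{
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Clear the server-side data and invalidate the ID, not just the cookie.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```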
