Ok, there are two separate but related problems, and each is handled differently.

Session fixation is where an attacker explicitly sets the session identifier of a session for a user. Typically in PHP it's done by giving them a URL like. Once the attacker gives the URL to the client, the attack is the same as a session hijacking attack.

There are a few ways to prevent session fixation (do all of them):

Set session.use_trans_sid = 0 in your php.ini file. This will tell PHP not to include the identifier in the URL, and not to read the URL for identifiers.

Set session.use_only_cookies = 1 in your php.ini file. This will tell PHP to never use URLs with session identifiers.

Regenerate the session ID any time the session's status changes.

Session hijacking is where an attacker gets hold of a session identifier and is able to send requests as if they were that user. That means that since the attacker has the identifier, they are all but indistinguishable from the valid user with respect to the server.

You cannot directly prevent session hijacking. You can, however, put steps in to make it very difficult and harder to use.

Use a strong session hash identifier: session.hash_function in php.ini. If PHP is 5.3 or later, set it to session.hash_function = sha256 or session.hash_function = sha512.

Send a strong hash: session.hash_bits_per_character in php.ini. Set this to session.hash_bits_per_character = 5. While this doesn't make it any harder to crack, it does make a difference when the attacker tries to guess the session identifier. The ID will be shorter, but uses more characters.

Set additional entropy with session.entropy_file and session.entropy_length in your php.ini file. Set the former to session.entropy_file = /dev/urandom and the latter to the number of bytes that will be read from the entropy file, for example session.entropy_length = 256.

Change the name of the session from the default PHPSESSID. This is accomplished by calling session_name() with your own identifier name as the first parameter prior to calling session_start(). If you're really paranoid you could rotate the session name too, but beware that all sessions will automatically be invalidated if you change this (for example, if you make it dependent on the time). But depending on your use case, it may be an option.

Rotate the session identifier itself often as well. I wouldn't do this every request (unless you really need that level of security), but at a random interval. You want to change this often since if an attacker does hijack a session you don't want them to be able to use it for too long.

Include the user agent from $_SERVER in the session. Then, on each subsequent request, check that it matches. Note that this can be faked so it's not 100% reliable, but it's better than not.

Include the user's IP address from $_SERVER in the session. Basically, when the session starts, store it in something like $_SESSION. This may be problematic for some ISPs that use multiple IP addresses for their users (such as AOL used to do). But if you use it, it will be much more secure. The only way for an attacker to fake the IP address is to compromise the network at some point between the real user and you. And if they compromise the network, they can do far worse than a hijacking (such as MITM attacks, etc.).

Include a token in the session and on the browser's side that you increment and compare often. Basically, for each request increment a counter stored in $_SESSION on the server side. Also do something in JS on the browser's side to do the same (using local storage). Then, when you send a request, simply take a nonce of the token, and verify that the nonce is the same on the server. By doing this, you should be able to detect a hijacked session since the attacker won't have the exact counter, or if they do you'll have two systems transmitting the same count and can tell one is forged. This won't work for all applications, but is one way of combating the problem.

The difference between session fixation and hijacking is only about how the session identifier is compromised. In fixation, the identifier is set to a value that the attacker knows beforehand.
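As an added example (not code from the original post), here is how the fixation defences fit together in PHP: the two php.ini directives set at runtime, a custom session name in place of PHPSESSID, and session_regenerate_id(true) called at every status change so that an identifier an attacker handed the victim before login no longer maps to anything. The session name APPSESS, the in-memory users array and the form field names are constructed for the demo.

```php
<?php
// Added example, not code from the original post. Session fixation defences:
// no identifiers in URLs, cookie-only sessions, a custom session name, and a
// fresh identifier whenever the session's status changes.
declare(strict_types=1);

// Never emit the session ID in a URL and never accept one from a URL.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');

// Replace the default PHPSESSID cookie name; 'APPSESS' is an assumed name.
session_name('APPSESS');
session_start();

// Constructed demo user store; a real application would use a database.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

/**
 * Privilege boundary: issue a brand-new identifier and delete the old
 * session record (the `true` argument) before storing the elevated state.
 * An ID planted by an attacker before this point is now worthless.
 */
function elevateSession(array $state): void
{
    session_regenerate_id(true);
    foreach ($state as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

function loginUser(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    elevateSession(['user' => $username, 'authenticated_at' => time()]);
    return true;
}

/** Logout is also a status change: clear state, drop the record, expire the cookie. */
function logoutUser(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Constructed request: a login form post.
if (($_POST['action'] ?? '') === 'login') {
    $ok = loginUser($users, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
} elseif (($_POST['action'] ?? '') === 'logout') {
    logoutUser();
}
```

Call elevateSession() for any other privilege change too (role switch, re-authentication for a sensitive action), not only at login. One version caveat on the php.ini items above: session.hash_function, session.hash_bits_per_character, session.entropy_file and session.entropy_length apply to PHP 5.x through 7.0; PHP 7.1 removed them, takes its random bytes from the OS CSPRNG, and controls the identifier's length and alphabet with session.sid_length and session.sid_bits_per_character instead.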
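The hijack-detection measures (bind the session to the user agent and IP address, rotate the identifier at a random interval, and keep a counter the client must echo) as an added example, not code from the original post. $_SERVER['HTTP_USER_AGENT'] and $_SERVER['REMOTE_ADDR'] are PHP's standard request variables; the $_SESSION keys, the rotation window, and the X-Session-Counter header (which the browser-side JavaScript, not shown here, would keep in localStorage and send back on each request) are assumptions.

```php
<?php
// Added example, not code from the original post. Detects a hijacked PHP
// session by binding it to client attributes, rotating the identifier at a
// random interval, and requiring the client to echo a per-request counter.
declare(strict_types=1);

// Rotation window in seconds (assumed values).
const ROTATE_MIN = 300;
const ROTATE_MAX = 900;

/** User agent and IP are both forgeable, so this is a detection aid, not proof. */
function clientFingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

/** Drop the session entirely; session_destroy() is what makes the stolen ID useless. */
function abandonSession(string $reason): void
{
    error_log('session abandoned: ' . $reason);
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

/**
 * Returns 'fresh' for a newly created session, 'ok' when the bound
 * attributes still match, and 'rejected' when they do not.
 */
function startBoundSession(): string
{
    session_start();

    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = clientFingerprint();
        $_SESSION['counter'] = 0;
        $_SESSION['rotate_at'] = time() + random_int(ROTATE_MIN, ROTATE_MAX);
        header('X-Session-Counter: 0');   // client stores this and echoes it next time
        return 'fresh';
    }

    if (!hash_equals($_SESSION['fp'], clientFingerprint())) {
        abandonSession('fingerprint mismatch');
        return 'rejected';
    }

    if (time() >= $_SESSION['rotate_at']) {
        // Random-interval rotation bounds how long a stolen identifier stays valid.
        session_regenerate_id(true);
        $_SESSION['rotate_at'] = time() + random_int(ROTATE_MIN, ROTATE_MAX);
    }
    return 'ok';
}

/**
 * The client echoes the last counter it received. A second party replaying
 * the same cookie ends up a step behind (or ahead of) the real client, so
 * the values diverge and the mismatch shows up here.
 */
function checkAndAdvanceCounter(?string $echoed): bool
{
    if ($echoed === null || !ctype_digit($echoed) || (int)$echoed !== $_SESSION['counter']) {
        return false;
    }
    $_SESSION['counter']++;
    header('X-Session-Counter: ' . $_SESSION['counter']);
    return true;
}

// Per-request flow.
$state = startBoundSession();
if ($state === 'ok' && !checkAndAdvanceCounter($_SERVER['HTTP_X_SESSION_COUNTER'] ?? null)) {
    abandonSession('counter mismatch');
    $state = 'rejected';
}
if ($state === 'rejected') {
    http_response_code(403);
    exit;
}
// Normal request handling continues here with a session that passed all three checks.
```

On a mismatch the server cannot tell which of the two parties is the legitimate one, so the safe response is to abandon the session and make both re-authenticate. The counter is also the part the post warns "won't work for all applications": a page that fires several requests in parallel races its own counter, so it suits request-at-a-time flows better than heavy AJAX front ends.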