
How secure are sessions?

Posted: Wed Sep 09, 2009 12:09 pm
by JellyFish
I just realized that a PHP session is controlled by a session ID stored in a cookie in the client's browser. This ID is a 32 bit base 64 encoded string and is sent to the server in the headers of every request. If I'm correct, this means that all someone would have to do to "steal" a session is to send the same session ID. What I mean by steal is to actually be logged in to someone's account. How is this secure? What prevents me from repeatedly sending a different random session ID until I have found one that is in use? If there are a lot of users logged in to a site, there would be a lot of session IDs being used.

So how does a developer prevent such an insecurity? I usually thought a "log in" or a "sign in" on a site was just PHP session variables stored on the server. But now I realize that there must be more to a login. If there is not more to it, then I could crack into people's accounts on all the sites out there.

I'm so very confused about how logins are handled. :S

Thanks for reading. I appreciate any help with my confusion.

EDIT:

Actually I just realized that 64^32 (which is the number of possible session IDs) is over 6 octodecillion (6,277,101,740,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000). Even if there were 9 billion people logged on all at once, that would mean a cracker would have to go through at least 1 quindecillion (1 with 48 zeros following). I guess it's very unrealistic to think that you can just simply loop through all of these possible values and finally strike gold.

But I noticed that sessions on the server don't die right away. If a user shuts down their browser, how long does the session remain on the server? Over time every user would have multiple sessions on the server that aren't being used anymore.

Someone please reassure me with some common sense. 8O

Re: How secure are sessions?

Posted: Wed Sep 09, 2009 12:34 pm
by Weiry
I couldn't tell you the majority of ways, but I have come across a piece of code at some point which would actually store your IP address along with your session ID in a temporary entry in a database table, and when the session expired/user logged out, it would be deleted from the database.
That way there could be a check to make sure the browser supplying the 'stolen' session could be checked against the IP address.
Although I'm not sure how long ago I saw this, so it's probably a fairly inefficient sort of check, although a quick Google led me to
PHPSec which does provide 'some' useful information.

Re: How secure are sessions?

Posted: Wed Sep 09, 2009 12:59 pm
by Mirge
There are some simple ways to prevent session hijacking: on each HTTP request create a new session ID (see: http://www.php.net/session_regenerate_id/), expire sessions somewhat quickly so that inactivity leads to an expired session (see: http://www.php.net/session_set_cookie_params/), etc. Google around for more techniques to avoid session hijacking.
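Putting Weiry's IP check and Mirge's two suggestions together, here is an added example of a hardened login and page guard in plain PHP. It is the editor's example, not code from the thread or from PHPSec. It assumes PHP 7.3 or newer (the array form of session_set_cookie_params and the session.sid_* settings), and the user store find_user and the credentials inside it are made up for the example.

```php
<?php
// Added example (not from the thread): login and page guard hardening in PHP.
// Assumes PHP 7.3+. find_user() and its single account are stand-ins for a real
// user store.

declare(strict_types=1);

// 1. ID and cookie settings must be applied before session_start().
ini_set('session.use_strict_mode', '1');      // reject IDs the server never issued
ini_set('session.use_only_cookies', '1');     // never read the ID from the URL
ini_set('session.sid_length', '48');          // 48 chars * 6 bits = 288 bits of ID
ini_set('session.sid_bits_per_character', '6');
session_set_cookie_params([
    'lifetime' => 0,          // session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,       // only sent over HTTPS
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Client fingerprint, as in Weiry's post, but kept in $_SESSION rather than a
// database table. Hashing keeps the stored value short and fixed-size.
function client_fingerprint(): string
{
    $addr = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $addr . '|' . $ua);
}

// Hypothetical user store; a real application queries a database here.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Discard the pre-authentication ID so an attacker who planted it
    // (session fixation) never ends up holding a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $user['id'];
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen']   = time();
    $_SESSION['rotated']     = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Call at the top of every authenticated page; returns the user ID.
function require_login(int $idle_seconds = 900, int $rotate_seconds = 300): int
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        exit('not logged in');
    }
    // Stolen ID replayed from another address/browser: destroy the session.
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        logout();
        http_response_code(401);
        exit('session does not match client');
    }
    // Inactivity timeout enforced on the server; the cookie lifetime alone is
    // under the client's control and proves nothing.
    if (time() - $_SESSION['last_seen'] > $idle_seconds) {
        logout();
        http_response_code(401);
        exit('session expired');
    }
    $_SESSION['last_seen'] = time();
    // Rotate the ID every few minutes rather than on every request: rotating
    // per request races with concurrent requests (AJAX, several tabs) that
    // still carry the old ID.
    if (time() - $_SESSION['rotated'] > $rotate_seconds) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
    return (int) $_SESSION['user_id'];
}
```

Two caveats on the choices above. Binding to REMOTE_ADDR is a tripwire, not a primary control: users behind carrier NAT or a load-balanced proxy change addresses mid-session and get logged out, while an attacker on the same NAT passes the check, which is why the fingerprint is checked alongside an ID that is long enough (288 bits here) to make the guessing attack from the first post hopeless no matter how many sessions are live. And session.use_strict_mode matters as much as regeneration: without it PHP will happily create a session under any ID the client presents, which is what makes fixation work in the first place.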

Re: How secure are sessions?

Posted: Wed Sep 09, 2009 1:28 pm
by John Cartwright
JellyFish wrote:But I noticed that sessions on the server don't die right away. If a user shuts down their browser, how long does the session remain on the server? Over time every user would have multiple sessions on the server that aren't being used anymore.

Someone please reassure me with some common sense. 8O
A quick google on php garbage collector +session has some pretty good explanations. :)
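The garbage collector John Cartwright points to is what answers the "how long does it stay on the server" question, and it is probabilistic: PHP runs it on a fraction of session_start() calls set by session.gc_probability/session.gc_divisor, and only then deletes files idle longer than session.gc_maxlifetime. The following CLI script is an added example (the editor's, not from the thread) that shows those settings, lists the session files that are past their lifetime but still on disk, and forces a collection. It assumes PHP 7.1+ (for session_gc), the default files save handler, and a session.save_path that the script can read.

```php
<?php
// Added example (not from the thread): inspect PHP session garbage collection
// from the command line. Assumes PHP 7.1+ and the default 'files' handler.

declare(strict_types=1);

// Directory the files handler writes sess_* files to. save_path may carry
// "N;mode;/dir" prefixes, so keep the last ';'-separated part; an empty
// value means PHP falls back to the system temp directory.
function session_dir(): string
{
    $path = (string) ini_get('session.save_path');
    if ($path === '') {
        return sys_get_temp_dir();
    }
    $parts = explode(';', $path);
    return end($parts);
}

// Session files whose idle time exceeds $maxlifetime. The files handler
// treats the file's mtime as the last activity, so that is what GC compares.
function stale_sessions(string $dir, int $maxlifetime): array
{
    $stale = [];
    $now = time();
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        $idle = $now - (int) filemtime($file);
        if ($idle > $maxlifetime) {
            $stale[] = ['file' => basename($file), 'idle_seconds' => $idle];
        }
    }
    return $stale;
}

$maxlifetime = (int) ini_get('session.gc_maxlifetime');   // php.ini default: 1440 s
$prob        = (int) ini_get('session.gc_probability');
$div         = max((int) ini_get('session.gc_divisor'), 1);

printf("gc_maxlifetime = %d s\n", $maxlifetime);
if ($prob === 0) {
    // Debian/Ubuntu ship gc_probability=0 and rely on a cron job instead.
    echo "gc_probability = 0: web requests never collect; something external must\n";
} else {
    printf("GC runs on roughly 1 in %d session_start() calls\n", intdiv($div, $prob));
}

$dir   = session_dir();
$stale = stale_sessions($dir, $maxlifetime);
printf("%d session file(s) in %s past gc_maxlifetime but still present:\n", count($stale), $dir);
foreach ($stale as $s) {
    printf("  %s  idle %d s\n", $s['file'], $s['idle_seconds']);
}

// Force a collection now. session_gc() needs an active session; it returns
// the number of sessions removed, or false if the handler failed.
session_start();
$removed = session_gc();
session_write_close();
printf("session_gc() removed %s\n", $removed === false ? 'nothing (handler error)' : "$removed session(s)");
```

The security-relevant point the listing makes: an "expired" session file that the collector has not yet visited is still a valid session, and a stolen cookie for it still logs in until the file is actually deleted. That is why an inactivity check inside the application (a last-seen timestamp compared on every request) is the control to rely on, with gc_maxlifetime only bounding how long dead files linger on disk.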