session variables

Posted: Sun Oct 10, 2004 6:35 pm
by sicksound
hey!

just wondering if it is at all possible for one user to change alter another user's session variables knowing what their session id is. i've got a big crazy experiment i want to try, but i need to be able to do this. but basically, when a user logs on, their session id will get stored into a database, and another user of another session can grab the session id and change a variable pertaining to that session id? possible? please say yes, and if it's no, please explain, cause i'm really thinking this is possible, but i could be horribly wrong. if i can get this to work, the world is mine!!

thanks all!
x

Posted: Sun Oct 10, 2004 6:39 pm
by feyd
why not try it?


possible

Posted: Sun Oct 10, 2004 6:42 pm
by patrikG
If the world could be yours and you only lack the courage to do it: just do it.

Posted: Sun Oct 10, 2004 6:54 pm
by sicksound
haha, true, you are both right.

the only problem is that i have no idea how to do it?

how do i change a session variable that is not of my own session, by using the session id? like what would the syntax be?

thanks!

Posted: Sun Oct 10, 2004 6:56 pm
by feyd
I'm not going to tell you how to hijack a session.

Posted: Sun Oct 10, 2004 7:02 pm
by sicksound
crap.. but it's not for illegal or mischievous use. it'll only happen on my server, done by me. can you relate me to a place where i can find out how to do so?

thanks!

Posted: Sun Oct 10, 2004 7:07 pm
by feyd
I don't care if it's for the President.

you already walked through the basics of it in your original post.

Posted: Mon Oct 11, 2004 6:12 am
by sicksound
ok i will do my research. i know i walked through the basics, and i know what the concept may be, but i really have no idea where to start. i'll look though..

Posted: Mon Oct 11, 2004 6:39 am
by phpScott
supposedly then, feyd, if you know how to hijack a session you know how to stop it, right?
How about helping us then who want to stop our sessions from being hijacked?

Move to new post if you wish?

thanks

Posted: Mon Oct 11, 2004 3:35 pm
by d_d
I'm no expert, but if all you need to hijack a session is the session id, a possible solution would be to get more info from the client that can be used to help verify the session. You could use stuff like user agent string, ip address etc. Then if someone tries to hijack the session some of the info will not match and you can take action.

Posted: Mon Oct 11, 2004 4:29 pm
by tim
d_d wrote:
I'm no expert, but if all you need to hijack a session is the session id, a possible solution would be to get more info from the client that can be used to help verify the session. You could use stuff like user agent string, ip address etc. Then if someone tries to hijack the session some of the info will not match and you can take action.

u make it seem stealing a session ID is a piece of cake.

8O

Posted: Mon Oct 11, 2004 7:09 pm
by nincha
quite sure interrupting another's session using the id is possible, anything is possible right?? but the real question is -- does the php compiler provide such a thing?

Posted: Sun Oct 17, 2004 6:09 pm
by feyd
php allows hijacking of sessions, as that's not a part of its core. Disallowing the hijacking of a session can be challenging.. for many reasons: their IP may change throughout the session, their IP may be a router/proxy where many users are behind the same unit.. The agent string isn't very unique, and would use a lot of space in a database unless you stored off the uniques and referred to their id numbers, but even then, you'll see the same useragent quite often. Turning off trans_id can help, however, this breaks all users without cookies.. so it's heavily dependent on the restrictions you want to set up.

You can add additional authentication like fairly long cookie/url values as hashes.. or uniquely hashing the username and password in some fashion, although you'd best use a REAL good encryption/hash for it, so it's a huge waste of time to try to break.
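The defensive side of what d_d and feyd describe above (binding a session to client attributes, turning off URL-carried IDs, rotating the ID at login), written up as an added PHP example. This is not code from the thread or from any of its posters; the `FINGERPRINT_KEY` value is a placeholder for a per-deployment secret, and IP binding is off by default for exactly the proxy/changing-IP reasons feyd gives.

```php
<?php
// Added example: harden a PHP session against ID theft/reuse.
// Not code from the thread; FINGERPRINT_KEY is a placeholder secret.
declare(strict_types=1);

// Hardening knobs feyd alludes to: no session ID in URLs, cookie-only
// sessions, reject client-supplied IDs the server never issued.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

// Placeholder; load from configuration in a real deployment.
const FINGERPRINT_KEY = 'replace-with-a-per-deployment-secret';

// Fingerprint the client attributes d_d suggests. The user agent alone
// is weak (feyd's point), so it is keyed with a server secret and only
// used as an extra signal, never as the sole authentication.
function client_fingerprint(array $server, string $key, bool $bindIp = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        // Opt-in only: breaks users behind rotating proxies or mobile carriers.
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash_hmac('sha256', implode("\0", $parts), $key);
}

// Start the session and verify it is still being used by the same client.
function start_bound_session(array $server, string $key): void
{
    session_start();
    $expected = client_fingerprint($server, $key);

    if (!isset($_SESSION['fp'])) {
        // First request for this ID: record the binding.
        $_SESSION['fp'] = $expected;
        return;
    }

    if (!hash_equals($_SESSION['fp'], $expected)) {
        // Attributes changed: treat as a possible hijack. Log it, drop all
        // state, and issue a fresh ID so the old one stops being useful.
        error_log('session fingerprint mismatch for id ' . session_id());
        session_unset();
        session_regenerate_id(true);
        $_SESSION['fp'] = $expected;
    }
}

// On login (privilege change) rotate the ID so an ID captured before
// authentication never becomes an authenticated one.
function on_login(int $userId, array $server, string $key): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['fp']      = client_fingerprint($server, $key);
}

// Per-request entry point.
start_bound_session($_SERVER, FINGERPRINT_KEY);
```

The ini settings must run before `session_start()` to take effect for that request, and `session.use_strict_mode` only helps if the session save handler honours it (the default file handler does). Treat the fingerprint check as a detection signal to log and act on, not as a replacement for the authentication feyd recommends adding on top.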