Security with sessions


cybaf
Forum Commoner
Posts: 89
Joined: Tue Oct 01, 2002 5:28 am
Location: Gothenburg Sweden

Security with sessions

Post by cybaf »

Hi!

I've developed a login script that works similar to an NT challenge/response authentication with the main feature of never sending the password over the network. The script is supposed to cover the section for those who want to have something more secure than basic authentication but do not want to run SSL. Therefore I'm investigating how secure my script is. I'm using sessions to maintain state with the client.

I know that it is quite easy to sniff TCP traffic and that it is not very hard to find a session cookie going to someone on the network. However, is it possible for an attacker to set that cookie by himself in order to hijack a currently logged in user? I figured it would be easy if the cookie was stored in a txt-file, but since the session cookies do not expire until the client is closed, they're only stored in the client memory, so can you set a session cookie manually in order to hijack a session?

Regards,
Anders Fredriksson
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

The built-in session handlers are rather weak when it comes to security. If you need to worry about session hijacking, I would suggest reading my earlier thread at viewtopic.php?t=3190.

The second version of the script gives a framework to use to protect the session id from simple client side modification. For a little more security the remote_addr could be included in the MAC'd cookie. If you need even more security do a double DNS lookup IP->Name->IP. You'll probably need to play with the script a little to adapt it to your use, but if you have questions, please ask.
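The "MAC'd cookie" idea above, written out as an added example (not the script from the linked thread): the session id is signed with a server-side HMAC over the id and the client's address, so a cookie captured on the wire cannot be edited or replayed from another address without failing verification. The secret, the sample addresses and the `<session_id>.<hmac>` layout are assumptions; it uses `hash_hmac`/`hash_equals`/`random_bytes` from current PHP, and the address must come from `$_SERVER['REMOTE_ADDR']`, not from a client-supplied forwarded header.

```php
<?php
// Added example, not code from the thread. The MAC key is an assumption;
// in practice it is a long random value stored outside the web root.
const SESSION_MAC_KEY = 'replace-with-a-long-random-server-secret';

// Cookie layout (assumed): "<session_id>.<hex hmac>". The MAC covers both
// the id and the remote address, so neither can be changed client-side
// without invalidating it.
function make_session_cookie(string $sessionId, string $remoteAddr): string
{
    $mac = hash_hmac('sha256', $sessionId . '|' . $remoteAddr, SESSION_MAC_KEY);
    return $sessionId . '.' . $mac;
}

// Verify a presented cookie against the address of the current request.
// Returns the session id when the MAC checks out, otherwise null.
function verify_session_cookie(string $cookie, string $remoteAddr): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$sessionId, $mac] = $parts;
    // Reject malformed ids before they reach the session store
    // (PHP's own ids use the characters [A-Za-z0-9,-]).
    if (!preg_match('/^[A-Za-z0-9,-]{16,128}$/', $sessionId)) {
        return null;
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $remoteAddr, SESSION_MAC_KEY);
    // hash_equals is a constant-time comparison, so the MAC cannot be
    // guessed byte by byte through timing differences.
    return hash_equals($expected, $mac) ? $sessionId : null;
}

// Walk-through with constructed values standing in for $_COOKIE and
// $_SERVER['REMOTE_ADDR']; in a real request use those instead.
$sid    = bin2hex(random_bytes(16));
$cookie = make_session_cookie($sid, '192.0.2.10');

if (verify_session_cookie($cookie, '192.0.2.10') === $sid) {
    echo "same id, same address: cookie accepted\n";
}
if (verify_session_cookie($cookie, '198.51.100.7') === null) {
    echo "same cookie from another address: rejected\n";
}
$tampered = substr($cookie, 0, -1) . (substr($cookie, -1) === 'a' ? 'b' : 'a');
if (verify_session_cookie($tampered, '192.0.2.10') === null) {
    echo "edited MAC: rejected\n";
}
```

Binding to the address is the trade-off nielsene hints at: clients behind rotating proxies or mobile networks will be logged out when their address changes, so decide whether that fits your users before enabling it.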
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

You could customize the session management. Try looking at http://www.phpbuilder.com.