Hi!
I've developed a login script that works similarly to NT challenge/response authentication, with the main feature of never sending the password over the network. The script is supposed to cover the section for those who want something more secure than basic authentication but do not want to run SSL. Therefore I'm investigating how secure my script is. I'm using sessions to maintain state with the client.
I know that it is quite easy to sniff TCP traffic and that it is not very hard to find a session cookie going to someone on the network. However, is it possible for an attacker to set that cookie himself in order to hijack a currently logged-in user? I figured it would be easy if the cookie was stored in a text file, but since the session cookies do not expire until the client is closed, they're only stored in the client's memory, so can you set a session cookie manually in order to hijack a session?
Regards,
Anders Fredriksson
Security with sessions
The built-in session handlers are rather weak when it comes to security. If you need to worry about session hijacking, I would suggest reading my earlier thread at viewtopic.php?t=3190.
The second version of the script gives a framework to use to protect the session id from simple client-side modification. For a little more security, the remote_addr could be included in the MAC'd cookie. If you need even more security, do a double DNS lookup IP->Name->IP. You'll probably need to play with the script a little to adapt it to your use, but if you have questions, please ask.
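The approach the reply sketches (a session id protected by a MAC, with the client's address folded into the MAC'd value, plus an optional IP->Name->IP round-trip) as an added example. This is not the script from the linked thread or anyone's posted code; the cookie layout, the function names and the `$SERVER_KEY` secret are assumptions made for the illustration, and the addresses are constructed values from the documentation range.

```php
<?php
// Added example, not the forum poster's script: a MAC-protected session cookie
// that binds the session id to the client's REMOTE_ADDR. A sniffed cookie that
// is set manually from another host fails the check below, because the MAC
// covers the address it was issued to and the secret never leaves the server.
// Needs PHP 7.1+ (hash_hmac, hash_equals, random_bytes, nullable returns).

$SERVER_KEY = 'replace-with-a-long-random-secret-kept-only-on-the-server'; // hypothetical secret

// Cookie value layout (assumed): sid|ip|HMAC-SHA256(sid|ip).
// The MAC prevents forgery of either field; the ip field limits replay to hosts
// that present the same address.
function make_session_cookie(string $sid, string $remote_addr, string $key): string {
    $payload = $sid . '|' . $remote_addr;
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '|' . $mac;
}

// Returns the session id, or null when the cookie is malformed, has a bad MAC,
// or is presented from a different address than the one it was issued to.
function verify_session_cookie(string $cookie, string $remote_addr, string $key): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$sid, $ip, $mac] = $parts;
    $expected = hash_hmac('sha256', $sid . '|' . $ip, $key);
    // hash_equals compares in constant time, so the comparison does not leak the MAC.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ($ip !== $remote_addr) {
        return null;
    }
    return $sid;
}

// The stricter check from the reply: the address must round-trip IP -> name -> IP.
// Not exercised in the demo below because it needs a working resolver.
function double_dns_check(string $ip): bool {
    $name = gethostbyaddr($ip);          // returns the ip itself when there is no PTR record
    if ($name === false || $name === $ip) {
        return false;
    }
    return gethostbyname($name) === $ip; // returns the name unchanged on failure
}

// Demonstration with constructed values; run with the php command-line binary.
$sid    = bin2hex(random_bytes(16));
$cookie = make_session_cookie($sid, '192.0.2.10', $SERVER_KEY);

var_dump(verify_session_cookie($cookie, '192.0.2.10', $SERVER_KEY) === $sid); // bool(true)
var_dump(verify_session_cookie($cookie, '192.0.2.99', $SERVER_KEY));          // NULL: replayed from another host
$forged = str_replace($sid, bin2hex(random_bytes(16)), $cookie);
var_dump(verify_session_cookie($forged, '192.0.2.10', $SERVER_KEY));          // NULL: MAC no longer matches
```

In a real page the value would be issued with `setcookie()` using the HttpOnly flag and checked against `$_SERVER['REMOTE_ADDR']` on every request before `session_id()` is trusted. Binding to the address does not help against an attacker on the same NAT or proxy as the victim, and it logs out legitimate users whose address changes mid-session; the MAC is the part that stops client-side modification, the address binding is the extra step the reply calls "a little more security".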
You could customize the session management. Try looking at http://www.phpbuilder.com.