session validation method

Posted: Tue Jul 13, 2010 7:30 am
by shawngoldw
I had an idea for a method to validate sessions.

When the user logs in a random hash gets generated. This hash gets stored in the session and in the user's cookies. When he goes to a new page, the cookie gets checked against the session, along with the session id, and if things match up a new hash gets generated and stored in both places.

Basically, every time they load a page a new hash gets generated to check the next page.

I was hoping that this would be a good method to prevent session hijacking because even if the traffic was eavesdropped on, the eavesdropper would have to use the information quickly because if the user loaded a new page the old hash would be garbage.

Thoughts? Comments? I am just starting to learn about the world of security so please, any insight no matter how insignificant can be helpful. Would this be effective? What about overhead, could this method create a lot of unnecessary overhead?

Thanks,
Shawn
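The rotating-token check Shawn describes, written out as an added Python example (not code from the thread, whose site is presumably PHP); the in-memory store, the cookie names sid/token and the simulate() helper are assumptions. It also shows the limit the later replies point at: a replayed cookie pair only fails if the legitimate user has already loaded another page, and a failed replay still desyncs and logs the user out.

```python
import hmac
import secrets

# Constructed in-memory session store: sid -> {"user": ..., "token": ...}.
# A real deployment would keep this in the server-side session backend.
SESSIONS = {}


def login(user):
    """Create a session plus its first one-time hash; both go to the client as cookies."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "token": token}
    return {"sid": sid, "token": token}


def request_page(cookies):
    """Validate the sid/token cookie pair and rotate the token on success.

    Returns (ok, fresh_cookies). A token mismatch means a stale pair was
    presented, so the whole session is destroyed rather than trusted again.
    """
    sid = cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return False, None
    if not hmac.compare_digest(sess["token"], cookies.get("token", "")):
        del SESSIONS[sid]  # desync: whoever is still using the old token is kicked
        return False, None
    sess["token"] = secrets.token_urlsafe(32)
    return True, {"sid": sid, "token": sess["token"]}


def simulate(attacker_first):
    """An eavesdropper replays the pair sniffed at login, either before or after
    the user's next page load. Returns (attacker_ok, user_ok, session_alive)."""
    SESSIONS.clear()
    sniffed = login("shawn")
    if attacker_first:
        attacker_ok, _ = request_page(dict(sniffed))  # stale pair accepted
        user_ok, _ = request_page(dict(sniffed))      # user now holds the stale one
    else:
        user_ok, _ = request_page(dict(sniffed))      # user rotates first
        attacker_ok, _ = request_page(dict(sniffed))  # replay fails, but logs user out
    return attacker_ok, user_ok, sniffed["sid"] in SESSIONS


if __name__ == "__main__":
    print("attacker waits :", simulate(attacker_first=False))  # (False, True, False)
    print("attacker first :", simulate(attacker_first=True))   # (True, False, False)
```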

Re: session validation method

Posted: Tue Jul 13, 2010 1:02 pm
by Christopher
Yes, generating a secret key is a good way to validate sessions.

Re: session validation method

Posted: Wed Jul 14, 2010 7:10 am
by Mordred
So, this protection works only against senile and slow attackers ;)

No, you protect against session hijacking by not letting the attacker steal the SID. You may take some mitigation measures, like checking the ip, but they may only make it harder to attack, not prevent it.

There are two basic ways of stealing the SID:
1. Sniffing traffic. This is an attack towards a lower level protocol than you; for protection against it you must use a lower level protection - TLS (https) and "secure" cookies.
2. Stealing it by leaking it over a side channel (i.e. XSS), which is prevented by not having XSS holes in your site (which is a complex topic by itself).

And for completeness:
3. Guessing. I've seen people generate their SIDs manually like that: $sid = md5(rand(1,10000))

Re: session validation method

Posted: Wed Jul 14, 2010 9:48 am
by shawngoldw
HTTPS is the most secure method, but I think it's also important to make the attack as hard as possible; not everyone is going to use https.

This method would take care of number 3. Number 2 is a problem in and of itself and needs to be dealt with, but is not what I am trying to focus on here.

Number 1 is what I'm trying to deal with here, but without https for the sake of learning. What is it you mean by "secure" cookies?

Isn't checking IPs kind of tricky because some people use proxies? I read it causes trouble for people with AOL.

What other holes does my method have? And yes, it will only work against slow and senile attackers ;) but it's meant to be part of a solution.
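An added example (Python, not code from the thread) of the two points Mordred makes about the SID itself and of the "secure" cookies Shawn asks about: a CSPRNG-generated identifier instead of md5(rand(1,10000)), and a Set-Cookie value carrying Secure and HttpOnly, plus a check that a server's SID cookie actually has those flags. The cookie name sid and the helper names are assumptions.

```python
import math
import secrets
from http.cookies import SimpleCookie


def weak_sid_bits():
    """md5(rand(1,10000)) can only ever produce 10000 distinct values, about
    13.3 bits: an attacker can simply try every one instead of guessing."""
    return math.log2(10000)


def strong_sid(nbytes=32):
    """Session identifier from the OS CSPRNG: 256 bits, not enumerable."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(sid):
    """Build the Set-Cookie value for the SID with the 'secure' cookie attributes.
    Secure: the browser sends it only over HTTPS, so it never crosses plaintext HTTP.
    HttpOnly: document.cookie cannot read it, which blunts the XSS leak (item 2)."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


def cookie_attributes(header):
    """Attribute names (lowercased) present in a Set-Cookie value, for auditing
    what a server really sends."""
    return {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}


def sid_cookie_is_hardened(header):
    """True when the SID cookie carries both flags the thread is asking about."""
    return {"secure", "httponly"} <= cookie_attributes(header)


if __name__ == "__main__":
    print(f"weak SID entropy: {weak_sid_bits():.1f} bits; strong SID: {strong_sid()}")
    hdr = session_cookie_header(strong_sid())
    print(hdr, "-> hardened:", sid_cookie_is_hardened(hdr))
```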

Re: session validation method

Posted: Wed Jul 14, 2010 10:09 am
by timWebUK
shawngoldw wrote: HTTPS is the most secure method, but I think it's also important to make the attack as hard as possible; not everyone is going to use https.
You can force them to use HTTPS. Look at Google Mail, Online Banking, etc.

Re: session validation method

Posted: Wed Jul 14, 2010 11:49 am
by shawngoldw
Sorry, I don't mean every user, I mean every server.

For instance, devnetwork doesn't use http. But I would like to think they still try to keep my session secure.

Re: session validation method

Posted: Thu Jul 15, 2010 3:24 am
by timWebUK
Your method sounds fine, but it should be used in conjunction with HTTPS to be truly secure.

phpBB does have some session security, but ultimately, as we are not using HTTPS, the session is being transmitted in plaintext with each request - anyone can sniff that.

Re: session validation method

Posted: Sun Jul 18, 2010 1:33 pm
by kaisellgren
And what do you have for people who take coffee breaks while staying logged in?

Re: session validation method

Posted: Sun Jul 18, 2010 2:30 pm
by shawngoldw
Don't take coffee breaks :P

This is a more difficult problem. I do not want to make sure that the ip stays constant because not everybody has a static ip.

As of right now I have a method planned which will kick an eavesdropper off your account when you come back from your coffee break, but it's far from perfect because it doesn't stop them from getting on in the first place.

I'm not sure of the best way to go about this because as I see it some sort of credential needs to be stored in the client's cookies, but these are vulnerable to attack. As of now I can only limit the effectiveness of that attack, not prevent it. I'm having the same problem with the "Remember Me" feature.

Do you have a suggestion, Kaisellgren? Or anyone?

Re: session validation method

Posted: Mon Jul 19, 2010 1:42 pm
by kaisellgren
shawngoldw wrote: As of now I can only limit the effectiveness of that attack, not prevent it.
You can't prevent those attacks unless you are using strong session identifiers and TLS.

Re: session validation method

Posted: Mon Jul 19, 2010 1:56 pm
by shawngoldw
kaisellgren wrote:
shawngoldw wrote: As of now I can only limit the effectiveness of that attack, not prevent it.
You can't prevent those attacks unless you are using strong session identifiers and TLS.
Right, I've got the key I mentioned in my OP, user agent, and ip tracking to help limit the attack. SSL will be an optional component of the site.

I won't be making sure that IPs stay static but I will be tracking them and if something suspicious is happening the suspicious ip will be logged out.

Together I hope this will help lower the effectiveness of an attack.

Re: session validation method

Posted: Sat Aug 07, 2010 9:35 pm
by fortnox007
Hi all,

Everybody is talking about how everybody can sniff if https isn't used. Now this might be a dumb question, but how on earth can you sniff that info?
Learning sessions is one thing, but without knowing what is attacking you it's even harder to protect oneself. If anyone reads this, could he maybe point a new php'er in the right direction for learning to sniff? I would be more than pleased ;)

Re: session validation method

Posted: Mon Aug 23, 2010 5:37 am
by timWebUK
You just use a packet sniffer tool to do it, select your protocol (in this case, HTTP) open the packet and decode its contents and all the information is in there. There are plenty of utilities out there, just Google it.