secure logins, protection from sessions attacks

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

newmember
Forum Contributor
Posts: 252
Joined: Fri Apr 02, 2004 12:36 pm

Post by newmember »

Hi

[1]
I read a few threads mentioning replay attacks. One thing came to my mind while reading the proposed solution (combining the password with a random number, hashing it and then sending it to the server):
the problem is that this solution relies on the assumption that JavaScript is enabled. I wonder if there are other options here...

[2]
Look at the following scenario (I think it is called a session fixation attack and is mentioned in the PHP manual under "Session Handling Functions"):

1. User fills in the login form and sends it to the server.
2. Somewhere, an enemy listens to the communication.
3. After passing authentication, the server issues a session id to the browser.
4. The enemy grabs this session id and gets full access without ever passing authentication.

Is there any protection (except using SSL) for that kind of attack?

And a related situation:
let's assume that my security strategy is to use an HTTPS (SSL) connection for some critical parts of the site, e.g. login, and then use HTTP for the rest of the user session.
But wouldn't my site in that case be vulnerable to the above scenario (session fixation attack)?

thanks...
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: secure logins, protection from sessions attacks

Post by Roja »

newmember wrote: Hi

[1]
I read a few threads mentioning replay attacks. One thing came to my mind while reading the proposed solution (combining the password with a random number, hashing it and then sending it to the server):
the problem is that this solution relies on the assumption that JavaScript is enabled. I wonder if there are other options here...
Yes and no. You can do similar with flash or java. Without either (or https) - using raw html, there is no secure login, because the user will be sending their password in cleartext.
newmember wrote: [2]
Look at the following scenario (I think it is called a session fixation attack and is mentioned in the PHP manual under "Session Handling Functions"):

1. User fills in the login form and sends it to the server.
2. Somewhere, an enemy listens to the communication.
3. After passing authentication, the server issues a session id to the browser.
4. The enemy grabs this session id and gets full access without ever passing authentication.

Is there any protection (except using SSL) for that kind of attack?
Yes. Multiple.

First and foremost is regenerating the session id at random intervals, and upon privilege change. That way, the attacker will lose the session they stole.

Second, if you want to, you can choose to lock a login to an IP. There are about a million reasons not to, and only a handful of reasons to do it, but it's an option.

Third, you shouldn't rely exclusively on a session cookie to authenticate a user - have other cookies as well. Granted, the attacker is likely to get both, but it increases the difficulty.

Finally, reduce the impact of the breach - limit sessions to 10-15 minutes before regenerating the session id.

However, overall, if an attacker can sit and sniff on your browser, there is little you can do longterm other than minimize the damage, and increase the difficulty for the attacker.
newmember wrote: Let's assume that my security strategy is to use an HTTPS (SSL) connection for some critical parts of the site, e.g. login, and then use HTTP for the rest of the user session.
But wouldn't my site in that case be vulnerable to the above scenario (session fixation attack)?
Yes. Once the attacker has a session, it doesn't matter if it's HTTP or HTTPS.

However, in https, the attacker would have to get direct filesystem access, and read the cookies. In https, there is no cleartext transmission, AND the cookie is stored encrypted. Obviously, https offers the highest level of challenge for the attacker.
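The mitigations listed in the reply above (regenerate the id on privilege change and at intervals, a short idle limit, optional IP binding, and a second cookie alongside the session cookie) put together as one PHP session helper. This is an added example, not code posted in the thread; it assumes PHP 7.3 or newer and that every page calls `secure_session_start()` before any output. The function names, constants and session keys are the example's own choices.

```php
<?php
// Added example: session hardening along the lines of the reply above.
// Assumes PHP 7.3+; secure_session_start() must run before any output.
declare(strict_types=1);

const SESSION_IDLE_LIMIT   = 15 * 60; // idle timeout, the 10-15 minutes suggested above
const SESSION_ROTATE_EVERY = 5 * 60;  // regenerate the id at intervals even while active
const BIND_SESSION_TO_IP   = false;   // optional; breaks users behind NAT / mobile carriers

function cookie_options(int $expires = 0): array
{
    // Cookie is only sent over HTTPS and is not readable from script.
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

function destroy_session(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', cookie_options(time() - 3600));
    setcookie('auth_token', '', cookie_options(time() - 3600));
    session_destroy();
}

function rotate_session_id(): void
{
    // true = delete the old session data, so the old id dies immediately
    // instead of staying valid until garbage collection.
    session_regenerate_id(true);
    $_SESSION['created'] = time();
}

function secure_session_start(): void
{
    // Accept the id only from the cookie (never the URL) and reject ids the
    // server never issued, so a planted (fixated) id is ignored.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(cookie_options());
    session_start();
    $now = time();

    // Idle timeout: a captured id is only useful while the victim is active.
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        destroy_session();
        session_start();
    }
    $_SESSION['last_seen'] = $now;

    // Optional IP lock, with the caveats the reply above mentions.
    if (BIND_SESSION_TO_IP) {
        $ip = $_SERVER['REMOTE_ADDR'] ?? '';
        if (isset($_SESSION['bound_ip']) && !hash_equals($_SESSION['bound_ip'], $ip)) {
            destroy_session();
            session_start();
        }
        $_SESSION['bound_ip'] = $ip;
    }

    // Second cookie: an authenticated session must also present the token
    // that was issued at login and stored server-side.
    if (isset($_SESSION['auth_token'])) {
        $presented = $_COOKIE['auth_token'] ?? '';
        if (!hash_equals($_SESSION['auth_token'], $presented)) {
            destroy_session();
            session_start();
        }
    }

    // Periodic regeneration, independent of privilege changes.
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    } elseif ($now - $_SESSION['created'] > SESSION_ROTATE_EVERY) {
        rotate_session_id();
    }
}

function on_login_success(int $userId): void
{
    // Privilege change: a fresh id makes any id observed before or during
    // the login exchange worthless afterwards.
    rotate_session_id();
    $_SESSION['user_id'] = $userId;

    // Issue the secondary token; the browser gets one copy, the session the other.
    $token = bin2hex(random_bytes(32));
    $_SESSION['auth_token'] = $token;
    setcookie('auth_token', $token, cookie_options());
}
```

The `created` timestamp is deliberately reset only by `rotate_session_id()`, so the interval-based rotation and the login-triggered rotation share one mechanism. The idle check runs before the token and IP checks so that an expired session is discarded without ever comparing its stored values.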
newmember
Forum Contributor
Posts: 252
Joined: Fri Apr 02, 2004 12:36 pm

Post by newmember »

ok:)
Thanks for the clear explanation.
By the way, if I additionally use a verification image, this would
increase the intruder's effort, I guess. Now he can't use automatic tools.