PHP Developers Network
http://forums.devnetwork.net/

Question about session hijacking
http://forums.devnetwork.net/viewtopic.php?f=34&t=34468
Page 1 of 2

Author:  Swede78 [ Wed Jun 15, 2005 9:59 am ]
Post subject:  Question about session hijacking


Author:  malcolmboston [ Wed Jun 15, 2005 10:07 am ]
Post subject: 


Author:  hawleyjr [ Wed Jun 15, 2005 10:16 am ]
Post subject: 


Author:  Swede78 [ Wed Jun 15, 2005 10:49 am ]
Post subject: 

OK, so they couldn't actually manipulate stored session data (except if they now have access to webpages that allow them to do so). The data that a hijacker would find in another user's profile on my website is not critically sensitive. But, don't get me wrong, I take the security of that information very seriously. My concern is less about a hijacker finding a user's information than it is about a hijacker manipulating session data to be something it shouldn't be, right before it's stored in the database. Or even a user manipulating their own session data, is that possible?


Example Scenario:
If I have page1.php which calculates $A + $B = $_SESSION['C'], and page2.php puts $_SESSION['C'] in the database, I will not have to worry about $_SESSION['C'] being changed by a hijacker somehow. Right? What I've done in the past is recalculate $A + $B on page2.php, instead of using $_SESSION['C']. But, if storing data in sessions is safe, I want to avoid using up valuable server resources because my calculations are getting much more complicated than $A + $B.

As for the IP checking... what if their IP changes during a session? I believe that is possible.

Author:  malcolmboston [ Wed Jun 15, 2005 10:52 am ]
Post subject: 


Author:  Swede78 [ Wed Jun 15, 2005 11:35 am ]
Post subject: 


Author:  shiznatix [ Wed Jun 15, 2005 12:10 pm ]
Post subject: 

I don't believe it is possible for the user to change the session data, only to steal a user's existing session, but not change that user's session information.

i.e. they can't take $_SESSION['value'] that = 1 and change $_SESSION['value'] to = 2. I really don't believe this is possible.
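The page1.php / page2.php scenario from earlier in the thread, written out as an added example (this is not code from the thread). The point it shows is that the browser only ever holds the session id cookie; the contents of $_SESSION stay on the server, so $_SESSION['C'] can only be set by the code that writes it. What page2 has to check is not the arithmetic but that the session is authenticated and that page1 actually ran in this session. The single-file layout, the compute_c function, the results table, the SQLite DSN and the user_id session key are all assumptions.

```php
<?php
// Added example, not from the thread. One file for illustration: in the real
// site page1() is page1.php and page2() is page2.php, sharing one session.
// The browser only ever holds the session id cookie; $_SESSION itself stays on
// the server, so the value of $_SESSION['C'] can only be set by page1().
declare(strict_types=1);

session_start();

// Stand-in for the expensive calculation discussed in the thread (assumption).
function compute_c(int $a, int $b): int
{
    return $a + $b;
}

// page1.php: the only point where the user influences C, so validate here.
function page1(array $post): void
{
    $a = filter_var($post['a'] ?? null, FILTER_VALIDATE_INT);
    $b = filter_var($post['b'] ?? null, FILTER_VALIDATE_INT);
    if ($a === false || $b === false) {
        http_response_code(400);
        exit('a and b must be integers');
    }
    $_SESSION['C'] = compute_c($a, $b);
}

// page2.php: no recalculation, but check that the session is authenticated and
// that page1() actually ran in this session before trusting $_SESSION['C'].
function page2(PDO $pdo): void
{
    if (!isset($_SESSION['user_id'])) {      // assumed to be set at login
        http_response_code(403);
        exit('not logged in');
    }
    if (!isset($_SESSION['C'])) {
        http_response_code(400);
        exit('page1.php has not been completed in this session');
    }
    // Prepared statement: the session value is trusted, the SQL still is not built by concatenation.
    $stmt = $pdo->prepare('INSERT INTO results (user_id, c) VALUES (:uid, :c)');
    $stmt->execute([':uid' => $_SESSION['user_id'], ':c' => $_SESSION['C']]);
    // Consume the value so the same result cannot be stored twice.
    unset($_SESSION['C']);
}

// Dispatch by the requested step (assumed routing and DSN; table results(user_id, c)).
$pdo = new PDO('sqlite:' . __DIR__ . '/app.sqlite');
if (($_GET['step'] ?? '') === '2') {
    page2($pdo);
} else {
    page1($_POST);
}
```

Recalculating on page2 buys nothing against a hijacker, because whoever holds the cookie gets the same $_SESSION either way; the defences that matter are validating the inputs where they enter (page1), tying the write to an authenticated user, and not leaving a consumed value in the session.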

Author:  Buddha443556 [ Wed Jun 15, 2005 1:00 pm ]
Post subject: 


Author:  Swede78 [ Wed Jun 15, 2005 1:39 pm ]
Post subject: 


Author:  timvw [ Wed Jun 15, 2005 2:22 pm ]
Post subject: 

This is how I build a "fingerprint" of a visitor..

Code:
<?php
// Builds a per-visitor fingerprint from a server-side secret, two request
// headers and the session id; compare the stored value against a fresh one
// on each request to detect a session being used from a different client.
class SessionFingerprint
{
    private $secret;

    public function __construct($secret)
    {
        $this->secret = $secret;
    }

    // get the fingerprint of the user
    public function getFingerprint()
    {
        $fingerprint = $this->secret;
        if (array_key_exists('HTTP_USER_AGENT', $_SERVER)) {
            $fingerprint .= $_SERVER['HTTP_USER_AGENT'];
        }
        if (array_key_exists('HTTP_ACCEPT_CHARSET', $_SERVER)) {
            $fingerprint .= $_SERVER['HTTP_ACCEPT_CHARSET'];
        }
        $fingerprint .= session_id();
        return md5($fingerprint);
    }
}
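The fingerprint above is only half of the mechanism; the other half is checking it on every request and dropping the session when it no longer matches. The following is an added example of that check (not timvw's code and not part of the thread). It differs from the function above in three ways: it keys the hash with hash_hmac instead of concatenating a secret into md5, it compares with hash_equals, and it leaves out the IP address, which answers the earlier worry about a client's IP changing mid-session. The secret constant, the session key name and the wiring into a request are assumptions.

```php
<?php
// Added example, not from the thread: bind a session to a client fingerprint
// and enforce it at session start-up.
declare(strict_types=1);

// Assumption: in a real deployment this comes from configuration, not source.
const FINGERPRINT_SECRET = 'replace-with-a-long-random-value-from-config';

function fingerprint(array $server): string
{
    // Only headers that stay stable for one browser. The remote address is
    // deliberately not included: it changes on mobile networks and behind
    // load-balanced proxies, which would log legitimate users out.
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_CHARSET'] ?? '',
    ];
    // Keyed hash: without the secret an attacker cannot precompute a value
    // to plant, and the separator keeps the fields from running together.
    return hash_hmac('sha256', implode("\n", $parts), FINGERPRINT_SECRET);
}

// Returns true if the session may be used, false if it was destroyed.
function start_guarded_session(array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $current = fingerprint($server);

    if (!isset($_SESSION['fp'])) {
        // First request of a new session: issue a fresh id so an id fixated
        // by an attacker does not survive, then bind the fingerprint to it.
        session_regenerate_id(true);
        $_SESSION['fp'] = $current;
        return true;
    }

    if (hash_equals($_SESSION['fp'], $current)) {
        return true;
    }

    // Mismatch: treat the session as used from another client and drop it,
    // both the in-memory copy and the server-side store.
    $_SESSION = [];
    session_destroy();
    return false;
}

// Usage at the top of every page (assumed entry point).
if (!start_guarded_session($_SERVER)) {
    http_response_code(403);
    exit('session rejected');
}
```

Two caveats worth keeping in mind. The session id is not mixed into the fingerprint: whoever holds the cookie already has it, so it adds nothing to the check. And an attacker who captured the cookie through an XSS payload or a proxy can usually capture and replay the User-Agent as well, so the fingerprint narrows the window rather than closing it; HttpOnly and Secure cookie flags and regenerating the id at login remain the primary controls.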

Author:  Roja [ Wed Jun 15, 2005 9:07 pm ]
Post subject: 


Author:  shiflett [ Sat Jun 25, 2005 6:05 pm ]
Post subject: 


Author:  weierophinney [ Sat Jun 25, 2005 7:18 pm ]
Post subject: 


Author:  shiflett [ Sat Jun 25, 2005 7:29 pm ]
Post subject: 


Author:  bsdguru [ Mon Jun 27, 2005 6:42 pm ]
Post subject: 

