
Session id stored in cookie compromised

Posted: Tue Dec 05, 2006 5:02 pm
by aikidokun
Hello all, this is my first time on this forum.

I am currently writing an application that uses sessions, and I am using session_set_save_handler() to save my session data in a localhost database. I am currently passing the session ID in a cookie (and just the session ID). I was wondering if there is a way someone can hijack my cookie and use the same session I am currently using, or if perhaps someone could send it to someone else and have them use their session. (I am guessing that it is possible.) If so, how can I stop this from happening? Is there a way to protect my cookie or session ID from falling into the wrong hands? Is there a way to defend against this? I would really appreciate some advice on this. Thanks in advance.

Posted: Tue Dec 05, 2006 5:29 pm
by feyd

Posted: Wed Dec 06, 2006 9:00 am
by aikidokun
Thanks a lot feyd, that article really helped me understand a little more about the types of attacks possible. I think I am going to use SID regeneration + IP recognition. This way I can be sure that the cookie with the SID is coming from the same place it was created for, and also, by regenerating the SID on each attempt, I can prevent fixation. This way, even if they spoof the IP, the SID regeneration should stop the attack. What do you think about this implementation? I would really love to hear some feedback on what the best practices are for handling secure sessions. Keep in mind I am saving all my session data in a secure database; the cookie will only contain the SID. Will I be vulnerable to query attacks, since the SID in the cookie is used to query the database? If so, how can I prevent this?
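
A database-backed save handler of the kind described in the first post, written here as an added example (it is not the poster's code and the thread does not show theirs): the SID read from the cookie is bound as a PDO parameter and never concatenated into SQL, the handler additionally refuses anything outside the alphabet PHP itself uses for session IDs, and it implements validateId() so that session.use_strict_mode rejects an ID the server never issued (the fixation case) instead of adopting it. The table name and columns, the in-memory SQLite DSN and the 1440-second lifetime are assumptions; the code targets PHP 8.1+.

```php
<?php
// Added example, not the original poster's code: PDO-backed session save handler.
// Assumptions: a table sessions(id VARCHAR(256) PRIMARY KEY, data BLOB, expires INTEGER)
// and an SQLite DSN; any PDO driver that accepts REPLACE INTO (MySQL, SQLite) works. PHP 8.1+.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1440) {}

    // Defence in depth on top of the prepared statements: accept only IDs shaped
    // like the ones PHP mints (sid_bits_per_character=6 alphabet, 22..256 chars).
    private static function wellFormed(string $id): bool
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        if (!self::wellFormed($id)) {
            return '';                        // unknown ID: start with an empty session
        }
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id AND expires > :now');
        $stmt->execute([':id' => $id, ':now' => time()]);   // SID is a bound parameter, never SQL text
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        if (!self::wellFormed($id)) {
            return false;
        }
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (:id, :data, :exp)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':exp' => time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires < :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }

    // Used by session.use_strict_mode: a cookie carrying an ID that was never
    // issued is rejected and PHP generates a fresh one instead of adopting it.
    public function validateId(string $id): bool
    {
        if (!self::wellFormed($id)) {
            return false;
        }
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = :id AND expires > :now');
        $stmt->execute([':id' => $id, ':now' => time()]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('UPDATE sessions SET expires = :exp WHERE id = :id');
        return $stmt->execute([':exp' => time() + $this->ttl, ':id' => $id]);
    }
}

// Bootstrap (assumption: in-memory SQLite so the example runs without a database server).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE IF NOT EXISTS sessions (id VARCHAR(256) PRIMARY KEY, data BLOB NOT NULL, expires INTEGER NOT NULL)');

ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never read the SID from the URL
session_set_save_handler(new PdoSessionHandler($db), true);
session_start();
```

The wellFormed() check is not what stops injection; the bound parameters are. It exists so that a malformed ID fails fast and never reaches the database at all, and so the handler still behaves sensibly if someone later swaps the prepared statements for a driver that does not support them.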

Posted: Wed Dec 06, 2006 11:26 am
by feyd
Take extreme care in how you write your IP restriction code. There are several ISPs that will shift/shuffle user IP addresses very often. There are proxy servers to consider too.

What I personally do is not concern myself so much with fixation as with forcing the user to log in again when moving up in security layers. For example, when an administrator goes into the administrative areas, or a user goes to their profile page (and wishes to alter the password). Now, as a convenience, I at times offer to waive the log-in after the first security transition by either locking it to their IP or by using a rotating key that is attached to them.

The rotating key is a separate cookie that is kept in the session too and compared. They can be the same, or can be symmetric in some fashion to form an encryption passkey. The specific implementation can vary from application to application as the needs of the client vary.
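
One way to implement the step-up approach described above, as an added example (not feyd's code): the protected area demands a fresh password check, and after it succeeds the prompt is waived for a window by minting a random key that is stored in the session and sent back in a separate cookie, compared in constant time on each request. The session ID is also regenerated at that boundary so an ID fixed before the elevation stops being valid. The cookie name, path, window length and the constructed password hash are assumptions; PHP 7.3+ for the array form of setcookie().

```php
<?php
// Added example of the approach feyd describes (not feyd's code): re-authenticate
// on entering a higher-security area, then waive the prompt for a while by tying
// the session to a rotating key kept both in a separate cookie and in the session.
declare(strict_types=1);

const STEP_UP_COOKIE = 'stepup';   // assumed cookie name
const STEP_UP_PATH   = '/admin';   // assumed: cookie is only sent to the protected area
const STEP_UP_WINDOW = 900;        // assumed: 15 minutes before the prompt returns

// Mint a new key on every elevation. The session copy is the reference; the
// cookie copy is what the browser must present on each request to the area.
function issueStepUpKey(): void
{
    $key = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $_SESSION['stepup_key']   = $key;
    $_SESSION['stepup_until'] = time() + STEP_UP_WINDOW;
    setcookie(STEP_UP_COOKIE, $key, [
        'expires'  => 0,                        // browser-session cookie, not persisted to disk
        'path'     => STEP_UP_PATH,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // New session ID at the privilege boundary: whatever ID the browser held
    // before (possibly planted by an attacker) is no longer valid here.
    session_regenerate_id(true);
}

// True only if the browser presents the same key the session remembers,
// compared in constant time, and the elevation window has not expired.
function stepUpValid(): bool
{
    if (!isset($_SESSION['stepup_key'], $_SESSION['stepup_until'], $_COOKIE[STEP_UP_COOKIE])) {
        return false;
    }
    if (time() > (int) $_SESSION['stepup_until']) {
        return false;
    }
    return hash_equals((string) $_SESSION['stepup_key'], (string) $_COOKIE[STEP_UP_COOKIE]);
}

// Gate for the protected area: $verify receives the submitted password and
// returns true if it matches the logged-in user's stored hash.
function requireStepUp(callable $verify): void
{
    if (stepUpValid()) {
        return;                                 // convenience: prompt waived inside the window
    }
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && $verify((string) ($_POST['password'] ?? ''))) {
        issueStepUpKey();
        return;
    }
    http_response_code(401);
    exit('Re-enter your password to continue.');
}

// Usage at the top of /admin/index.php. $storedHash is constructed here for the
// example; in practice it is loaded from the user table for the logged-in user.
session_start();
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
requireStepUp(fn(string $pw): bool => password_verify($pw, $storedHash));
```

Keeping the key in the session as well as the cookie is what makes the cookie worth checking: a stolen session cookie alone does not open the admin area, and a stolen step-up cookie alone is tied to a session it does not have. The window is tracked server-side, so shortening or revoking it never depends on the browser honouring a cookie expiry.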

Securing Session cookies

Posted: Wed Dec 13, 2006 10:05 pm
by dacoolthings
1) If it's a commercial website, then install SSL for secure communication.

2) Generate unpredictable random characters for the session ID value.

3) Avoid incremental or time-based session cookie values.

4) Issue or generate the session cookie after successful authentication only.

5) Never generate cookies as persistent cookies on the user's hard disk.

6) Set the "SECURE" flag for the session cookie, which means cookies will be transmitted over SSL only.

7) Set the Path and Domain of session cookies.

8) Never store or pass session information in the URL or in hidden fields.

These are some of the security practices for secure session transmission.

More information can be found at http://www.webinfosec.com
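
The same list expressed as PHP session configuration, added here as an example (it is not the poster's code): each setting is annotated with the practice it implements. The HTTPS hostname, cookie path, session name and the logout routine are assumptions; the array form of session_set_cookie_params() needs PHP 7.3+, and session.sid_length / session.sid_bits_per_character need PHP 7.1+.

```php
<?php
// Added example, not from the post: PHP settings that implement the practices
// listed above. Hostname, path and session name are assumptions. PHP 7.3+.
declare(strict_types=1);

// SSL: a Secure cookie is never sent over plain HTTP, so the app must be reached
// over HTTPS; bounce plain-HTTP requests to the HTTPS origin (assumed host).
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://www.example.com' . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}

// Unpredictable IDs, nothing incremental or time-based: 48 characters at 6 bits
// each = 288 bits of CSPRNG output per session ID.
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

// No session information in the URL or hidden fields: cookies are the only
// carrier, and an ID the server never issued is rejected rather than adopted.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// Not persistent (lifetime 0 = browser-session cookie, not written to disk),
// Secure and HttpOnly, with Path and Domain scoped as tightly as possible.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/app/',   // assumed application path
    'domain'   => '',        // empty = host-only cookie, the tightest scope; set only if subdomains must share it
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_name('APPSESSID');   // assumed name; the default PHPSESSID advertises the platform
session_start();

// Issue the session after successful authentication only: regenerating the ID at
// the moment of login has the same effect, since whatever ID the browser held
// before is discarded and the new one is the first that carries authenticated state.
function login(string $user, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user']    = $user;
    $_SESSION['auth_at'] = time();
    return true;
}

// Logout clears server-side state and expires the cookie with the same
// attributes it was set with, otherwise the browser keeps the old one.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => 1,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

One caveat a practitioner should check: session.use_strict_mode only rejects unknown IDs if the save handler can tell known from unknown. The built-in file handler does; a custom handler registered with session_set_save_handler() must implement SessionUpdateTimestampHandlerInterface::validateId() or the setting is silently ineffective.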