On Session Hijacking

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jimthunderbird
Forum Contributor
Posts: 147
Joined: Tue Jul 04, 2006 3:59 am
Location: San Francisco, CA

Post by jimthunderbird »

Hi All,
These days I'm playing around with session security in PHP. I just wonder, will storing sessions in a database by setting the session handler completely prevent session hijacking? Or, if I still use file-based session handling, are there any other alternatives to mitigate session attacks?
I'm in a shared host environment.

Thank you very much for your help.

With my best,
Jim
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Session hijacking happens when the attacker knows the session id of the victim. Session data storage has nothing to do with it.

Both storage mechanisms (file and DB) have potential issues if the security is compromised. An attacker can potentially use other vulnerabilities to read the session ids by file access (in the first case) or db access (=sql injection in the second case), so both storage scenarios do little to mitigate the risk of session hijacking by themselves.

I can think of a possible mitigation strategy for DB-based sessions: if you use a different database for the session data, it shouldn't be possible to access the session ids from SQL injections on the application database, and you only have to secure the session access module (as opposed to the entire application) to be sure that injections in the app database will not lead to stolen sessions.

This is something I thought of just now, so I can't say how viable it is. What do you guys think?
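As an added illustration of the separate-database idea above (example code written for this thread, not posted by Mordred or jimthunderbird), here is a custom session save handler that keeps sessions in their own database on their own connection, and stores only a hash of the session id so that even a read of that table does not hand out a replayable id. It assumes PHP 8, MySQL (for `REPLACE INTO`), the table shown in the comment, and placeholder credentials for a dedicated account with rights on that table only.

```php
<?php
// Added example (not from the thread): a session save handler that keeps
// session data in a dedicated database, separate from the application DB.
// Assumed table: CREATE TABLE sessions (id CHAR(64) PRIMARY KEY, data BLOB, expires INT)
final class SeparateDbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    // Store only a hash of the id: a read of this table through some other
    // hole yields nothing that can be pasted straight into a cookie.
    private function key(string $id): string { return hash('sha256', $id); }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$this->key($id), time()]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;
    }

    public function write(string $id, string $data): bool
    {
        $expires = time() + (int) ini_get('session.gc_maxlifetime');
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$this->key($id), $data, $expires]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute([$this->key($id)]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

// Own connection and own least-privilege account (placeholders): an SQL
// injection in the application database never touches this table.
$sessionDb = new PDO('mysql:host=127.0.0.1;dbname=sessions_db', 'sess_user', 'PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new SeparateDbSessionHandler($sessionDb), true);
session_start();
```

Note that this only narrows what a compromise of the application database can reach; as the reply says, it does nothing against an attacker who already has the victim's session id by other means.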