Hi All,
These days I'm playing around with session security in PHP. I just wonder, will storing sessions in a database by setting the session handler completely prevent session hijacking? Or, if I still use file-based session handling, are there any other alternatives to mitigate session attacks?
I'm in a shared hosting environment.
Thank you very much for your help.
With my best,
Jim
On Session Hijacking
- jimthunderbird
Session hijacking happens when the attacker knows the session id of the victim. Session data storage has nothing to do with it.
Both storage mechanisms (file and DB) have potential issues if the security is compromised. An attacker can potentially use other vulnerabilities to read the session ids by file access (in the first case) or DB access (SQL injection, in the second case), so both storage scenarios do little to mitigate the risk of session hijacking by themselves.
I can think of a possible mitigation strategy for DB-based sessions: if you use a different database for the session data, it shouldn't be possible to access the session ids from SQL injections on the application database, and you only have to secure the session access module (as opposed to the entire application) to be sure that injections in the app database will not lead to stolen sessions.
This is something I thought of just now, so I can't say how viable it is. What do you guys think?
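A worked version of the separate-session-database idea from the reply above, added as an example for this thread (it is not code from any of the posters): a PHP 8 session handler that keeps session rows in a dedicated PDO connection and goes one step further by storing only a hash of the session id, followed by the cookie and strict-mode settings that matter whatever the backend is. The DSN, credentials, and the `sessions` table with columns `id_hash`, `data`, `expires_at` are assumptions.

```php
<?php
final class SeparateDbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    // $db is a PDO connection to a database holding nothing but session rows.
    public function __construct(private PDO $db, private int $ttl = 1440) {}
    // Only a hash of the id is stored: a dump of the table yields nothing a client can replay.
    private function key(string $id): string { return hash('sha256', $id); }
    private function lookup(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id_hash = ? AND expires_at > ?');
        $stmt->execute([$this->key($id), time()]);
        return $stmt->fetchColumn();
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $data = $this->lookup($id);
        return $data === false ? '' : $data;   // unknown id: empty session, not an error
    }

    // Without this, session.use_strict_mode is not enforced for a user-level handler.
    public function validateId(string $id): bool { return $this->lookup($id) !== false; }
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('REPLACE INTO sessions (id_hash, data, expires_at) VALUES (?, ?, ?)');
        return $stmt->execute([$this->key($id), $data, time() + $this->ttl]);
    }
    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }
    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id_hash = ?');
        return $stmt->execute([$this->key($id)]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        return $stmt->execute([time()]) ? $stmt->rowCount() : false;
    }
}

// Assumed DSN and credentials; what matters is that they differ from the application database's.
$sessionDb = new PDO('mysql:host=127.0.0.1;dbname=sessions_only', 'sess_user', 'sess_pw',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new SeparateDbSessionHandler($sessionDb), true);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.use_only_cookies', '1');  // never accept ids from the URL
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
```

After a successful login, call `session_regenerate_id(true)` so the id issued before authentication is retired; none of the storage choices above replace that step.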