In my relentless quest to come up with an alternative solution to prevent Session Hijacking via sniffing network packets without running a web site entirely through HTTPS/SSL, I have come up with a solution, "thinking outside the box", or at least I think I have.
Regardless of whether or not my method increases CPU performance, I'm asking everyone who reads this: am I correct in saying that this is an alternative solution?
For this to work, ALL your web pages must look something like this:
<?php
// Redirect back to the www. host if the page was requested without it (no http://myweb.com here).
if ($_SERVER['HTTP_HOST'] === 'myweb.com') {
    header('Location: http://www.myweb.com' . $_SERVER['REQUEST_URI']);
    exit;
}
$randomcode = bin2hex(random_bytes(8)); // generate an unpredictable random code (PHP 7+)
?>
<html>
<head>
<title>Web Page</title>
</head>
<body>
<img src="http://myweb.com/images/logo.gif" border="0" />
<img src="http://www.myweb.com/redirect.php?nocache=<?php echo $randomcode ?>" />
<h2>Welcome to myWeb.com!</h2>
</body>
</html>

Your web page URLs must include the www. (e.g. http://www.yourweb.com/page.php).
The next important thing is that all other non-web-page files, such as JS, CSS, DOC, ZIP, GIF, JPG, etc., must have a URL without the www. (e.g. http://yourweb.com/images/logo.gif).
The reason for this is that Apache/PHP creates different session identifiers for the two URLs (verify server settings). This prevents non-web-page requests from passing the session ID over http. Better yet, create a sub domain (http://upload.yourweb.com/images/logo.gif). Yahoo.com goes one step further and creates a whole new web domain name.
RegenerateIdentifier.php
<?php
//FAST SSL - Regenerate session identifier (this script is only ever reached over https)
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
session_start();              // resume the session carried by the cookie
session_regenerate_id(FALSE); // issue a new session id; FALSE leaves the old session data in place
?>

redirect.php
<?php
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
header('Location: https://www.myweb.com/RegenerateIdentif ... code($_GET["nocache"])));
?>

Cons to this method:
Three page requests.
Regenerating Session Identifier with every page request.
The HTTPS request could fail if a user clicks a link or stops or closes their browser too soon.
Basically, here is what happens:
1. User has logged in.
2. User requests http://www.yourweb.com/page.php
3. Page.php sends another request (image) for http://www.yourweb.com/redirect.php?h86d5uij6
4. Redirect.php makes a final secure request (redirect) to https://www.yourweb.com/RegenerateIdent ... =h86d5uij6
The last request changes the user's session identifier securely to something only the client and the server know.
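Added illustration (my own Python simulation, not code from the original post): it models the four steps above with a toy session store, a browser whose cookie jar is host-scoped, and a passive sniffer that records every plain-http request. The hostnames www.myweb.com and myweb.com follow the post; the page names, the token sizes and the modelled behaviour of session_regenerate_id(FALSE) (old id left in the store) are assumptions of the simulation.

```python
"""Simulation of the post's three-request flow:
http page -> http image hit on redirect.php -> 302 to https RegenerateIdentifier.php.
Added example, not the poster's code. Hosts follow the post; everything else is assumed."""
import secrets

WWW = "www.myweb.com"   # pages live here; this is the host the session cookie belongs to
BARE = "myweb.com"      # static files live here, without the www. (as in the post)


class Server:
    """Minimal session store; ids are random like PHP's session ids."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def login(self, user):
        sid = secrets.token_hex(13)
        self.sessions[sid] = {"user": user}
        return sid

    def regenerate(self, sid):
        """Model of session_regenerate_id(FALSE): new id, same data.
        Assumption: with FALSE the old id is not removed, so it stays usable."""
        data = self.sessions[sid]
        new_sid = secrets.token_hex(13)
        self.sessions[new_sid] = data
        return new_sid

    def valid(self, sid):
        return sid in self.sessions


class Wire:
    """Passive sniffer: sees (host, path, cookie) of every request sent over plain http."""

    def __init__(self):
        self.plaintext = []

    def request(self, scheme, host, path, cookie):
        if scheme == "http":
            self.plaintext.append((host, path, cookie))

    def sniffed_session_ids(self):
        return {c for _, _, c in self.plaintext if c is not None}


class Browser:
    """Cookie jar keyed by host: a cookie set by www.myweb.com without a Domain
    attribute is host-only, so it is never sent to myweb.com."""

    def __init__(self, wire):
        self.wire = wire
        self.jar = {}  # host -> session id

    def get(self, scheme, host, path):
        self.wire.request(scheme, host, path, self.jar.get(host))
        return self.jar.get(host)

    def set_cookie(self, host, sid):
        self.jar[host] = sid


def view_page(server, browser, page):
    """One page view as in the post's steps 2-4; returns the freshly issued session id."""
    sid = browser.get("http", WWW, page)                     # 2. page over http, cookie in the clear
    browser.get("http", BARE, "/images/logo.gif")            #    static file from the bare host, no cookie
    nocache = secrets.token_hex(4)                            #    the page's random code
    browser.get("http", WWW, f"/redirect.php?nocache={nocache}")  # 3. "image" hit, still http
    browser.get("https", WWW, f"/RegenerateIdentifier.php?nocache={nocache}")  # 4. inside TLS
    new_sid = server.regenerate(sid)
    browser.set_cookie(WWW, new_sid)                          # Set-Cookie arrives over https
    return new_sid


def run(page_views=3):
    """Log in, view a few pages, and report what the sniffer ended up with."""
    server, wire = Server(), Wire()
    browser = Browser(wire)
    sid = server.login("alice")
    browser.set_cookie(WWW, sid)   # step 1: user is already logged in (cookie assumed set)
    held = [sid]
    for i in range(page_views):
        held.append(view_page(server, browser, f"/page{i}.php"))
    return {
        "held": held,                                    # every id the user ever used
        "sniffed": wire.sniffed_session_ids(),           # ids captured from plain http
        "bare_host_cookies": {c for h, _, c in wire.plaintext if h == BARE},
        "old_ids_still_valid": all(server.valid(s) for s in held[:-1]),
    }


if __name__ == "__main__":
    r = run()
    print(f"ids held: {len(r['held'])}, ids sniffed: {len(r['sniffed'])}")
    print("cookies sent to the bare host:", r["bare_host_cookies"])
    print("old ids still valid:", r["old_ids_still_valid"])
```

Running it shows the two sides of the scheme. Requests to the bare host carry no cookie at all, which is the host-scoping effect the www./no-www split relies on. The sniffer, however, collects every id the browser ever sent over http, which is every id except the one issued on the most recent https hop, because each rotated id is sent in the clear again on the next page.php request; and, as modelled, the superseded ids remain usable while the old session data is left in place.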