PHP Session Security
For checking session security I have looked at some resources. There was nothing for general cases; in lots of them checking the user agent was suggested, but I think it's not enough.
Any other ideas about session security (fixation, hijacking, ...)?
Re: PHP Session Security
xfactor5 wrote:
For checking session security I have looked at some resources. There was nothing for general cases; in lots of them checking the user agent was suggested, but I think it's not enough.
Any other ideas about session security (fixation, hijacking, ...)?

Yes, IP address. Even a reverse lookup.
If the IP address was 212.159.111.71, you might want to take the first 24 bytes (212.159.111.) and match them every time the session is accessed. If the IP address has changed, prompt for a password to authenticate the new IP. If the new IP is only a little off the old one (for example, 212.158.111.71) then give an option to reduce the security level.
This doesn't work for everybody, and you need some failsafes so as not to frustrate users. But it definitely helps.
Re: PHP Session Security
Actually I want this for an automatic PHP-based firewall. I have finished lots of sections but sessions remain. This seems nice, but I need a more general method which works on applications without modifying source code.
Imen Web Firewall Features:
- SQL Injection Blocker
- XSS Blocker
- Flood Blocker
- Session security
- File Security
- PHP Settings Advisor
- Script Bug Finder
and more than 20 other features!
Re: PHP Session Security
I don't want to sound offensive, but I'm afraid the facts speak for themselves:
1. You aren't very familiar with the basics of session security. Nothing wrong with that, if not for the fact that
2. You are building a security product (I'm not sure what "web firewall" means exactly).
Re: PHP Session Security
xfactor5 wrote:
Actually I want this for an automatic PHP-based firewall. I have finished lots of sections but sessions remain. This seems nice, but I need a more general method which works on applications without modifying source code.

I think you need to elaborate on what you're actually trying to do.
Re: PHP Session Security
Mordred wrote:
I don't want to sound offensive, but I'm afraid the facts speak for themselves:
1. You aren't very familiar with the basics of session security. Nothing wrong with that, if not for the fact that
2. You are building a security product (I'm not sure what "web firewall" means exactly).

Web Firewall is not important; it's only a simple name for my project. For example, look at firewallscript.com.
Other parts are OK; most of the problem I have is sessions. Give solutions please.
kaisellgren (DevNet Resident, Posts: 1675, Joined: Sat Jan 07, 2006 5:52 am, Location: Lahti, Finland)
Re: PHP Session Security
xfactor5 wrote:
Web Firewall is not important; it's only a simple name for my project. For example, look at firewallscript.com.
Other parts are OK; most of the problem I have is sessions. Give solutions please.

If someone says he created 100% safe code, I do not trust him.
If something (like a firewall) is supposed to defend your script, I do not trust even that much...
The real security comes from the coders themselves. You should learn the terms, attack techniques, general security advice, etc. and protect yourself from them.
When you check against the user's IP, some people have IP addresses that change even on every page load (dynamic IPs). Some people have connections whose IP changes once a day, or once a week, etc. You should definitely make it an option somewhere in the control panel to restrict the access to certain IP ranges like xxx.xxx.xxx.0-255 where the last numbers do not need to match, as told earlier.
Re: PHP Session Security
kaisellgren wrote:
If someone says he created 100% safe code, I do not trust him.
If something (like a firewall) is supposed to defend your script, I do not trust even that much...
The real security comes from the coders themselves. You should learn the terms, attack techniques, general security advice, etc. and protect yourself from them.

That is obvious; it will not make applications or scripts secure. My project is a set of tools for providing more security, actually a selection between a "normal" and a "more secure" application. For example it scans POST and GET: it is not common to find this in data sent by a user: " ' or 1=1 -- "
Now what should I do for sessions? Solutions, please!
Re: PHP Session Security
The problem is, you're not really specifying what you want from us. We don't know exactly what you're trying to do, so how can we give you a solution?
Re: PHP Session Security
How do you check sessions to find out whether the requester is the starter of the session or not?
kaisellgren
Re: PHP Session Security
xfactor5 wrote:
How do you check sessions to find out whether the requester is the starter of the session or not?

There is no ultimate solution. If I log in to this phpBB forum, anyone using my PC can write with my account. So you cannot identify a user. If you want to identify a PC that is also quite impossible, since you are barely receiving any details about the PC from the client's HTTP request. If you want to identify a unique connection, you may use the IP; however, it might change. Web browsers usually provide you the user agent and operating system details that you may use. A few things you can do are to make sure you ask for the password if the user agent changes or if the IP changes too much (which means the last part of the IP may change). Apart from that, there's not much you can do about it. You may use Flash, ActiveX, something beyond JavaScript, to grab information about the user's PC, like hardware details, and use them... but it is not very user friendly to ask to install some ActiveX components or anything else.
You should make sure the session identifier is truly random and unguessable. If you then combine it with slight IP checking and user agent checking as well as a timeout limit for the session, then you are safe enough unless you have other security vulnerabilities in your site such as XSS holes or so. In my script I time out the session every 30 mins. I made a JS that displays a login box after 30 mins, so that if the user has written lots of content and then gets logged out he will get smurfed off, but the JS now pops up a login window and he can log in directly in the same page without losing anything (AJAX).
Hope that helps.
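A worked version of the checks kaisellgren and the earlier reply describe (an ID regenerated at login so a fixated one dies, a /24 IP-prefix and User-Agent comparison that prompts for the password instead of silently continuing, and a 30-minute idle timeout), added here as an example. It is not code from the Imen Web Firewall project or from any poster. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the IPv6 prefix length, the 'reauth' state and the sample addresses are assumptions of the example.

```php
<?php
// Added example for this thread, not code from the Imen Web Firewall project or
// from any poster: a session check along the lines discussed above.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // 30 minutes, the timeout mentioned in the thread

// Network prefix for the "slight" IP check: the first three octets of an IPv4
// address (212.159.111.71 -> 212.159.111). For IPv6 the example assumes the
// first 64 bits; that choice is an assumption, not something from the thread.
function ip_prefix(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return implode('.', array_slice(explode('.', $ip), 0, 3));
    }
    $packed = inet_pton($ip);
    return $packed === false ? $ip : bin2hex(substr($packed, 0, 8));
}

// What we remember about the client at login. The User-Agent is hashed only to
// keep the session record small; it is still client-chosen and easy to copy.
function client_fingerprint(string $ip, string $userAgent): array
{
    return ['ip_prefix' => ip_prefix($ip), 'ua' => hash('sha256', $userAgent)];
}

// Classify a request against an authenticated session record:
//   'ok'      same prefix and User-Agent, within the idle limit
//   'reauth'  IP prefix or User-Agent changed: ask for the password again
//   'expired' no login or idle for too long: throw the session away
function check_session(array $session, string $ip, string $userAgent, int $now): string
{
    if (!isset($session['user_id'], $session['fp'], $session['last_seen'])) {
        return 'expired';
    }
    if ($now - (int) $session['last_seen'] > SESSION_IDLE_LIMIT) {
        return 'expired';
    }
    $current = client_fingerprint($ip, $userAgent);
    if (!hash_equals((string) $session['fp']['ua'], $current['ua'])
        || $session['fp']['ip_prefix'] !== $current['ip_prefix']) {
        return 'reauth';
    }
    return 'ok';
}

// Call once the password has been verified. Regenerating the ID here is the
// fixation defence: an ID the attacker planted before login is discarded.
function establish_session(int $userId, string $ip, string $userAgent, int $now): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'   => $userId,
        'fp'        => client_fingerprint($ip, $userAgent),
        'last_seen' => $now,
    ];
}

if (PHP_SAPI === 'cli') {
    // Stand-alone run with constructed values: a login from 212.159.111.71,
    // then four follow-up requests that exercise each outcome.
    $record = [
        'user_id'   => 42,
        'fp'        => client_fingerprint('212.159.111.71', 'Mozilla/5.0 (X11; Linux)'),
        'last_seen' => 1000,
    ];
    $requests = [
        'same /24, same UA'     => ['212.159.111.90', 'Mozilla/5.0 (X11; Linux)', 1500],
        'different /24'         => ['212.158.111.71', 'Mozilla/5.0 (X11; Linux)', 1500],
        'same IP, different UA' => ['212.159.111.71', 'curl/8.4.0', 1500],
        'idle for 40 minutes'   => ['212.159.111.71', 'Mozilla/5.0 (X11; Linux)', 1000 + 2400],
    ];
    foreach ($requests as $label => [$ip, $ua, $now]) {
        printf("%-24s %s\n", $label, check_session($record, $ip, $ua, $now));
    }
} else {
    // Web request glue. use_strict_mode makes PHP reject IDs it did not issue
    // (needed for the regenerate-on-login defence); the cookie flags keep the
    // ID away from scripts and plaintext HTTP (array form needs PHP >= 7.3).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    $state = check_session($_SESSION, $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '', time());
    if ($state === 'expired') {
        $_SESSION = [];
        session_destroy();
    } elseif ($state === 'reauth') {
        $_SESSION['needs_reauth'] = true; // login form calls establish_session() on success
    } else {
        $_SESSION['last_seen'] = time();
    }
}
```

The IP and User-Agent checks raise the bar but are not authentication: the User-Agent is chosen by the client, and anyone behind the same NAT or on the same /24 shares the prefix, so a stolen ID from that network still passes. The parts that actually stop fixation and most hijacking are the unguessable ID that is regenerated at login, strict mode so PHP never accepts an ID it did not issue, and cookies that scripts and plaintext HTTP cannot read. Binding to the prefix also rules out the "option to reduce the security level" from the earlier reply unless you store that choice per session.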
Re: PHP Session Security
Thanks for your help!
Fortunately my project is powerful in detecting XSS and injections. If you have any ideas to share about other attacks please post.
kaisellgren
Re: PHP Session Security
xfactor5 wrote:
Thanks for your help!
Fortunately my project is powerful in detecting XSS and injections. If you have any ideas to share about other attacks please post.

No offence, but you should not say (or think) that your project is 'powerful' in detecting XSS and injections. That word does not really mean anything after all. If someone succeeds with XSS attacks, that means your project has never been powerful - or has it? What does it actually mean? I would rather say my project protects from XSS attacks, which means I do my best to protect from everything, and if under any circumstances some attacks work, I'll patch my script. I'm not exactly sure which injections you were talking about, but I'm assuming you were talking about the most common topic of injections, SQL injections; then you might want to create some sort of automatic escape feature for your project.
http://zend.is-hacked.com/2008/sql-prepared-statements/
So you wanted me to share about other attacks? I think there are enough articles on the Internet about security, I'll name you a few topics you may want to know about: CSRF, SQL Injections, Chain Attacks, Header Injections, Session Fixation, Session Hijacking, Man-In-The-Middle, Session Forging, Cookie Forging, Session Poisoning, Register Globals, Magic Quotes, XSS, Data Hashing, Installer Lock, Remote Code Attacks, IP Banning, Brute Force, Error Reporting, CAPTCHA Protection, Flooding, Salting, Saucing, Peppering, Truncation attacks, Weak Randomness, Filesystem permissions, Buffer Overflows, Session Management, IP logging, SSL, Cookie encryption, I could just keep going...
Re: PHP Session Security
By powerful I mean it can detect all of the XSS attacks in the XSS Cheat Sheet or in the SQL Injection Cheat Sheet,
even if the attacker tries to confuse it by adding spaces, characters, changing order, ...
And it is not 100% secure, but powerful at its level.
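An added example, not code from the Imen Web Firewall project or from any poster, covering the two sides of this exchange: the payload xfactor5 quoted, " ' or 1=1 -- ", run against a query built by string concatenation and against the prepared statement kaisellgren linked to, next to the kind of GET/POST signature scan a "web firewall" performs. It uses an in-memory SQLite database so it runs stand-alone and assumes the pdo_sqlite extension is loaded; the table, the rows and the second payload are constructed for the example.

```php
<?php
// Added example for this thread, not Imen Web Firewall code: the same input
// against string-built SQL, against a prepared statement, and against a
// blacklist scanner. Assumes the pdo_sqlite extension.
declare(strict_types=1);

// Constructed sample data: two users in an in-memory database.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
    $db->exec("INSERT INTO users (name, password) VALUES ('alice', 'secret1'), ('bob', 'secret2')");
    return $db;
}

// Vulnerable: the user's input becomes part of the query text, so a quote in
// the input ends the string literal and the rest is parsed as SQL.
function login_concat(PDO $db, string $name, string $password): array
{
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: placeholders keep the input as a value no matter what it contains,
// so there is nothing for a scanner to detect in the first place.
function login_prepared(PDO $db, string $name, string $password): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The kind of blacklist scan a "web firewall" runs over GET/POST. It matches a
// string pattern; it does not know how the query will be parsed.
function looks_like_injection(string $value): bool
{
    return (bool) preg_match('/\'\s*or\s+1\s*=\s*1\s*--/i', $value);
}

if (PHP_SAPI === 'cli') {
    $db = make_db();
    $payloads = [
        "' or 1=1 --",     // the payload quoted in the thread
        "' OR 1=1 OR '",   // constructed variant: same effect, no comment marker
    ];
    foreach ($payloads as $payload) {
        printf("input:    %s\n", $payload);
        printf("concat:   [%s]\n", implode(',', login_concat($db, $payload, 'x')));
        printf("prepared: [%s]\n", implode(',', login_prepared($db, $payload, 'x')));
        printf("scanner:  %s\n\n", looks_like_injection($payload) ? 'flagged' : 'passed');
    }
}
```

Run from the command line, the concatenated query returns every user for both inputs, the prepared statement returns none, and the scanner flags only the first. That is the point behind "automatic escape" versus detection: a cheat-sheet pattern list can only grow, while a parameterised query is correct for inputs nobody has written down yet. The same holds for the XSS side: encode output for the context it lands in rather than trying to recognise every attack string on the way in.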
Re: PHP Session Security
kaisellgren wrote:
So you wanted me to share about other attacks? I think there are enough articles on the Internet about security, I'll name you a few topics you may want to know about: CSRF, SQL Injections, Chain Attacks, Header Injections, Session Fixation, Session Hijacking, Man-In-The-Middle, Session Forging, Cookie Forging, Session Poisoning, Register Globals, Magic Quotes, XSS, Data Hashing, Installer Lock, Remote Code Attacks, IP Banning, Brute Force, Error Reporting, CAPTCHA Protection, Flooding, Salting, Saucing, Peppering, Truncation attacks, Weak Randomness, Filesystem permissions, Buffer Overflows, Session Management, IP logging, SSL, Cookie encryption, I could just keep going...

Well, I am just sending my query trying to know... does the application you write consider or mitigate all these ("I could just keep going...") vulnerabilities/threats?