
PHP Session Security

Posted: Wed Dec 03, 2008 12:38 pm
by xfactor5
For checking session security I have looked at some resources, but there was nothing for general cases. In lots of them checking the user agent was suggested, but I think it's not enough.
Any other ideas about session security (fixation, hijacking, ...)?

Re: PHP Session Security

Posted: Fri Dec 05, 2008 1:11 pm
by SteveC
xfactor5 wrote:For checking session security I have looked at some resources, but there was nothing for general cases. In lots of them checking the user agent was suggested, but I think it's not enough.
Any other ideas about session security (fixation, hijacking, ...)?
Yes,

IP address. Even a reverse look up.

If the IP address was 212.159.111.71, you might want to take the first 24 bytes (212.159.111.) and match them every time the session is accessed. If the IP address has changed, prompt for a password to authenticate the new IP. If the new IP is only a little off the old one (for example, 212.158.111.71), then give an option to reduce the security level.

This doesn't work for everybody, and you need some failsafes as to not frustrate users. But it definitely helps.

Re: PHP Session Security

Posted: Sat Dec 06, 2008 2:49 am
by xfactor5
Actually I want this for an automatic PHP-based firewall. I have finished lots of sections but sessions are remaining. This seems nice, but I need a more general method which works on applications without modifying source code.

Imen Web Firewall Features:
- SQL Injection Blocker
- XSS Blocker
- Flood Blocker
- Session Security
- File Security
- PHP Settings Advisor
- Script Bug Finder
and more than 20 other features!

Re: PHP Session Security

Posted: Sun Dec 07, 2008 3:42 pm
by Mordred
I don't want to sound offensive, but I'm afraid the facts speak for themselves:
1. You aren't very much familiar with the basics of session security. Nothing wrong with that, if not for the fact that
2. You are building a security product (I'm not sure what "web firewall" means exactly)

Re: PHP Session Security

Posted: Mon Dec 08, 2008 10:10 am
by SteveC
xfactor5 wrote:Actually I want this for an automatic PHP-based firewall. I have finished lots of sections but sessions are remaining. This seems nice, but I need a more general method which works on applications without modifying source code.

Imen Web Firewall Features:
- SQL Injection Blocker
- XSS Blocker
- Flood Blocker
- Session Security
- File Security
- PHP Settings Advisor
- Script Bug Finder
and more than 20 other features!
I think you need to elaborate on what you're actually trying to do.

Re: PHP Session Security

Posted: Tue Dec 09, 2008 1:15 am
by xfactor5
Mordred wrote:I don't want to sound offensive, but I'm afraid the facts speak for themselves:
1. You aren't very much familiar with the basics of session security. Nothing wrong with that, if not for the fact that
2. You are building a security product (I'm not sure what "web firewall" means exactly)
"Web Firewall" is not important; it's only a simple name for my project. For example, look at firewallscript.com.
The other parts are OK; most of the problem I have is with sessions. Give solutions, please.

Re: PHP Session Security

Posted: Mon Dec 15, 2008 11:45 am
by kaisellgren
xfactor5 wrote:
Mordred wrote:I don't want to sound offensive, but I'm afraid the facts speak for themselves:
1. You aren't very much familiar with the basics of session security. Nothing wrong with that, if not for the fact that
2. You are building a security product (I'm not sure what "web firewall" means exactly)
"Web Firewall" is not important; it's only a simple name for my project. For example, look at firewallscript.com.
The other parts are OK; most of the problem I have is with sessions. Give solutions, please.
If someone says he created 100% safe code, I do not trust him.
If something (like a firewall) is supposed to defend your script, I do not trust even that much...

The real security comes from the coders themselves. You should learn the terms, attack techniques, general security advice, etc. and protect yourself from them.

When you check against the user's IP, some people have IP addresses that change even on every page load (dynamic IPs). Some people have connections whose IP changes once a day, or once a week, etc. You should definitely make it an option somewhere in the control panel to restrict access to certain IP ranges like xxx.xxx.xxx.0-255, where the last numbers do not need to match, as told earlier.

Re: PHP Session Security

Posted: Wed Dec 17, 2008 3:00 pm
by xfactor5
kaisellgren wrote: If someone says he created 100% safe code, I do not trust him.
If something (like a firewall) is supposed to defend your script, I do not trust even that much...

The real security comes from the coders themselves. You should learn the terms, attack techniques, general security advice, etc. and protect yourself from them.
That is obvious; it will not make applications or scripts secure. My project is a set of tools for providing more security, actually a selection between a "normal" and a "more secure" application. For example, it scans POST and GET:
it is not common to find this in data sent by a user: " ' or 1=1 -- "
Now what should I do for sessions? Solutions, please!

Re: PHP Session Security

Posted: Wed Dec 17, 2008 11:17 pm
by SteveC
The problem is, you're not really specifying what you want from us. We don't know exactly what you're trying to do, so how can we give you a solution?

Re: PHP Session Security

Posted: Thu Dec 18, 2008 5:44 am
by xfactor5
How do you check sessions to find out whether the requester is the starter of the session or not?

Re: PHP Session Security

Posted: Thu Dec 18, 2008 7:18 am
by kaisellgren
xfactor5 wrote:How do you check sessions to find out whether the requester is the starter of the session or not?
There is no ultimate solution. If I log in to this phpBB forum, anyone using my PC can write with my account. So you cannot identify a user. If you want to identify a PC, that is also quite impossible, since you are barely receiving any details about the PC from the client's HTTP request. If you want to identify a unique connection, you may use the IP; however, it might change. Web browsers usually provide you the user agent and operating system details that you may use. A few things you can do are to make sure you ask for the password if the user agent changes or if the IP changes too much (which means the last part of the IP may change). Apart from that, there's not much you can do about it. You may use Flash, ActiveX, or something beyond JavaScript to grab information about the user's PC, like hardware details, and use them... but it is not very user friendly to ask to install some ActiveX components or anything else.

You should make sure the session identifier is truly random and unguessable. If you then combine it with slight IP checking and user agent checking, as well as a timeout limit for the session, then you are safe enough, unless you have other security vulnerabilities in your site such as XSS holes or so. In my script I time out the session every 30 mins. I made a JS that displays a login box after 30 mins, so that if the user has written lots of content and then gets logged out he will get smurfed off, but the JS now pops up a login window and he can log in directly in the same page without losing anything (AJAX).

Hope that helps.
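
The checks SteveC (match the first three octets of the IP, re-prompt for the password when they change) and kaisellgren (random id, light IP and user-agent checks, a 30-minute timeout) describe, put together as one added example. This is my code, not code posted in the thread or from any project named here; it assumes PHP 7 or later with cookie-based sessions, and the function names and `$_SESSION` keys are my own. What SteveC's post calls "the first 24 bytes" is the first 24 bits, i.e. the three leading octets of an IPv4 address. The validation function reports *why* a request failed so the caller can prompt for re-authentication instead of silently logging the user out, which is the failsafe both posters ask for given dynamic IPs.

```php
<?php
// Added example (not from the thread): bind a PHP session to the client's
// /24 prefix and user agent, and expire it after 30 idle minutes.
// Assumes PHP 7+; names below are my own.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 30 * 60;   // seconds, the 30 mins from the post

// Cookie/session settings that matter more than any fingerprint check.
function configure_session_cookies(): void
{
    ini_set('session.use_only_cookies', '1');   // ignore ids passed in the URL (fixation)
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued
    ini_set('session.cookie_httponly', '1');    // keep the cookie away from script
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');  // only send it over TLS
    }
}

// The "first three octets" SteveC suggests comparing (a /24 for IPv4).
// For IPv6 the whole address is returned; a v6 prefix rule is a policy choice.
function network_prefix(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return implode('.', array_slice(explode('.', $ip), 0, 3)) . '.';
    }
    return $ip;
}

// What a stolen cookie would additionally have to match.
function request_fingerprint(string $ip, string $userAgent): array
{
    return [
        'prefix' => network_prefix($ip),
        'ua'     => hash('sha256', $userAgent),
    ];
}

// Record who started the session. Call once, right after a successful login.
function bind_session(array &$session, string $ip, string $userAgent, int $now): void
{
    session_regenerate_id(true);   // fresh id on login defeats a fixated one
    $session['bind']      = request_fingerprint($ip, $userAgent);
    $session['last_seen'] = $now;
}

// Returns 'ok', 'unbound', 'expired', 'ua_changed' or 'ip_changed'.
// The caller decides what each one means (re-prompt, relax, or log out).
function validate_session(array &$session, string $ip, string $userAgent, int $now): string
{
    if (!isset($session['bind'], $session['last_seen'])) {
        return 'unbound';
    }
    if ($now - $session['last_seen'] > SESSION_IDLE_LIMIT) {
        return 'expired';
    }
    $current = request_fingerprint($ip, $userAgent);
    if (!hash_equals($session['bind']['ua'], $current['ua'])) {
        return 'ua_changed';
    }
    if ($session['bind']['prefix'] !== $current['prefix']) {
        return 'ip_changed';   // 212.159.111.x -> 212.158.111.x lands here
    }
    $session['last_seen'] = $now;   // sliding idle timeout
    return 'ok';
}

// Usage in a page that requires a logged-in user.
configure_session_cookies();
session_start();
$state = validate_session(
    $_SESSION,
    $_SERVER['REMOTE_ADDR'] ?? '',
    $_SERVER['HTTP_USER_AGENT'] ?? '',
    time()
);
if ($state !== 'ok') {
    // Do not trust the old id any further; ask for the password again.
    unset($_SESSION['bind']);
    session_regenerate_id(true);
    header('Location: /login.php?reason=' . urlencode($state));
    exit;
}
```

The login handler would call `bind_session($_SESSION, $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '', time())` after verifying the password. Two points worth keeping in mind: the IP prefix and user agent are both supplied by the client, so they raise the bar for a stolen cookie but are not proof of identity, and users behind rotating proxies will hit `ip_changed` legitimately; the controls that actually carry the weight are the unguessable id that `use_strict_mode` enforces, regenerating the id at login, the HttpOnly/Secure cookie flags, and the idle timeout.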

Re: PHP Session Security

Posted: Fri Dec 19, 2008 8:00 am
by xfactor5
Thanks for your help!
Fortunately my project is powerful in detecting XSS and injections. If you have any ideas to share about other attacks, please post.

Re: PHP Session Security

Posted: Fri Dec 19, 2008 8:22 am
by kaisellgren
xfactor5 wrote:Thanks for your help!
Fortunately my project is powerful in detecting XSS and injections. If you have any ideas to share about other attacks, please post.
No offence, but you should not say (or think) that your project is 'powerful' in detecting XSS and injections. That word does not really mean anything after all. If someone succeeds with XSS attacks, that means your project has never been powerful - or has it? What does it actually mean? I would rather say my project protects from XSS attacks, which means I do my best to protect from everything, and if under any circumstances some attacks work, I'll patch my script. I'm not exactly sure which injections you were talking about, but assuming you were talking about the most common kind of injection, SQL injection, then you might want to create some sort of automatic escape feature for your project.

http://zend.is-hacked.com/2008/sql-prepared-statements/

So you wanted me to share about other attacks? I think there are enough articles on the Internet about security, I'll name you a few topics you may want to know about: CSRF, SQL Injections, Chain Attacks, Header Injections, Session Fixation, Session Hijacking, Man-In-The-Middle, Session Forging, Cookie Forging, Session Poisoning, Register Globals, Magic Quotes, XSS, Data Hashing, Installer Lock, Remote Code Attacks, IP Banning, Brute Force, Error Reporting, CAPTCHA Protection, Flooding, Salting, Saucing, Peppering, Truncation attacks, Weak Randomness, Filesystem permissions, Buffer Overflows, Session Management, IP logging, SSL, Cookie encryption, I could just keep going... :D

Re: PHP Session Security

Posted: Fri Dec 19, 2008 11:17 am
by xfactor5
By "powerful" I mean it can detect all of the XSS attacks in the XSS Cheat Sheet or in the SQL Injection Cheat Sheet,
even if the attacker tries to confuse it by adding spaces, characters, changing order, ...
And it is not 100% secure, but powerful at its level.

Re: PHP Session Security

Posted: Fri Jan 23, 2009 10:45 pm
by rami
kaisellgren wrote:
xfactor5 wrote:
So you wanted me to share about other attacks? I think there are enough articles on the Internet about security, I'll name you a few topics you may want to know about: CSRF, SQL Injections, Chain Attacks, Header Injections, Session Fixation, Session Hijacking, Man-In-The-Middle, Session Forging, Cookie Forging, Session Poisoning, Register Globals, Magic Quotes, XSS, Data Hashing, Installer Lock, Remote Code Attacks, IP Banning, Brute Force, Error Reporting, CAPTCHA Protection, Flooding, Salting, Saucing, Peppering, Truncation attacks, Weak Randomness, Filesystem permissions, Buffer Overflows, Session Management, IP logging, SSL, Cookie encryption, I could just keep going... :D
Well, I am just sending my query trying to know...
does the application you write consider or mitigate all these (I could just keep going...) vulnerabilities/threats?