session validation method
Moderator: General Moderators
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
session validation method
I had an idea for a method to validate sessions.
When the user logs in a random hash gets generated. This hash gets stored in the session and in the users cookies. When he goes to a new page the cookie gets checked against the session, along with the session id and if things match up a new hash gets generated and stored in both places.
Basically, every time they load a page a new hash gets generated to check the next page.
I was hoping that this would be a good method to prevent session hijacking because even if the traffic was eavesdropped on, the eavesdropper would have to use the information quickly because if the user loaded a new page the old hash would be garbage.
Thoughts? Comments? I am just starting to learn about the world of security so please, any insight no matter how insignificant can be helpful. Would this be effective? What about overhead, could this method create a lot of unnecessary overhead?
Thanks,
Shawn
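Added example, not code from this thread or from Shawn: one way to implement the rotating per-request token described in the post above, in PHP. The function names (session_guard_*) and the cookie name (sguard) are invented here, and it assumes PHP 7.3 or later for the array form of setcookie() and a server-side session store.

```php
<?php
// Added example (not from the forum thread): the per-request rotating token
// Shawn describes. Names session_guard_* and the cookie 'sguard' are invented.
// Assumes PHP >= 7.3 (array-form setcookie) and a server-side session store.

declare(strict_types=1);

const SGUARD_COOKIE = 'sguard';

// Issue a fresh token: kept server-side in $_SESSION and client-side in a cookie.
function session_guard_issue(): string
{
    $token = bin2hex(random_bytes(32));     // 256 bits from the OS CSPRNG
    $_SESSION['sguard'] = $token;
    setcookie(SGUARD_COOKIE, $token, [
        'expires'  => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // browser only sends it over HTTPS
        'httponly' => true,    // not readable from script, so XSS cannot read it
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Call once, right after a successful login.
function session_guard_start_after_login(): void
{
    session_regenerate_id(true);   // new SID; the pre-login SID is discarded
    session_guard_issue();
}

// Call at the top of every authenticated request. Returns true if the request
// carried the token issued by the previous request, and rotates it for the next.
function session_guard_check(): bool
{
    $expected  = $_SESSION['sguard'] ?? '';
    $presented = $_COOKIE[SGUARD_COOKIE] ?? '';
    if ($expected === '' || !is_string($presented)
        || !hash_equals($expected, $presented)) {      // constant-time compare
        // Missing cookie or a stale/replayed token: the session has been used
        // by two parties (or the cookie was lost). End it for everyone.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    session_regenerate_id(true);   // rotate the SID together with the token
    session_guard_issue();
    return true;
}

// Typical wiring for a page that requires login:
session_start();
if (!session_guard_check()) {
    header('Location: /login.php');
    exit;
}
```

Two things this makes visible that the description does not. First, because the token and the SID are both rotated, whichever party (user or eavesdropper) sends the old pair second is detected, and the safe reaction is to end the session rather than try to guess which one is legitimate. Second, the scheme breaks legitimate clients that issue requests in parallel (two tabs, or a page plus its AJAX calls): the second request still carries the previous token and logs the user out, so a real deployment has to serialise requests or exempt non-page endpoints. None of this replaces the transport protection; the secure flag on the cookie only helps if the site is actually served over HTTPS.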
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: session validation method
Yes, generating a secret key is a good way to validate sessions.
Re: session validation method
So, this protection works only against senile and slow attackers.
No, you protect against session hijacking by not letting the attacker steal the SID. You may take some mitigation measures, like checking the ip, but they may only make it harder to attack, not prevent it.
There are two basic ways of stealing the SID:
1. Sniffing traffic. This is an attack towards a lower level protocol than you, for protection against it you must use a lower level protection - TLS (https) and "secure" cookies.
2. Stealing it by leaking it over a side channel (i.e. XSS), which is prevented by not having XSS holes in your site (which is a complex topic by itself)
And for completeness:
3. Guessing. I've seen people generate their SIDs manually like that: $sid = md5(rand(1,10000))
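Added example, not code from this thread or from the poster above: the three points in that reply (sniffing, XSS leakage, guessing) as PHP session configuration, alongside the weak generator it quotes. The function names are invented for illustration; it assumes PHP 7.1 or later for session.sid_length and session.sid_bits_per_character and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the forum thread). Function names are invented.
// Assumes PHP >= 7.1 (sid_length / sid_bits_per_character) and >= 7.3
// (array form of session_set_cookie_params).

declare(strict_types=1);

// 3. Guessing: the generator quoted in the reply. rand(1,10000) yields at most
//    10000 distinct values, and md5 of a small integer is a fixed, precomputable
//    table, so the whole SID space can be walked in a few thousand requests.
function weak_sid(): string
{
    return md5((string) rand(1, 10000));
}

// The same job done properly: 32 bytes from the OS CSPRNG, 2^256 possibilities.
function strong_sid(): string
{
    return bin2hex(random_bytes(32));
}

// Make the size of the weak space concrete by enumerating it.
function weak_sid_space_size(): int
{
    $seen = [];
    for ($i = 1; $i <= 10000; $i++) {
        $seen[md5((string) $i)] = true;
    }
    return count($seen);   // 10000
}

// Better still: do not hand-roll SIDs at all. Let PHP generate them with a
// large enough space, and refuse any SID the server did not issue itself
// (use_strict_mode), which also closes session fixation.
function harden_session_config(): void
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');        // never accept SIDs in the URL
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');   // 48 chars * 6 bits = 288 bits

    // 1. Sniffing: 'secure' tells the browser to send the cookie over HTTPS only,
    //    so a plaintext HTTP request never carries the SID at all.
    // 2. XSS side channel: 'httponly' keeps the cookie out of document.cookie.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

harden_session_config();
session_start();
```

This is also the answer to the "secure cookies" question further down the thread: "secure" is a flag on the cookie, not a property of its value, and its only effect is that the browser withholds the cookie from non-HTTPS requests. On a site served purely over HTTP the flag means the cookie is never sent, so it only makes sense together with TLS.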
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
Re: session validation method
HTTPS is the most secure method but I think it's also important to make the attack as hard as possible, not everyone is going to use https.
This method would take care of number 3. Number 2 is a problem in and of itself and needs to be dealt with, but is not what I am trying to focus on here.
Number 1 is what I'm trying to deal with here, but without https for the sake of learning. What is it you mean by "secure" cookies?
Isn't checking IPs kind of tricky because some people use proxies? I read it causes trouble for people with AOL.
What other holes does my method have? And yes, it will only work against slow and senile attackers but it's meant to be part of a solution.
Re: session validation method
shawngoldw wrote:
    HTTPS is the most secure method but I think it's also important to make the attack as hard as possible, not everyone is going to use https.
You can force them to use HTTPS. Look at Google Mail, Online Banking, etc.
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
Re: session validation method
Sorry, I don't mean every user, I mean every server.
For instance, devnetwork doesn't use http. But I would like to think they still try to keep my session secure.
Re: session validation method
Your method sounds fine, but it should be used in conjunction with HTTPS to be truly secure.
phpBB does have some session security, but ultimately, as we are not using HTTPS, the session is being transmitted in plaintext with each request - anyone can sniff that.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: session validation method
And what do you have for people who take coffee breaks while staying logged in?
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
Re: session validation method
Don't take coffee breaks
This is a more difficult problem. I do not want to make sure that the ip stays constant because not everybody has a static ip.
As of right now I have a method planned which will kick an eavesdropper off your account when you come back from your coffee break but it's far from perfect because it doesn't stop them from getting on in the first place.
I'm not sure of the best way to go about this because as I see it some sort of credential needs to be stored in the client's cookies, but these are vulnerable to attack. As of now I can only limit the effectiveness of that attack, not prevent it. I'm having the same problem with the "Remember Me" feature.
Do you have a suggestion Kaisellgren? or anyone?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: session validation method
shawngoldw wrote:
    As of now I can only limit the effectiveness of that attack, not prevent it.
You can't prevent those attacks unless you are using strong session identifiers and TLS.
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
Re: session validation method
kaisellgren wrote:
    shawngoldw wrote:
        As of now I can only limit the effectiveness of that attack, not prevent it.
    You can't prevent those attacks unless you are using strong session identifiers and TLS.
Right, I've got the key I mentioned in my OP, user agent, and ip tracking to help limit the attack. SSL will be an optional component of the site.
I won't be making sure that IPs stay static but I will be tracking them and if something suspicious is happening the suspicious ip will be logged out.
Together I hope this will help lower the effectiveness of an attack.
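Added example, not code from this thread or from Shawn's site: one PHP sketch of the user-agent and IP tracking described in the post above, combined with an idle timeout for the coffee-break case raised earlier in the thread. The function names (session_fingerprint, session_bind, session_verify) and the timeout values are invented; it assumes the session already identifies a logged-in user.

```php
<?php
// Added example (not from the forum thread). Names and limits are invented.
// Assumes PHP >= 7.1 and that $_SESSION already belongs to a logged-in user.

declare(strict_types=1);

const IDLE_LIMIT_SECONDS     = 15 * 60;   // the coffee-break budget
const ABSOLUTE_LIMIT_SECONDS = 8 * 3600;  // force a fresh login at least once a shift

// A deliberately loose fingerprint: the user agent plus only the network prefix
// of the address (/24 for IPv4, /48 for IPv6). A user whose ISP or proxy pool
// rotates addresses inside one block is not logged out; a request from a
// different network is treated as suspicious, as the post above proposes.
function session_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    $prefix = '';
    if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
        $bin    = inet_pton($ip);                       // 4 or 16 raw bytes
        $prefix = bin2hex(substr($bin, 0, strlen($bin) === 4 ? 3 : 6));
    }
    return hash('sha256', $ua . '|' . $prefix);
}

// Call once at login, after session_regenerate_id(true).
function session_bind(array $server, int $now): void
{
    $_SESSION['fp']         = session_fingerprint($server);
    $_SESSION['created_at'] = $now;
    $_SESSION['last_seen']  = $now;
}

// Call on every authenticated request. Returns null when the session is
// acceptable, otherwise a short reason the caller logs before ending it.
function session_verify(array $server, int $now): ?string
{
    if (!isset($_SESSION['fp'], $_SESSION['created_at'], $_SESSION['last_seen'])) {
        return 'unbound session';
    }
    if ($now - $_SESSION['last_seen'] > IDLE_LIMIT_SECONDS) {
        return 'idle timeout';        // nobody, legitimate or not, continues after a long gap
    }
    if ($now - $_SESSION['created_at'] > ABSOLUTE_LIMIT_SECONDS) {
        return 'absolute timeout';
    }
    if (!hash_equals($_SESSION['fp'], session_fingerprint($server))) {
        return 'fingerprint mismatch';
    }
    $_SESSION['last_seen'] = $now;
    return null;
}

// Typical wiring for a page that requires login:
session_start();
$reason = session_verify($_SERVER, time());
if ($reason !== null) {
    // Log a hash prefix of the SID, never the SID itself: log files leak too.
    error_log(sprintf('session %s ended: %s from %s',
        substr(hash('sha256', session_id()), 0, 12),
        $reason,
        $_SERVER['REMOTE_ADDR'] ?? '?'));
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

As kaisellgren says above, none of these checks prevent the hijack: an attacker who sniffed the cookie on the same network shares the address prefix, and the user agent is a plain request header that is copied along with the cookie. What they do buy is a bounded window (the idle and absolute limits) and a log line to investigate when a session does jump networks.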
- fortnox007
- Forum Newbie
- Posts: 2
- Joined: Sat Aug 07, 2010 8:51 pm
Re: session validation method
Hi all,
Everybody is talking about how everybody can sniff if https isn't used. Now this might be a dumb question but how on earth can you sniff that info?
Learning sessions is one thing but without knowing what is attacking you it's even harder to protect oneself. If anyone reads this, could he maybe point a new PHP'er in the right direction of learning to sniff? I would be more than pleased.
Re: session validation method
You just use a packet sniffer tool to do it, select your protocol (in this case, HTTP) open the packet and decode its contents and all the information is in there. There are plenty of utilities out there, just Google it.