Before anyone complains, this is purely for testing a new script I have developed to see if there are any obvious holes in it. You hear a lot about session hacking, so I thought it was something worth learning more about. I have developed a script for a login area to a simple CMS and I want to know how hackers get in and exploit sessions so that I know where I should be looking for holes. I'm not expecting anyone to post hacking code here, just pointers to what I should look out for. Basically I'm using a form to post user and password to a session script that starts the session and starts a timer. Every time the user navigates inside the admin area the timer is reset, but it will log the person out if they are inactive for 20 mins. Is this the right approach, and have I missed anything obvious? Thanks in advance for your time.
Store your sessions in the database. MySQL has a memory table type; it's even faster than storing sessions in /tmp on the disk. You can also do fancy things like number of users online, and it's secure.
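What the reply above describes, as an added example that is not code from anyone in this thread: a custom PHP session handler that keeps session rows in a MySQL MEMORY table through PDO. It assumes PHP 8.1 or later, a PDO connection with placeholder credentials, and a table created with the DDL in the comment (the table name, column names and sizes are my own choices). Note that moving storage into the database changes where session data lives, not how the cookie is protected, so the cookie flags and id regeneration discussed elsewhere in the thread still apply.

```php
<?php
// Added example, not from the thread: PDO-backed session storage in a MySQL
// MEMORY table. Assumed schema (constructed for this example):
//
// CREATE TABLE sessions (
//     id          VARBINARY(128)  NOT NULL PRIMARY KEY,
//     data        VARBINARY(4096) NOT NULL,   -- MEMORY tables need fixed-width columns
//     last_access INT UNSIGNED    NOT NULL,
//     INDEX (last_access)
// ) ENGINE=MEMORY;
declare(strict_types=1);

final class MysqlSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Prepared statement: the session id comes from the client cookie and is untrusted.
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetchColumn();
        return $row === false ? '' : $row;   // '' tells PHP "no such session"
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (id, data, last_access) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE data = VALUES(data), last_access = VALUES(last_access)'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Garbage collection: drop rows idle longer than session.gc_maxlifetime.
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE last_access < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Register the handler before session_start(). Credentials are placeholders.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=cms', 'cms_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
session_set_save_handler(new MysqlSessionHandler($pdo), true);
session_start();

// The "users online" figure the reply mentions: sessions touched in the last 5 minutes.
$online = (int) $pdo
    ->query('SELECT COUNT(*) FROM sessions WHERE last_access > UNIX_TIMESTAMP() - 300')
    ->fetchColumn();
```

One operational caveat worth knowing before choosing the MEMORY engine: its rows live only in RAM, so a MySQL restart empties the table and logs every user out at once, which is the price of the speed the reply describes.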
This is a fantastic link. I've been looking for something like this page for a little while. Great resource!
This looks very interesting. I cannot understand what it is trying to explain though. We want to use regenerate_id() at what point in time? If I understand this correctly, when the user goes to log in and the new session vars are set, regenerate_id() should be used after the data is set so that this newly set information is found only with the new session id. If the attacker visits the site from the old session id, it is simply another logged out account. Is my understanding of this correct?
session_regenerate_id will create a new session id and keep the stored session data intact. However, regenerating a new session id for each request will put extra load on the server. If someone is already eavesdropping on your traffic between your browser and webserver, they will also see the new id every time. My personal choice would be generating a new session id if the user goes to a more secure area, like moving from http to https pages.
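Putting the thread together (the login-plus-20-minute-timer design from the question and the advice to regenerate the session id at the point of login rather than on every request), here is an added example login script that is not code from anyone in this thread. It assumes PHP 8.1 or later and stands in a constructed single-user lookup (verify_credentials) for the CMS's real user table; the function names, the redirect paths and the 'Strict' SameSite choice are mine. Calling session_regenerate_id(true) right after the credentials check means any id an attacker planted or observed before login never becomes an authenticated session, which is the point the earlier replies were making.

```php
<?php
// Added example, not from the thread: login with id regeneration at the
// privilege change and a 20-minute inactivity timeout, as in the question.
declare(strict_types=1);

const INACTIVITY_LIMIT = 20 * 60; // seconds; the 20-minute timer from the question

// Cookie hardening must happen before session_start().
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,       // only sent over HTTPS
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Strict',   // not sent on cross-site navigations
]);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
session_start();

/** Constructed stand-in for a real user lookup; replace with the CMS's user table. */
function verify_credentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        // Constructed test user; a real deployment reads the hash from storage.
        $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

/** Successful authentication is the privilege change where the id must change. */
function login(string $user): void
{
    session_regenerate_id(true);           // true: delete the old session file/row
    $_SESSION = [];                        // drop anything set before authentication
    $_SESSION['user']          = $user;
    $_SESSION['last_activity'] = time();
}

/** Run at the top of every admin page: resets the timer or logs the user out. */
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        logout();
    }
    $last = (int) ($_SESSION['last_activity'] ?? 0);
    if (time() - $last > INACTIVITY_LIMIT) {
        logout();                          // idle for more than 20 minutes
    }
    $_SESSION['last_activity'] = time();   // activity resets the timer
}

/** Clear server-side data and the client cookie, then send the user to the login form. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /login.php');
    exit;
}

// Handle the POST from the login form described in the question.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    if (verify_credentials($user, $pass)) {
        login($user);
        header('Location: /admin/index.php');
        exit;
    }
    http_response_code(401);
    echo 'Invalid credentials';
}
```

Each admin page would include this file and call require_login() before emitting anything. If you later add a step-up boundary of the kind the last reply describes (for example moving the user into an https-only area), call session_regenerate_id(true) again at that boundary rather than on every request.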