What is Session Hijacking? Can sessions be hacked/hijacked ?

Discussion in 'PHP' started by eritrea1, Sep 1, 2012.

    #1
    Hi everyone.
    I just read on stackflow that there is something called session hijacking, and I was worried that I did not know enough about it because my sites use sessions for logging users in/out without any cookies.
    Basically the session goes like:
    
    session_start();
    
    // Returns true when the user has already been marked as logged in.
    // Wrapped in a function so the return statements are valid PHP;
    // empty() already implies isset(), so a single check is enough.
    function isLoggedIn() {
        return !empty($_SESSION['logging']);
    }
    
    So, this is the session I use to log in users after authentication. And I don't know if this is vulnerable or not, because I never allow cookies, just sessions only.


    So, what is your view on this? How do I make this script more secure?
     
    eritrea1, Sep 1, 2012 IP
  2. deathshadow (Acclaimed Member)
    #2
    1) Hate to break it to you, but $_SESSION uses cookies to work -- a cookie called PHPSESSID

    Common misconception about that.

    2) Session jacking just involves 'faking' all the information needed for a session, which in most cases is just IP address (easy if you're sharing wireless) and the PHP cookie... you can also if you can get the browser to redirect to certain types of getData or directory based commands simply get a user to visit a website, and poof you can send commands remotely using their permissions.

    But really, if they can sniff the needed data, or use the 'man in the middle' approach, there's not a lot you can do about it. You can add more information like user agent strings to slow down such attacks, but to be brutally frank, HTTP is just not that secure... cookies, sessions, tracking -- it's all a sham. HTTPS improves the situation slightly, but it's just as vulnerable.

    Part of why I still say if it's something THAT important, what the blazes is it doing online?
     
    deathshadow, Sep 1, 2012 IP
  3. ThePHPMaster (Well-Known Member)
    #3
    95% of the time you are using sessions, you are also using cookies. Sessions need to be passed from one page to another, and the majority of sites/scripts use cookies. The only script I have seen up to now that does it the other way, passing it as a variable via the URL, is OsCommerce.

    If you do not pass the session Id via the URL and the cookie does not exist, session_start() will automatically generate a new session.

    Session Hijacking is the process of getting that Id and then using it. For example, a logged in admin has session XYZ. You will hijack their session by either placing that Id in the cookie (by using a cookie editor) if the sessions are stored in cookies, or by appending it to the URL if you are passing sessions via the URL.

    Now the question you have is: how can I get the session Id for the user? If you don't have the session, you can't hijack it. There are tons of ways to get a session for the user, including but not limited to:

    1) Users post the link to the page that includes the session Id not knowing the risk on forums, chats, etc..
    2) HTML, CSS, JS (etc.) exploits. For example, you are not safe displaying your search string in your search box (when it is coming from user input - either POST/GET). I will put the search term to be JS code that will redirect the user to my PHP page with the session Id. I will spread that link to users, and if someone happens to click on that link I created, their session will come to me if they are indeed a user of that website and are logged in.

    There are many techniques for stopping session hijacking; some of the methods I use:

    1) Create your own session Ids, which are composed of special user entities - like IP, browser agent, etc. On every load, check if that data still matches the user's current data. So if someone hijacks my session, they would need to be using the same OS, the same browser, be on the same IP, and have the same system bitness.
    2) On high-security websites like banking, expire sessions after x minutes of inactivity.
     
    ThePHPMaster, Sep 1, 2012 IP
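The countermeasures listed in post #3 (binding the session to client properties such as IP and user agent, and expiring it after inactivity), together with the PHPSESSID cookie transport that post #2 points out $_SESSION depends on, as an added PHP example. This is not code from any post in this thread. The function names (secure_session_start, login_user, is_logged_in), the $_SESSION keys 'fingerprint' and 'last_activity', the 15-minute limit, and the assumption that the site is served over HTTPS (needed for session.cookie_secure) are this example's own choices; it also goes beyond the post by calling session_regenerate_id() at login, which is the standard defence against an id that was planted or captured before authentication. It targets PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 and an HTTPS site.

// --- Transport hardening for the PHPSESSID cookie (must run before session_start) ---
ini_set('session.use_only_cookies', '1'); // never accept ?PHPSESSID=... from the URL
ini_set('session.use_trans_sid', '0');    // never append the id to generated links
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue itself
ini_set('session.cookie_httponly', '1');  // page scripts cannot read the cookie
ini_set('session.cookie_secure', '1');    // cookie is only sent over HTTPS (assumption)

const INACTIVITY_LIMIT = 15 * 60; // seconds of inactivity before the session is dropped (assumed value)

// Properties that should stay constant for one client during one session.
// The IP is included as in post #3; mobile users and proxy pools can change IP
// mid-session, so some sites bind to the user agent only.
function client_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

// Wipe the server-side data, expire the cookie, and start a fresh, empty session.
function reset_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    session_start();
    session_regenerate_id(true); // do not reuse the id the client just presented
}

// Call once at the top of every page instead of a bare session_start().
function secure_session_start(): void
{
    if (session_status() !== PHP_SESSION_NONE) {
        return;
    }
    session_start();

    // Binding check: the same id presented by a different client is discarded.
    if (isset($_SESSION['fingerprint'])
        && !hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        reset_session();
    }

    // Inactivity timeout, as used on banking-style sites.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > INACTIVITY_LIMIT) {
        reset_session();
    }

    $_SESSION['last_activity'] = time();
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = client_fingerprint();
    }
}

// Call only after the password check succeeds.
function login_user(int $userId): void
{
    session_regenerate_id(true); // new id at privilege change
    $_SESSION['logging']       = true;
    $_SESSION['user_id']       = $userId;
    $_SESSION['fingerprint']   = client_fingerprint();
    $_SESSION['last_activity'] = time();
}

function is_logged_in(): bool
{
    return !empty($_SESSION['logging']);
}

// Typical page usage:
secure_session_start();
if (!is_logged_in()) {
    header('Location: /login.php'); // assumed login page path
    exit;
}
```

The ini_set() calls stop the id from ever travelling in the URL (the OsCommerce-style leak described in post #3) and keep it out of reach of page scripts, while use_strict_mode makes PHP refuse an id it did not generate. The fingerprint check and the inactivity limit implement the two methods from post #3; a mismatch or a timeout does not just log the user out but discards the presented id entirely, so a captured id cannot be replayed into a fresh session.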