  1. #1
    SitePoint Zealot

    sessions and security

    I think improper session handling may have allowed someone to access the admin functions of a survey. The survey script uses session cookies like many other scripts. I got it from Yahoo web hosting and made an assumption that they ensured that the script was secure. My # 1 mistake...making an assumption.

    I had two active surveys on my site yesterday. Today when I checked, both surveys had been deleted.

    I looked through my access logs and found several places where the admin directory had been accessed by ip addresses that could not have been mine.

    My question is this: If I forget to log out, can the sessions be easily hijacked to allow someone to access functions that only I should have access to?

    Al

  2. #2
    Worship the Krome kromey's Avatar
    There really is nothing "easy" about session hijacking, but if you forget to log out then yes, you are making it simpler to hijack your session by allowing a larger attack window.

    Some basic tips for securing your sessions:
    1) Make sure you are using only cookies - session IDs in the URL are just begging for a hijacking.
    2) Set your session expiration to be as short as is convenient. I set my admin-related expirations at 5 minutes or even shorter.

    Additionally, if you can know for certain that those using your sessions will not be changing IP during a session, use that as a secondary check, i.e. tie each session to a particular IP address and kill it if another IP tries to use it.
    PHP Code:
    // start (or resume) the session once, at the top of every script
    session_start();

    // upon login, assign the client's IP address to a session variable
    // ($_SERVER['REMOTE_ADDR'] holds the IP; REMOTE_HOST is the reverse-DNS
    // name and is usually unset, so comparing it would pass trivially)
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];

    // on each page, verify the IP address matches the one recorded at login
    if (!isset($_SESSION['ip']) || $_SESSION['ip'] !== $_SERVER['REMOTE_ADDR']) {
        die("Possible hijacking attempt!!");
    }
    Note that there are many clients out there behind dynamic hosts who will appear to "hop" from one IP address to another. I've seen some systems that will lock a session to an IP's subnet (based on the standard Class A, B, and C subnet definitions), which should still allow those clients to log in; others make it a user-configurable preference to "lock" the session to the current IP address (LiveJournal used to do this; MozillaZine does this).

    Most often what appears to be session hijacking is in fact a compromised username/password pair. Change your password, and if the problems cease that was likely the cause. Beware of XSS and social engineering attacks, and secure your site against XSS and educate your users about the risks of social engineering.
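The tips in the post above (cookies only, a short admin timeout, and an IP lock relaxed to the subnet for clients on dynamic hosts), together with the shared session directory concern raised later in the thread, put together as one added example. This is not code from the thread or from the survey script; the session directory path is a placeholder.

```php
<?php
// Added example: session hardening for an admin area. Assumes a writable
// directory outside the web root (placeholder path below) and PHP 7.3+.

// Keep session files out of the host's shared default directory.
session_save_path('/home/example/private_sessions');   // placeholder
// Tip 1: cookies only, never session IDs in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.cookie_httponly', '1');   // keep the cookie away from script (XSS)
ini_set('session.cookie_secure', '1');     // send it over HTTPS only
ini_set('session.cookie_samesite', 'Strict');

const ADMIN_IDLE_LIMIT = 300;   // Tip 2: five minutes of inactivity

session_start();

// Compare two IPv4 addresses on their /24 (old "class C") prefix so a client
// hopping between addresses on one dynamic subnet is not thrown out.
function same_subnet24(string $a, string $b): bool
{
    $pa = ip2long($a);
    $pb = ip2long($b);
    if ($pa === false || $pb === false) {
        return $a === $b;   // IPv6 or unparsable: fall back to exact match
    }
    return ($pa & 0xFFFFFF00) === ($pb & 0xFFFFFF00);
}

// Call once the username/password check has succeeded.
function login_success(): void
{
    session_regenerate_id(true);   // drop the pre-login ID (fixation defence)
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['last_seen'] = time();
}

// Call at the top of every admin page.
function require_admin_session(): void
{
    $ok = isset($_SESSION['ip'], $_SESSION['last_seen'])
        && same_subnet24($_SESSION['ip'], $_SERVER['REMOTE_ADDR'])
        && (time() - $_SESSION['last_seen']) <= ADMIN_IDLE_LIMIT;
    if (!$ok) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session invalid or expired; please log in again.');
    }
    $_SESSION['last_seen'] = time();   // sliding idle timeout
}
```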

  3. #3
    SitePoint Zealot
    Thanks for the pointers! I have some work to do!
    Al

  4. #4
    SitePoint Wizard silver trophy
    I've never used Yahoo's hosting so I don't know if this is the case, but most shared hosts have session files all saved in the same dir. Your session files are mixed with all the other websites' session files on the same machine. This also means that other people can freely read/write/delete/create YOUR session files. (Off topic, but this often comes along with them being able to read your PHP files too. Yup, your DB user/pass is there for the picking.)

    Anyway,
    so...if I had a hosting account with Yahoo, and I knew I was on the same server as you (that might not be too far-fetched, there are many ways to find out), I might be able to control the contents of your sessions.

    But it's probably more likely there is a security hole in:
    that script
    another script on your site
    maybe another site known to be on your server
