SitePoint Sponsor

User Tag List

Results 1 to 10 of 10
  1. #1
    SitePoint Addict itsource's Avatar
    Join Date
    Jun 2001
    Location
    Thailand
    Posts
    369
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Session hijacking

    Next week, I will present my project about web security with my advisor. I have many question with session hijack

    1. If I login in some website and url is http://www.somewebsite.com/staff.php...45678910abcdef

    if someone use sniffer to sniff this url and enter this url. So he can use my session and act as me in this session. Is this call Session hijack?

    2. if 1 is session hijack. If http://www.somewebsite.com/staff.php not pass session ID in url but keep Session ID in cookie on client (Which keep in memory not text file). In this situation, If intruder want to hijack session. Is intruder must have session ID in his computer's memory. Is it possible to do?

    3. in 1. someone use sniffer to sniff url and get http://www.somewebsite.com/staff.php...45678910abcdef but if this site use ssl , Is intruder can sniff and get url http://www.somewebsite.com/staff.php...45678910abcdef and act as me?

    4. I test by login into hotmail and yahoo mail. when I already login and click to inbox. I copy url in inbox page

    http://us.f144.mail.yahoo.com/ym/log...=4pr0eksnhfbc4
    and
    http://lw15fd.law15.hotmail.msn.com/...6ff083f01ad68f

    I sent this url to my frient and ask he to open it. but when he open this url. he get login form not inbox page.
    How these site make session secure?
    I live in Thailand. My English grammar not well.

  2. #2
    SitePoint Guru
    Join Date
    Apr 2001
    Location
    BC, Canada
    Posts
    630
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    a session isnt always displayed in your url

    u can be at "http://www.somesite.com/adduser.php3"
    and you can still have a session going saying that your are authorized, regardles if you have anything in the url

  3. #3
    SitePoint Addict kunal's Avatar
    Join Date
    Oct 2000
    Posts
    307
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    session hijacking... i really dont understand how this works... can some one explain this to silli old me?
    i dunno...

  4. #4
    SitePoint Addict itsource's Avatar
    Join Date
    Jun 2001
    Location
    Thailand
    Posts
    369
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Session can pass in url like this forum.

    If user enable cookie. Session ID can save in cookie. but If user disable cookie, so session can pass in URL.
    I live in Thailand. My English grammar not well.

  5. #5
    SitePoint Enthusiast Goldfinger's Avatar
    Join Date
    Dec 2001
    Posts
    70
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    yes but the sessions expire after 300 or 180seconds of inactivity (forgot which was the default value) so the hacker would have to have the session name quickly.

  6. #6
    Talk to the /dev/null Theiggsta's Avatar
    Join Date
    Mar 2001
    Location
    Tampa, FL
    Posts
    376
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Session "Hijacking" is when another user gains access to another users session.

    However there cna be steps taken to stop this by using and verifying cookies and checking this against a session database. Expiring sessions allows for better security as well and minimizes the risk of hijacking.
    Aaron "Theiggsta" Kalin
    Pixel Martini
    Ruby and Rails Developer

  7. #7
    SitePoint Enthusiast Daniel287's Avatar
    Join Date
    Dec 2004
    Location
    Gold Coast, Australia
    Posts
    42
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    wat iz sesshon?? pleeze explane

  8. #8
    SitePoint Enthusiast
    Join Date
    Dec 2004
    Location
    Johannesburg
    Posts
    52
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Point 3: SSL does make your session safer. All data between client and server (including session info) is encrypted.

    Point 4: I think hotmail and yahoo probably also log your IP address when you loggin. When your friend tries to use the same URL, it doesn't work because he has a different IP address.

  9. #9
    SitePoint Guru
    Join Date
    Nov 2004
    Location
    Parry Sound, ON
    Posts
    725
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    1. Yes
    2. If he can sniff the URL you're trying to GET, he can sniff your cookies and anything else in your headers as well.
    3. He would have to both sniff your transmission and break the encryption.
    4. I imagine that happens because cookies are used to store other information about the session on your computer, such as a hash related to the session ID, which of course your friend's browser doesn't have. It could also be that the session simply expired.

    I recommend using FireFox with the LIveHTTPHeaders extension to look at what these sites and your browser are actually sending back and forth.

  10. #10
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Just a little note: sessions aren't necessarily displayed in the url.

    They will be if PHP detects that the user disabled cookies. In this situation, PHP will automatically add the sessionID as a query string variable.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •