  1. #1
     YuriKolovsky

    session hijacking prevention with tokens, what am i missing here?

    I am researching session hijacking; so far I have read this line of code 5 times (or variations of it):
    Code PHP:
    <?php
      // The session must exist before $_SESSION can be written to.
      session_start();

      // Generate a value meant to be unpredictable and keep it in the session.
      $token = md5(uniqid(rand(), TRUE));
      $_SESSION['token'] = $token;
    ?>

    The idea behind it seems to be that if I add a token (an unpredictable value) to the session, then a session hijacker who stole my session (by cookie theft, for example) will not be authenticated because his token is incorrect.

    Now, as far as I understand, session data is stored on the server, and only the session ID is stored on the client (usually in a cookie), so if this cookie is stolen, the hijacker will automatically inherit the token, rendering its (the token's) protection useless...

    What am I missing here?!

  2. #2
     felgall
    That code doesn't prevent session hijacking. It does serve other purposes relating to security of data but not if the session itself is hijacked.
    Stephen J Chapman

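The point made in posts #1 and #2, as an added example that is not part of the thread: the script below models the server-side session store as a plain array keyed by session ID, so it runs from the command line without a web server, and then shows the measures that do reduce hijacking risk. The store layout, the function names (newSessionId, login, handleRequest, rotateSession, secureSessionStart) and the user "alice" are assumptions made for this example; only secureSessionStart uses PHP's real session API, and it is written for a web request (PHP 7.3 or later for the array form of session_set_cookie_params), not invoked by the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The server-side store stands in for
// PHP's own session handler: a browser only ever holds the ID (the PHPSESSID
// cookie); the data behind it, token included, never leaves the server.
$store = [];

function newSessionId(): string
{
    // 128 bits from the CSPRNG; rand()/uniqid() as used in post #1 are predictable.
    return bin2hex(random_bytes(16));
}

// Login as in post #1: create a session and drop an unpredictable token in it.
// Returns the session ID, which is what the Set-Cookie header would carry.
function login(array &$store, string $user): string
{
    $sid = newSessionId();
    $store[$sid] = [
        'user'  => $user,
        'token' => bin2hex(random_bytes(16)), // same role as md5(uniqid(rand(), TRUE))
    ];
    return $sid;
}

// A request: whoever presents a valid session ID gets that session, token and all.
// The "token check" from the articles compares server-side data with itself,
// so it cannot fail for a hijacker who holds the ID.
function handleRequest(array $store, string $cookieSid): string
{
    if (!isset($store[$cookieSid])) {
        return 'no session';
    }
    $sess = $store[$cookieSid];
    $expected = $sess['token']; // the only copy of the token is the one in the session
    if (!hash_equals($expected, $sess['token'])) {
        return 'token mismatch'; // unreachable: both values come from the same record
    }
    return 'authenticated as ' . $sess['user'];
}

// What does help: re-key the session (what session_regenerate_id(true) does)
// at login and on privilege changes, so an ID captured earlier stops resolving.
function rotateSession(array &$store, string $oldSid): string
{
    $newSid = newSessionId();
    $store[$newSid] = $store[$oldSid];
    unset($store[$oldSid]);
    return $newSid;
}

// Real-PHP counterpart for a web request handler (not called by the CLI demo):
// keep the ID away from script access and plaintext HTTP, and rotate it on login.
function secureSessionStart(): void
{
    session_set_cookie_params([
        'secure'   => true,     // cookie is sent over HTTPS only
        'httponly' => true,     // not readable through document.cookie
        'samesite' => 'Strict',
    ]);
    session_start();
    session_regenerate_id(true); // fresh ID; the old session record is deleted
}

// --- Demo with constructed data ---
$victimCookie = login($store, 'alice');
$stolenCookie = $victimCookie; // e.g. copied from document.cookie by an XSS payload

// Victim and attacker present the same ID, so both are served alice's session;
// the token in it cannot tell them apart.
echo "victim:   ", handleRequest($store, $victimCookie), "\n";
echo "attacker: ", handleRequest($store, $stolenCookie), "\n";

// After rotation the victim continues; the copied ID no longer resolves to anything.
$victimCookie = rotateSession($store, $victimCookie);
echo "victim after rotation:   ", handleRequest($store, $victimCookie), "\n";
echo "attacker after rotation: ", handleRequest($store, $stolenCookie), "\n";
```

Rotation only closes the window for an ID stolen before the rotation point; an ID stolen afterwards is still good until logout or timeout, which is why the cookie flags and short idle timeouts matter alongside it.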

  3. #3
     YuriKolovsky
    Thanks for informing me. I knew that it did not prevent it; now I wonder why it's mentioned so often in session theft prevention articles...

    Quote (felgall): "It does serve other purposes relating to security of data"
    What purpose does it serve?
