Session hijack

Server Config
1

I have a login page, with correct credentials I set a session variable and redirect to the index page


$_SESSION['isLoggedIn'] = true;
header('Location: index.php');
die();

and the index page first checks to see if $_SESSION[‘isLoggedIn’] is set, if yes the page loads, if no redirect back to the login page.

Since the page I am protecting with a log in form is accessed with a session variable, can the page be accessed via session hijacking? If it can what can I do about it?

Thanks

2

Through an SSL connection I don’t believe this can be hijacked.

3

What about without an SSL connection

4

Well, without SSL any traffic can actually be monitored over a network.
What are you using this code in that it would be “under a possible hack” though?

5

Not sure I understand you’re question. It’s just a log in form. Just want to make sure my log in logic is not open for a session hijack.

6

The very beginning of your code should start with <?php session_start(); … and don’t set sessions outside of that runtime loop.
It is good practice to set all your sessions in the main index file when starting each application page. This way the correct domain sets the session.
Hope this makes sense.

7

ok. one more question.

on login.php, with correct username and password, this code runs:


$_SESSION['isLoggedIn'] = true;
header('Location: index.php');
die();

so login.php creates $_SESSION[‘isLoggedIn’] and redirects to index.php. index.php checks to see if $_SESSION[‘isLoggedIn’] is set, if yes the page loads, if no index.php redirects back to login.php.

I don’t know much about session hijacking, but is it possible for someone to just create $_SESSION[‘isLoggedIn’] via some sort of session hack which would allow access to index.php, effectively by passing the login form?

8

It’s not as easy as you think just hijacking a session if you don’t know what the session name / id is. What I would do is rather set the session variable to a string, not a boolean value as then it’s even harder to tell the contents.

e.g.
Boolean can only be true or false, so if I figure out your session name, in this case “isLoggedIn” then all I have to do is set it as true or false and I’m in! … But if it were a string that was set to say: $_SESSION[“isLoggedIn”] = “useraccountidgoeshere”; then when it will take me a LOT longer to stumble on that value if I were hacking it in. Remember that you also don’t want to have standard values like “1”, “2”, or “3”, rather have base64encoded versions or anything really.

Understand?

9

Makes sense. How would one begin to hijack a session?