views: 74

answers: 1
There is a nice article on devzone about avoiding identity theft. However it was written before Zend_Session_Validator_HttpUserAgent came in.

How do I use Zend_Session_Validator_HttpUserAgent?

Zend_Session::registerValidator(new Zend_Session_Validator_HttpUserAgent());
Zend_Session::rememberMe();

Is that all?

A: 

It looks like this function is a part of a family of classes that do this:

This method should be used to retrieve the environment variables that will be needed to 'validate' a session.

This is so stupid it hurts. When your session is hijacked using XSS it will probably be sent as a GET request. The incoming HTTP request will contain the USER_AGENT, as well as many other "environment variables" that the attacker can control.

Calling this approach a waste of time is an understatement. This is not a security feature, and sessions can never be protected in this way.

If you want to protect your sessions, scan for XSS, patch CSRF, use HTTPS for the entire session. Read the OWASP Top 10 for 2010, especially A3: "Broken authentication and session management."

Rook
takeshin
The $_SESSION['REMOTE_ADDR'] is the only thing the attacker cannot influence, and therefore is the only comparison that will add any security to the system. However, this breaks some corporate load balancing which will send traffic out on an arbitrary IP. There is no point in checking any other value, the attacker is going to try and just do a "javascript:document.cookie='whatever'", and when that doesn't work he'll change his headers using Tamper Data or whatever until it works. Checking the user agent gives you 0% security.
Rook
@takeshin User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/59 or go to about:config in your address bar.
Rook
takeshin
@takeshin I disagree, this system does not prevent the session from being stolen, no matter the condition. Thus it is 0%. An attacker could just forge the entire header by default because of completely broken security systems like the one you are describing.
Rook
@The Rook Anyway, I still haven't seen the example usage for the validator I was asking for :)
takeshin
@takeshin Yeah, I haven't heard you speak of a security system that stops attacks.
Rook
if($_SESSION['USER_AGENT']!=$_SERVER['spoofed_USER_AGENT']){die('hacker');}
Rook
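To make the thread's point concrete, here is an added example (not code from the question, the answer, or Zend Framework) that imitates the setup-then-validate pattern a session validator follows, fed with constructed request arrays instead of a live $_SERVER and $_SESSION. The `RequestValidator` interface, `ServerKeyValidator` class and `runCheck()` helper are hypothetical names chosen for the example; it runs the same check once keyed on HTTP_USER_AGENT and once on REMOTE_ADDR to show which comparison actually rejects a replayed session id from a different client that copied the victim's User-Agent header.

```php
<?php
// Added example: a minimal stand-in for the setup()/validate() pattern the answer
// quotes, driven by constructed request arrays rather than a real session store.

// Hypothetical interface: setup() records a request value when the session is
// established, validate() compares it on later requests.
interface RequestValidator {
    public function setup(array &$session, array $request): void;
    public function validate(array $session, array $request): bool;
}

// Compares one $_SERVER-style key. Which key is chosen decides whether the
// check means anything: header values are set by the client, REMOTE_ADDR is not.
final class ServerKeyValidator implements RequestValidator {
    private string $key;

    public function __construct(string $key) {
        $this->key = $key;
    }

    public function setup(array &$session, array $request): void {
        $session['valid_' . $this->key] = $request[$this->key] ?? '';
    }

    public function validate(array $session, array $request): bool {
        return isset($session['valid_' . $this->key])
            && hash_equals($session['valid_' . $this->key], $request[$this->key] ?? '');
    }
}

// Constructed requests. $victim establishes the session; $replay presents the
// same session id from another address with an identical User-Agent string.
$victim = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/3.6'];
$replay = ['REMOTE_ADDR' => '203.0.113.9',  'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/3.6'];

// Returns true when the validator accepts the replayed request.
function runCheck(RequestValidator $v, array $victim, array $replay): bool {
    $session = [];
    $v->setup($session, $victim);           // value stored at the legitimate login
    return $v->validate($session, $replay); // compared on the replayed request
}

$byAgent = runCheck(new ServerKeyValidator('HTTP_USER_AGENT'), $victim, $replay);
$byAddr  = runCheck(new ServerKeyValidator('REMOTE_ADDR'), $victim, $replay);

printf("User-Agent check accepts replayed session: %s\n", $byAgent ? 'yes' : 'no');
printf("REMOTE_ADDR check accepts replayed session: %s\n", $byAddr ? 'yes' : 'no');
```

The address comparison is the only one that fails for the replay, which is the trade-off the comments describe: it is also the one that breaks for users whose outbound IP changes mid-session.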