views:

82

answers:

2

Reading through the many questions regarding session hijacking here on Stack Overflow, I've gathered that the only 'solution' to validating a user's session is by checking the user agent, which is such a weak layer of protection that I don't even bother to implement it.

So, I was wondering what solutions you guys have implemented? Are you even using PHP's native sessions or is there a more secure solution?

A: 

Simply log the user out if the request has a different IP and/or hostname. As for people with dynamic IPs - well, logging in again is not that much of a problem.

Obviously the "right" way of dealing with it is implementing SSL.

Robus
Logging the user out when changing IPs will make trouble for AOL users, whose web gateway frequently switches IP addresses (if they still do that; they definitely did 2-3 years back).
Pekka
In that case, you could check the hostname if it's in any way related to AOL and ignore the IP for a while.
Robus
Throwing the user off their session simply because they are behind a proxy farm network doesn't seem like a solid solution.
soren.qvist
Well, other than that there's only SSL. Unless you want to add some hidden GET/POST values or additional cookies, but that's a rather vague way for additional security.
Robus
Meh, this can be bypassed. Read my post.
Rook
+2  A: 

You don't need the session id in order to hijack a session. An XSS attack can go 1 of 2 ways. The most common is to read document.cookie and send it to a remote server (this request will also contain the victim's USER_AGENT, so checking this value is a complete and total waste of time as it doesn't prevent any attack whatsoever). A cool security method developed by Microsoft is called HTTPOnly Cookies, and most browsers support this security feature.

HTTPOnly Cookies and checking the client's IP address don't stop all session hijacks. In fact, if the attacker has an XSS vulnerability he can just forge requests using XHR on the victim's browser and therefore wouldn't need to know the value of the cookie.

At the end of the day, in order to stop session hijacking you need to plug the vulnerabilities in your web application. Most importantly you need to prevent "Session Riding", which is also known as CSRF. You also need to prevent XSS vulnerabilities; Acunetix free edition is a good tool for finding them. Last but certainly not least, you must read the OWASP A3: Broken Authentication and Session Management. A common violation of OWASP A3 is that people don't use HTTPS for the entire session. At no point can you spill the value of the cookie over HTTP; this has the exact same impact as if you spilled the username/password. If a hacker is sniffing the traffic he will have immediate access to your site.

Rook
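The measures from the answer above (HttpOnly and HTTPS-only session cookies, a fresh session ID at login, and a CSRF token against session riding) applied to PHP's native sessions, as an added example that is not code from either answer. It assumes PHP 7.3 or later, a site served only over HTTPS, and an existing password check that calls the assumed `on_successful_login()` helper.

```php
<?php
// Added example: hardening PHP's native sessions along the lines discussed
// above. Assumes PHP 7.3+ and that the site is served only over HTTPS.

// Reject session IDs the server did not issue, so a fixated or guessed ID
// never becomes a valid session.
ini_set('session.use_strict_mode', '1');

// Cookie flags: Secure keeps the cookie off plain HTTP, HttpOnly keeps it out
// of document.cookie, SameSite=Lax blunts cross-site request riding.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Assumed helper, called after a successful password check: a fresh ID means
// any session ID captured before login is worthless afterwards.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Embed in every state-changing form as a hidden field named "csrf_token".
function csrf_field(): string
{
    $token = $_SESSION['csrf_token'] ?? '';
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Verify on every POST before acting; hash_equals avoids timing leaks.
function csrf_token_is_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_token_is_valid($_POST)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```

The cookie flags only help if the whole site is HTTPS: a single page served over plain HTTP would let the browser send nothing (Secure) or, without the flag, leak the cookie exactly as the answer warns.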