What's the way the logout hashes are usually handled in php?

On a lot of sites there are usually logout hashes to confirm that the user who is logging out is the correct user. How is this usually handled?

Examples

http://domain.com/user/logout/nil4ytwojytjwoytjwy5tw5

nil4ytwojytjwoytjwy5tw5 being the hash


Just an update of my research so that others can see how this works.

I figured out that this type of attack is mainly used with zero-byte images and iframes and such.

If you're logged into SITE A and you're also browsing SITE B, SITE B could place, let's say, an image tag:

<img src="http://SITE_A.com/logout/" width="1" height="1" style="display:none" />

and because the request has actually come from the legitimately logged-in user, the request is processed.

By adding a validation value to important forms, such as transfer account, logout etc., the hacker cannot get this value and therefore the request would not be executed!

Thanks for your help

A:

This is to stop CSRF. The value is a "CSRF token", which is a cryptographic nonce (random number) that is stored as a session variable. It is checked to make sure that the request originated from the same site and was not forged from an attacker's site.

Rook
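The token scheme described in the answer, as an added PHP example (not code from the question or the answer). It assumes a session-backed PHP 7+ site and that this script is the logout endpoint; the `csrf_token` session key and the `/user/logout` path are placeholders.

```php
<?php
// Added example, not from the original question or answer.
// Assumes PHP 7+ (random_bytes, hash_equals) and a session-backed site.
session_start();

/** Return the per-session CSRF token, generating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: another site cannot guess or read it.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of a submitted token with the session's token. */
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Rendering the logout control on a page the user is viewing ---
// A POST form is preferable to a GET link: a GET is exactly what a hidden <img>
// on another site can trigger. The token plays the role of the "hash" in the URL.
function logout_form_html(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/user/logout">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Log out</button></form>';
}

// --- Handling the logout request ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        // A forged request from SITE B carries no valid token: it cannot read SITE A's session.
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}
echo logout_form_html();
```

The token is compared with `hash_equals` rather than `==` so that a mismatch does not leak timing information about how many leading characters matched.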
so there's no difference to a regular form validation hash?
RobertPitt
@RobertPitt shouldn't be; it doesn't matter if the random value is generated with a message digest function or by other means. In fact it could be a hash in a different base; it doesn't look that random, it has a lot of repeat chars...
Rook
Is CSRF related to session hijacking? If so, I have implemented session hijacking prevention tactics! Have you got any guides on how CSRF is done, so I can get a better understanding of it?
RobertPitt
@RobertPitt No, I think they are distinct. Also OWASP has them separated. Session hijacking is more about obtaining a victim's session id and using it to authenticate. CSRF is forcing the victim's browser into making requests for you. First I would read the Google Browser Security Handbook, then I would read the OWASP pages on these attacks.
Rook
thanks so much for your help, and I'm sure Google's Chrome handbook would be a great start
RobertPitt
@RobertPitt it's all popular browsers, not just Chrome. They break down the rules for each one.
Rook
I've just read an article that states that Firefox does not prevent this by default, and Google has stated that they do by placing each tab into its own "zone" / "process", but obviously I'll be reading more on that matter.
RobertPitt
@RobertPitt you can't have an auto-defense against CSRF. No browser or web application firewall addresses the issue.
Rook
yea, this is why I said I would have to read more about it, because I didn't think that myself!
RobertPitt