tags:

views:

44

answers:

1
+3  Q: 

Logout hashes, how are they handled ?

What's the way the logout hashes are usually handled in php?

on a lot of sites there's usually logout hashes to confirm that the user that's logging out is teh correct user, how is this usually handled ?

Examples

http://domain.com/user/logout/nil4ytwojytjwoytjwy5tw5

nil4ytwojytjwoytjwy5tw5 being the hash

Just an update of my research so that others can see how this works.

I figured out that this type of attack is mainly used with xero-byte images and iframes as such.

if your logged into SITE A and your also browsing SITE B, SITE B cauld place lets say an image tag:

<img src="http://SITE_A.com/logout/" width="1" height="1" style="display:none" />

and because therequest has actually come from the legitimate logged in user, the request is processed.

by adding a validation value to important forms, such as transfer account, logout etc, the hacker cannot get this value and therefore the request would no be executed!

Thanks for your help

+1  A: 

This is to Stop CSRF. The value is a "csrf token" which is a cryptographic nonce (random number) that is stored as a session variable. It is checked to make sure that the request originated from the same site and not forged from an attacker's site.

Rook  2010-08-25 22:56:37
so there's no difference to a a regular form validation hash?
RobertPitt  2010-08-25 23:05:09
@RobertPitt shouldn't be, it doesn't matter if the random value is generated with a message digest function or by other means. In fact it could be a hash in a different base, it doesn't look that random it has a lot of repeat chars...
Rook  2010-08-25 23:06:41
Is CSRF Related to Session Hijacking ? if so I have implemented session hijacking prevention tactics! - have you got any guides on how CSRF is done, so i can get a better understanding of it ?
RobertPitt  2010-08-25 23:17:19
@RobertPitt No I think they are distinct. Also OWASP has them separated. Session Hijacking is more of obtaining out a victim's session id and using it to authenticate. CSRF is forcing the victim's browser into making requests for you. First i would read the Google Browser Security Handbook, then I would read the OWASP pages on these attacks.
Rook  2010-08-25 23:19:57
thanks so much for your help, and im shore google's chrome handbook would be a great start
RobertPitt  2010-08-25 23:22:23
@RobertPitt its all popular browsers, not just chrome. They break down the rules for each one.
Rook  2010-08-25 23:24:24
Ive just read an article that states that Firefox doe not prevent this by default and google has stated that they do by placing each tab into there own "zones" / "processes" but obviously ill be reading more on that matter.
RobertPitt  2010-08-25 23:26:10
@RobertPitt you can't have an auto-defense against csrf. No browser or web application firewall addresses the issue.
Rook  2010-08-25 23:38:26
yea, this is why i said i would have to read more about it, because I didn't think that myself!
RobertPitt  2010-08-25 23:43:38

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases