Hi
When you start a session for the first time, store remote host info and
validate it on subsequent accesses.
Tom
At 10:48 PM 28/06/01, [EMAIL PROTECTED] wrote:
>Hi adam!
>On Wed, 27 Jun 2001, adam (dahamsta) wrote:
>
> > [Please copy replies off-list.]
> >
> > I want to use PHP4 sessions for authentication, but I'm having difficulty
> > understanding how to get around users spoofing, stealing or linking
> > sessions.
> > Here's an example: Alice sends Bob a link from a site she's logged into.
> > Alice has cookies turned off in her browser, so the session id will be
> > in the URL she sends Bob. Eve intercepts the message, follows the link and
> > now she can take over Alice's session, and any data that is associated
> > with that session. For that matter, Bob can do the same thing.
> >
> > I can think of lots of ways around this, but most of them are kludges that
> > don't really cut it. I can store a second authentication value in a
> > cookie, but that would require cookies, which isn't acceptable. I could
> > propagate a second authentication variable in the URL, but that's a lot of
> > hassle and defeats the purpose of PHP sessions. I can check the
> > HTTP_REFERER to see if the user came from my own site, but that can be
> > spoofed. I can log and check the user's IP address, but that can't be
> > relied upon.
> >
> > Is there any reliable way around this? Am I missing something obvious?
> >
>there was a long and interesting thread on bugtraq @ securityfocus.com
>recently regarding this (it started w/ uploading images, I don't recall what
>the subject was, but you can figure some keywords to search for ;)
>
>Among proposed solutions was to send a ticket and validate it for each
>operation.
>
>Worth a search&read if you're a web developer.
>
>-- teodor
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]
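The two suggestions in this thread (bind the session to remote-host info at first use and re-check it on every request; issue a ticket and validate it per operation) sketched as one PHP script. This is an added example, not code posted by Tom, teodor or adam. It assumes PHP 7.1 or later (hash_equals, random_bytes, nullable types); SESSION_SECRET is a placeholder for a value you would load from configuration, and on_successful_login() stands in for whatever credential check the real application does.

```php
<?php
// Added example: bind a PHP session to a keyed fingerprint of the remote
// host at first access, re-validate it on every request, regenerate the id
// at login, and require a single-use ticket for state-changing operations.
// Assumes PHP >= 7.1. SESSION_SECRET is a placeholder, not a real secret.

const SESSION_SECRET = 'replace-with-a-long-random-value-from-config';

// Fingerprint from request attributes the server observes directly.
// Keyed with a server-side secret so a client cannot precompute it.
function client_fingerprint(array $server): string
{
    $parts = [
        $server['REMOTE_ADDR']     ?? '',
        $server['HTTP_USER_AGENT'] ?? '',
    ];
    return hash_hmac('sha256', implode("\n", $parts), SESSION_SECRET);
}

// True if the session is new (fingerprint just recorded) or still matches.
function validate_session_binding(array &$session, array $server): bool
{
    $current = client_fingerprint($server);
    if (!isset($session['fp'])) {
        $session['fp'] = $current;          // first access: record it
        return true;
    }
    return hash_equals($session['fp'], $current);   // constant-time compare
}

// Placeholder for the application's own login logic: on success, swap the
// session id so an id already known to someone else (e.g. one copied from
// a URL) no longer refers to the authenticated session.
function on_successful_login(array &$session, string $user): void
{
    session_regenerate_id(true);
    $session['user'] = $user;
}

// Per-operation ticket: issue, embed in the form or link, redeem once.
function issue_ticket(array &$session): string
{
    $ticket = bin2hex(random_bytes(16));
    $session['tickets'][$ticket] = time();
    return $ticket;
}

function redeem_ticket(array &$session, ?string $ticket, int $maxAge = 600): bool
{
    if ($ticket === null || !isset($session['tickets'][$ticket])) {
        return false;
    }
    $issued = $session['tickets'][$ticket];
    unset($session['tickets'][$ticket]);    // single use
    return (time() - $issued) <= $maxAge;
}

// ---- request handling ----
session_start();

if (!validate_session_binding($_SESSION, $_SERVER)) {
    // Fingerprint changed: treat as a possible hijack and drop the session.
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session does not match this client.');
}

if (isset($_POST['login'])) {
    on_successful_login($_SESSION, 'alice');   // after a real credential check
}

if (isset($_POST['action'])) {
    if (!redeem_ticket($_SESSION, $_POST['ticket'] ?? null)) {
        http_response_code(403);
        exit('Missing, reused or stale ticket.');
    }
    // ... perform $_POST['action'] for $_SESSION['user'] ...
}

// Emit a form carrying a fresh ticket for the next operation.
$ticket = htmlspecialchars(issue_ticket($_SESSION), ENT_QUOTES, 'UTF-8');
echo '<form method="post">';
echo '<input type="hidden" name="ticket" value="' . $ticket . '">';
echo '<button name="action" value="delete">Delete</button>';
echo '</form>';
```

The fingerprint check only helps when the person who follows the forwarded link differs from Alice in REMOTE_ADDR or User-Agent; behind a shared proxy or NAT it does not distinguish them, and a legitimate user whose address changes mid-session gets logged out, which is the unreliability adam already points out. The ticket protects individual operations, not reads of session data, so it does not stop Eve from viewing what the session exposes. Regenerating the id at login limits how long a leaked id stays useful but, with session ids in URLs, any later link Alice sends still carries the new one.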