Re: [PHP] RE: Protecting from session hijacking

Wed, 04 Jul 2001 09:12:49 -0700 

Ian Bagley pressed the little lettered thingies in this order...

> One thing which would prevent hijacks from simply guessing SIDS would be to
> add an md5 hash to the end of a url.... 
> 
> e.g.
> 
> If a page was:- doit.php?item=4&SID=237478
> 
> then append the url with the md5 of the url PLUS a secret key generated at
> the begining of each session:- i.e. add
> MD5("doit.php?item=4&SID=237478"."R4WED4TTE3") results in the new url
> like....
> 
> doit.php?item=4&SID=237478&EXTRA=GTW4YGSE52FD234WERW634DG5WE653WEF
> 
> ...then the browsed to page could easily verify if ANY details of the query
> string have been changed! This also pretects other info being changed such
> at in this example 'item'.
> 
> If a user changed the SID to anything else, even a perfectly valid active
> session it would result in the EXTRA key no longer being valid! and as they
> don't have access to the secret key they wouldn't be able to generate a new
> one! :) 
> 
> Obviously if someone copied the entire url including the extra bit then
> they would have access! but this solution does have the added benefit of
> preventing the valid owner of a valid session from changing other bits of
> the query string!
> 
> Ian

This thread isn't about "guessing" a session ID, it's about "stealing" a 
session ID.  The same asnwer applies to your response as to the 
original question.

There was a thread about this just a few days ago, but the answer for 
*most* applications is an astounding, "NO."  Unless you are running the 
entire transaction through SSL, any packet sniffer on the network can 
view, steal and use ANYTHING you send over the netowrk (including the 
value of a session ID that is being sent as a cookie value, the username 
and password for a telnet session, the username and password for an 
FTP session, etc). Packet sniffers are incredibly easy to find, get and 
use (even for "script kiddies"). If your session data is *that* vital, you 
should consider using SSL.

This is likely to be true as long as HTTP transmissions are stateless.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to