Wednesday 15 February 2012

security - PHP Session Fixation / Hijacking -

I'm trying to understand more about PHP session fixation & hijacking and how to prevent these problems. I've been reading the following two articles on Chris Shiflett's website:

Session Fixation
Session Hijacking

However, I'm not sure I'm understanding things correctly.

To help prevent session fixation, is it enough to call session_regenerate_id(true); after logging in? I think I understand that correctly.

He also talks about using tokens passed along in URLs via $_GET to prevent session hijacking. How would this be done exactly? I'm guessing that when someone logs in you generate a token & store it in a session variable, then on each page you'd compare that session variable to the value of the $_GET variable?

Would this token need to be changed only once per session, or on each page load?

Also, is there any way of preventing hijacking without having to pass a value along in your URLs? That would be a lot easier.

OK, there are 2 separate but related problems, and each is handled differently.

Session Fixation

This is where an attacker explicitly sets the session identifier of a session for a user. Typically in PHP it's done by giving them a URL like http://www.example.com/index...?session_name=sessionid. Once the attacker gives the URL to the client, the attack is the same as a session hijacking attack.

There are a few ways to prevent session fixation (do all of them):

- Set session.use_trans_sid = 0 in your php.ini file. This will tell PHP not to include the identifier in the URL, and not to read the URL for identifiers.

- Set session.use_only_cookies = 1 in your php.ini file. This will tell PHP to never use URLs with session identifiers.

- Regenerate the session ID any time the session's status changes. That means any of the following:
  - user authentication
  - storing sensitive info in the session
  - changing anything about the session
  - etc...

Session Hijacking

This is where an attacker gets hold of a session identifier and is able to send requests as if they were that user. That means that since the attacker has the identifier, they are all but indistinguishable from the valid user with respect to the server.

You cannot directly prevent session hijacking. You can however put steps in place to make it very difficult and harder to use.

- Use a strong session hash identifier: session.hash_function in php.ini. If PHP < 5.3, set it to session.hash_function = 1 for SHA1. If PHP >= 5.3, set it to session.hash_function = sha256 or session.hash_function = sha512.

- Send a strong hash: session.hash_bits_per_character in php.ini. Set this to session.hash_bits_per_character = 5. While this doesn't make it any harder to crack, it does make a difference when the attacker tries to guess the session identifier. The ID will be shorter, but uses more characters.

- Set additional entropy with session.entropy_file and session.entropy_length in your php.ini file. Set the former to session.entropy_file = /dev/urandom and the latter to the number of bytes that will be read from the entropy file, for example session.entropy_length = 256.

- Change the name of the session from the default PHPSESSID. This is accomplished by calling session_name() with your own identifier name as the first parameter prior to calling session_start.

- If you're really paranoid you could rotate the session name too, but beware that all sessions will automatically be invalidated if you change this (for example, if you make it dependent on the time). But depending on your use-case, it may be an option...

- Rotate your session identifier often. I wouldn't do this on every request (unless you really need that level of security), but at a random interval. You want to change this often since if an attacker does hijack a session you don't want them to be able to use it for too long.

- Include the user agent from $_SERVER['HTTP_USER_AGENT'] in the session. Basically, when the session starts, store it in something like $_SESSION['user_agent']. Then, on each subsequent request check that it matches. Note that this can be faked so it's not 100% reliable, but it's better than nothing.

- Include the user's IP address from $_SERVER['REMOTE_ADDR'] in the session. Basically, when the session starts, store it in something like $_SESSION['remote_ip']. This may be problematic with some ISPs that use multiple IP addresses for their users (such as AOL used to do). But if you use it, it will be much more secure. The only way for an attacker to fake the IP address is to compromise the network at some point between the real user and you. And if they compromise the network, they can do far worse than hijacking (such as MITM attacks, etc).

- Include a token in the session and on the browser side that you increment and compare often. Basically, for each request do $_SESSION['counter']++ on the server side. Do something in JS on the browser side to do the same (using local storage). Then, when you send a request, take a nonce of the token, and verify that the nonce is the same on the server. By doing this, you should be able to detect a hijacked session since the attacker won't have the exact counter, or if they do you'll have 2 systems transmitting the same count and can tell one is forged. This won't work for all applications, but it is one way of combating the problem.

A Note On The Two

The difference between session fixation and hijacking is really about how the session identifier is compromised. In fixation, the identifier is set to a value that the attacker knows beforehand. In hijacking it's either guessed or stolen from the user. Otherwise the effects of the two are the same once the identifier is compromised.

Session ID Regeneration

Whenever you regenerate the session identifier using session_regenerate_id, the old session should be deleted. This happens transparently with the core session handler. However, some custom session handlers using session_set_save_handler() do not do this and are open to attack on old session identifiers. Make sure that if you are using a custom session handler, you keep track of the identifier that you open, and if it's not the same one that you save, explicitly delete (or change) the identifier on the old one.

Using the default session handler, you're fine with simply calling session_regenerate_id(true). That will remove the old session information for you. The old ID is no longer valid and will cause a new session to be created if the attacker (or anyone else for that matter) tries to use it. Be careful with custom session handlers though....

Destroying a Session

If you're going to destroy a session (on logout for example), make sure you destroy it thoroughly. This includes unsetting the cookie. Using session_destroy:

    function destroySession() {
        // Expire the session cookie on the client...
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
        // ...and remove the session data on the server.
        session_destroy();
    }

php security session session-cookies
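The lifecycle the answer describes (cookie-only sessions, a renamed session cookie, regeneration on login and at intervals, user-agent and IP binding, and a thorough logout) wired into one small module, as an added example that is not part of the original question or answer. It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(); the function names secure_session_start, rotate_session_id, login_user and logout_user, the cookie name APPSESS and the five-minute rotation interval are choices of this example. It goes one step beyond the answer by also enabling session.use_strict_mode, which makes PHP refuse an uninitialised session ID supplied by the client instead of adopting it.

```php
<?php
// Added example, not code from the original question or answer.
// Assumed names: secure_session_start, rotate_session_id, login_user,
// logout_user, the cookie name APPSESS and ROTATE_AFTER_SECONDS.
declare(strict_types=1);

const SESSION_NAME = 'APPSESS';       // replaces the default PHPSESSID
const ROTATE_AFTER_SECONDS = 300;     // rotate the ID at a bounded interval

/**
 * Start the session with fixation defences on and hijacking checks applied.
 * Returns false (after tearing the session down) when the binding check fails.
 */
function secure_session_start(bool $https = true): bool
{
    // Fixation: never accept or emit session IDs in URLs, and refuse IDs
    // the server did not issue itself (use_strict_mode goes beyond the answer).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // HttpOnly keeps scripts away from the ID; Secure keeps it off plain HTTP.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name(SESSION_NAME);
    if (!session_start()) {
        return false;
    }

    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['bound'])) {
        // First request of a fresh session: record the binding material.
        $_SESSION['bound']      = true;
        $_SESSION['user_agent'] = $agent;
        $_SESSION['remote_ip']  = $ip;
        $_SESSION['rotated_at'] = time();
        return true;
    }

    // Hijacking check: a stolen ID presented from a different client is refused.
    if (!hash_equals($_SESSION['user_agent'], $agent)
        || !hash_equals($_SESSION['remote_ip'], $ip)) {
        logout_user();
        return false;
    }

    // Periodic rotation limits how long a leaked ID stays useful.
    if (time() - $_SESSION['rotated_at'] > ROTATE_AFTER_SECONDS) {
        rotate_session_id();
    }
    return true;
}

/** Issue a new ID; the default handler deletes the old record when passed true. */
function rotate_session_id(): void
{
    session_regenerate_id(true);
    $_SESSION['rotated_at'] = time();
}

/** Privilege change: always rotate before storing the authenticated identity. */
function login_user(int $userId): void
{
    rotate_session_id();
    $_SESSION['user_id'] = $userId;
}

/** Thorough teardown: clear data, expire the cookie, destroy the server record. */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}
```

In a request handler the order is secure_session_start() first, login_user() once credentials have been verified, and logout_user() from the logout endpoint; the IP binding is the check to drop first if users behind rotating-IP proxies get logged out unexpectedly, as the answer warns.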

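For the "Session ID Regeneration" warning about custom save handlers, an added example (not the answer's code) of a SessionHandlerInterface implementation that does what the answer asks: it tracks the ID it read and, when asked to write under a different ID, deletes the record held under the old one, so the old identifier is dead even if the caller regenerated without the true argument. The in-memory array standing in for the real store, the class name OldIdPurgingHandler and the two literal IDs are assumptions of this example; it targets PHP 8.0 or later for the union return types. In a real application the object is registered with session_set_save_handler($handler, true); the driver function below calls the same methods directly so the example runs from the command line.

```php
<?php
// Added example, not code from the original answer. The array store is a
// stand-in for a database or cache; the IDs are constructed sample values.
declare(strict_types=1);

final class OldIdPurgingHandler implements SessionHandlerInterface
{
    /** @var array<string, string> session ID => serialised session data */
    public array $store = [];

    /** ID handed to read() during the current request; null before any read. */
    private ?string $openedId = null;

    public function open(string $path, string $name): bool { return true; }

    public function close(): bool
    {
        $this->openedId = null;
        return true;
    }

    public function read(string $id): string|false
    {
        $this->openedId = $id;
        return $this->store[$id] ?? '';
    }

    public function write(string $id, string $data): bool
    {
        // The ID changed between read and write: the session was regenerated.
        // Delete the record under the old ID so it can no longer be replayed.
        if ($this->openedId !== null && $this->openedId !== $id) {
            unset($this->store[$this->openedId]);
        }
        $this->store[$id] = $data;
        $this->openedId = $id;
        return true;
    }

    public function destroy(string $id): bool
    {
        unset($this->store[$id]);
        return true;
    }

    public function gc(int $max_lifetime): int|false { return 0; }
}

/** Simulate two requests: the second opens the old ID and writes a regenerated one. */
function demonstrate_old_id_purge(): bool
{
    $handler = new OldIdPurgingHandler();
    $oldId = 'a1b2c3old';   // constructed sample IDs
    $newId = 'd4e5f6new';

    // Request 1: an anonymous session is stored under the old ID.
    $handler->open('', 'APPSESS');
    $handler->write($oldId, 'user_id|i:0;');
    $handler->close();

    // Request 2: the old cookie is presented, login regenerates the ID,
    // and PHP writes the session data under the new ID.
    $handler->open('', 'APPSESS');
    $handler->read($oldId);
    $handler->write($newId, 'user_id|i:42;');
    $handler->close();

    // The old ID must be gone and the new ID must hold the data.
    return !isset($handler->store[$oldId])
        && $handler->read($newId) === 'user_id|i:42;';
}

var_dump(demonstrate_old_id_purge());
```

The purge in write() is a safety net, not a replacement for passing true to session_regenerate_id(); with the flag set PHP also calls destroy() on the old ID, and a handler whose destroy() silently fails is exactly the case the answer cautions about.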