July 31st, 2001, 12:17 PM
Join Date: Jan 2001
Location: In a multi-cultural mess.
Time spent in forums: 1 h 59 m 30 sec
Reputation Power: 13
I use my own sessions code but I suspect this applies to PHP4 "sessions" also.
If a stranger browses one of my applications, the resulting URL in the browser line,
will contain a session id such as "?Id=73b237e4d969c39160fd2d6deefde4".
If that stranger did not 'hit' my application again,
but instead, immediately emailed the URL to a friend,
who immediately entered this URL into his browser,
then my site could not tell the difference between the
first user and the second user of that session.
All the session variables are available to the program.
If the program displays this data, then yes, the hijacker
can see "all variables in the session".
To prevent accidental re-entry of form data, I include "the next"
sequence number in a hidden field when the form is sent to the browser.
When the form is entered, the sequence number must match what is expected.
If not, the form is rejected as a duplicate.
If so, the data is processed.
"the next" sequence number is incremented.
This sequence number is carried in the session table so there is
a unique sequence number for each user.
To prevent hijacking, I extend "the next" sequence number
to all input. So input forms carry "the next" in a hidden field;
other transactions carry "the next" in the url.
You might want to distinquish between input forms and other transactions.
For input forms "the next" must be exactly what is expected.
For other transactions "the next" can be one or two "earlier" than
expected to accomodate some back button hits.
Now if a devious user tries to use a "hijacked session id",
if the real user does a couple of enters, as is normal,
then the hijacker will be refused.
If it's hard, it's probably wrong.