#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2001
    Location
    Westminster, CA USA
    Posts
    52
    Rep Power
    14

    Hijack a session?


    Hello,

    I would like to know how can someone hijack a session? and how to prevent it? Under what applications do devious users do that?
    and can they see all variables in that session?

    Thanks in advance,
    John
    Last edited by johnn; July 31st, 2001 at 05:17 AM.
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jan 2001
    Location
    In a multi-cultural mess.
    Posts
    569
    Rep Power
    14
    John,

    I use my own sessions code but I suspect this applies to PHP4 "sessions" also.

    If a stranger browses one of my applications, the resulting URL in the browser line,
    will contain a session id such as "?Id=73b237e4d969c39160fd2d6deefde4".

    If that stranger did not 'hit' my application again,
    but instead, immediately emailed the URL to a friend,
    who immediately entered this URL into his browser,
    then my site could not tell the difference between the
    first user and the second user of that session.

    All the session variables are available to the program.
    If the program displays this data, then yes, the hijacker
    can see "all variables in the session".

    -----------------

    To prevent accidental re-entry of form data, I include "the next"
    sequence number in a hidden field when the form is sent to the browser.

    When the form is entered, the sequence number must match what is expected.
    If not, the form is rejected as a duplicate.
    If so, the data is processed.
    "the next" sequence number is incremented.

    This sequence number is carried in the session table so there is
    a unique sequence number for each user.

    -----------------

    To prevent hijacking, I extend "the next" sequence number
    to all input. So input forms carry "the next" in a hidden field;
    other transactions carry "the next" in the url.

    You might want to distinquish between input forms and other transactions.
    For input forms "the next" must be exactly what is expected.
    For other transactions "the next" can be one or two "earlier" than
    expected to accomodate some back button hits.

    Now if a devious user tries to use a "hijacked session id",
    if the real user does a couple of enters, as is normal,
    then the hijacker will be refused.

    Robert
    Robert
    ---
    If it's hard, it's probably wrong.

IMN logo majestic logo threadwatch logo seochat tools logo