#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Location
    Michigan, USA
    Posts
    278
    Rep Power
    17

    Session ID Hijackin


    i've spent probably about the last 3 hours reading that topic on security and I am kind of confused. when using sessions and you have that option in the php config enabled to automatically add the session id to the url, is it possible to then use this same session on another computer by simply typing it in in the address bar, or is it more complex than that to hijack it?
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Location
    Minneapolis, MN
    Posts
    35
    Rep Power
    12
    without any additional security measures, the answer can be yes.
  4. #3
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Location
    Michigan, USA
    Posts
    278
    Rep Power
    17
    is the session id in the url already encrypted and if it isnt can it be? and what further measures can be used?
  6. #4
  7. Throws Rocks
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Cincinnati, Ohio
    Posts
    392
    Rep Power
    14
    Now you're getting into key management issues
    Two things have come out of Berkeley, Unix and LSD.
    It is uncertain which caused the other.
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Location
    Minneapolis, MN
    Posts
    35
    Rep Power
    12
    Originally posted by summercom
    is the session id in the url already encrypted and if it isnt can it be? and what further measures can be used?
    the session id relates to a record on the server. The is no encrypt/decrypt happening between the client and server. For instance on a unix server there would be file in the /tmp (depends on config of php) directory named what ever the session id is and it contains all the session vars that have been assigned.

    PHP sessions handler can do garbage collection on expired sessions. I store my sessions in a DB and cleanup on expired sessions via my own rules.

    The approach I take toward security depends on the task or tasks at hand. Is this a general question or do you have a problem that you trying to solve.

    This is one example and is definitely not the be all in security, it is just one small example.

    If you use cookies first the session id will not be in the url string.
    Second set a cookie on session start of some value that is unique to that user and validate that as well on each page.

    Just an idea to get you thinking.
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Location
    Minneapolis, MN
    Posts
    35
    Rep Power
    12
    yup!

    Originally posted by GNUbie
    Now you're getting into key management issues
  12. #7
  13. 300lb Bench!
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Aug 2001
    Location
    New York
    Posts
    2,350
    Rep Power
    61
    Unless you're encrypting your connection (via ssl) any packets sent to a web server can be sniffed. However, this is a topic that's been covered extensively. Do a search on the word "security" and you'll see what I mean.

IMN logo majestic logo threadwatch logo seochat tools logo