[nycphp-talk] Session security: protecting against hijackingattempts POSSIBLE SOLUTION
Hans Zaunere
hans at nyphp.com
Wed Dec 22 20:30:18 EST 2004
> After thinking hard about what's involved with session hijacking, one
> thing seemed to be the lynchpin in attacks, the session id. If an
> attacker knows the session id, he can hijack the victim's session.
>
> So my thought was to change the session id with every request. This
> way, the session is only good for a very short time. It also does a
> very adequate job of protecting against session fixation attacks
> (http://www.acros.si/papers/session_fixation.pdf) because once the
> attackers session is used to gain permissions, it becomes an invalid
> id.
I did something like this using sequenced sessions. It's basically the
same idea as the sequence numbers TCP uses (SYN/ACK). See attached; it
works pretty well and I've used it in a couple of sites. Easy to use
and won't reuse the same session id more than once, making it easy to
detect if a hi-jack has occurred, and hard to perform a hi-jack to begin
with. For high traffic environments, it could use a couple of
improvements.
---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pas.ss.php
Type: application/octet-stream
Size: 2277 bytes
Desc: pas.ss.php
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20041222/c7a69ba6/attachment.obj>
More information about the talk
mailing list