
Session security - fixation and hijacking

There are a couple of things to keep in mind when dealing with sessions. You can of course store session data in a database under your own identifiers and protect it from hijacking that way. But if you use $_SESSION variables, the first thing to remember is that by default all sessions are saved to files in plain text, so anyone who can run a simple PHP script on the server can read them. So always encrypt sensitive data before storing it in the session, for example with the md5() function, like this:

<?php
session_start(); // must be called before $_SESSION is used
$_SESSION['password'] = md5($password);
?>

The second thing is session fixation. If you log in via a link with ?PHPSESSID=12345 attached to it and someone else then opens the same link, they automatically get your session data and are therefore logged in to your account. Users can be tricked this way and have their accounts taken over. To prevent it, regenerate the session id after the user logs in, like this:

<?php
session_start();
// $login_ok is assumed to hold the result of your own password check
if ($login_ok)
{
    session_regenerate_id(); // issue a new id; the fixed one no longer matches
    $_SESSION['loggedin'] = true;
}
?>

To make hijacking even harder, you can also store some client data in the session and check it on every request, so that if the user's IP address or browser changes they are logged out automatically. To do this, put the following code at the beginning of your page:

<?php
session_start();
// fingerprint of the client: IP address, browser string and a fixed salt
if(!isset($_SESSION['secure']))
{
    // first request of this session: record the fingerprint
    $_SESSION['secure'] = md5($_SERVER['REMOTE_ADDR'].
                              $_SERVER['HTTP_USER_AGENT'].
                              "some text");
}
else if($_SESSION['secure'] != md5($_SERVER['REMOTE_ADDR'].
                                   $_SERVER['HTTP_USER_AGENT'].
                                   "some text"))
{
    // fingerprint changed: drop the session
    session_destroy();
    echo "<p>Session hijack attempt</p>";
}
?>
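The two measures above (regenerating the id on login, and binding the session to a client fingerprint) combined into one bootstrap that can be included at the top of every page, as an added example that is not the article's own code. It goes beyond the article in a few labelled places: session.use_only_cookies and session.use_strict_mode so that an id arriving in the URL is never accepted in the first place, session_regenerate_id(true) so the old session file is deleted rather than left behind, sha256 and hash_equals() in place of md5() and != for the fingerprint, and a proper cookie removal on mismatch. The login_ok() function and FINGERPRINT_SECRET are hypothetical placeholders for your own credential check and configuration.

```php
<?php
// Added example (not from the article). Include before any output is sent.
// Assumes PHP >= 7.0 (hash_equals, ?? operator, scalar type hints).

// Beyond the article: refuse ids passed in the URL and ids the server never
// issued, so a ?PHPSESSID=... link cannot plant a session id at all.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

session_start();

// Secret mixed into the fingerprint (the article uses the literal "some text").
// Placeholder: load the real value from configuration, not from source code.
const FINGERPRINT_SECRET = 'CHANGE-ME-placeholder-secret';

// Client fingerprint as in the article: IP address + User-Agent, here hashed
// with sha256 instead of md5 (choice of this example).
function client_fingerprint(): string
{
    return hash('sha256',
        ($_SERVER['REMOTE_ADDR'] ?? '') . '|' .
        ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' .
        FINGERPRINT_SECRET);
}

// Bind the session to the client on first use and verify it afterwards.
// Returns true if the session may continue, false if it was destroyed.
function verify_session(): bool
{
    if (!isset($_SESSION['secure'])) {
        $_SESSION['secure'] = client_fingerprint();
        return true;
    }
    if (hash_equals($_SESSION['secure'], client_fingerprint())) {
        return true;
    }
    // Fingerprint mismatch: clear the data, expire the cookie, destroy the file.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

// Hypothetical credential check; replace with your own user lookup.
function login_ok(string $user, string $password): bool
{
    // Constructed sample record: one user whose password is "correct horse".
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Successful login: issue a fresh id (true = delete the old session file so a
// fixed id cannot be reused), mark the session authenticated, re-bind the
// fingerprint. The password itself is never stored in the session.
function login(string $user, string $password): bool
{
    if (!login_ok($user, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['user'] = $user;
    $_SESSION['secure'] = client_fingerprint();
    return true;
}

// Run the check on every request, before the page does anything else.
if (!verify_session()) {
    echo "<p>Session hijack attempt</p>";
    exit;
}
```

Call login($user, $password) from your login form handler after the bootstrap has run. One caveat a practitioner will want: binding to REMOTE_ADDR logs out legitimate users whose address changes mid-session (mobile networks, load-balanced proxies, some corporate gateways), so decide whether the IP belongs in the fingerprint for your audience; the User-Agent string alone is weaker evidence but far more stable.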
