
I have never worried about it. Sessions expire, so someone would have to access your browser after you left the session open (didn't log out). But then you're not logged out anyway, so what's the point of taking the cookie? The user is already in because you didn't log out. The fact that the session cookie still exists is irrelevant, in my experience.

If the account is important enough, you should only allow access to it using https. The session cookie would only be sent through an encrypted connection and monitoring the data packets would have no effect.

 

If you can't or don't want to use https, then you should check that the 'REMOTE_ADDR' and the 'HTTP_USER_AGENT' don't change during the session. Someone getting the session id and attempting to visit your site from a different IP than the IP that started the session would indicate an attempt to hijack a session. This would still allow two people using the same IP address to access the session, such as those behind the same router or going through the same proxy. If the guy in the next cubicle over, on the same local network, is the one doing the data monitoring, his connection to a site would look identical to the original visitor's, which is why https should be used when you want to be sure.

Many dial up users experience an IP change on a per-request basis at times. Using an IP to validate a session can leave some of your users high and dry.
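Putting the two posts above together (an HTTPS-only, HttpOnly session cookie plus a fingerprint check that can leave the IP out for users whose address changes mid-session), here is an added PHP example. It is not code from this thread or from any of the posters; the function names, the `fingerprint`/`rotated_at` session keys and the 300-second rotation interval are my own choices, and it assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the thread): hardening PHP session handling
// along the lines discussed above. Assumes PHP >= 7.3 (array form of
// session_set_cookie_params) and that the site is served over HTTPS.

declare(strict_types=1);

// Only send the cookie over HTTPS, hide it from JavaScript, and refuse
// session IDs the server did not generate itself (blocks session fixation).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie, not persistent
    'path'     => '/',
    'secure'   => true,     // never sent over plain http
    'httponly' => true,     // not readable by document.cookie
    'samesite' => 'Lax',
]);
session_start();

/**
 * Build the fingerprint a session is bound to. The user agent is always
 * included; the client IP only when $bindIp is true, because some users
 * (dial-up, mobile, large proxies) change IP mid-session and would be
 * logged out for no reason.
 */
function session_fingerprint(array $server, bool $bindIp): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

/**
 * Returns true if the current request matches the fingerprint stored
 * when the session was created. A mismatch is treated as a possible
 * hijack: the session is destroyed rather than silently continued.
 */
function validate_session(array $server, bool $bindIp = false): bool
{
    $expected = session_fingerprint($server, $bindIp);

    if (!isset($_SESSION['fingerprint'])) {
        // First request of a new session: bind it now.
        $_SESSION['fingerprint'] = $expected;
        $_SESSION['rotated_at']  = time();
        return true;
    }

    // Constant-time compare so the check itself leaks nothing.
    if (!hash_equals($_SESSION['fingerprint'], $expected)) {
        $_SESSION = [];
        session_destroy();
        return false;
    }

    // Rotate the ID periodically so a captured ID has a short shelf life.
    if (time() - (int) $_SESSION['rotated_at'] > 300) {
        session_regenerate_id(true);   // true = delete the old session file
        $_SESSION['rotated_at'] = time();
    }
    return true;
}

// Default: bind to user agent only. Pass true as the second argument on
// admin pages where you are willing to trade some usability for IP binding.
if (!validate_session($_SERVER)) {
    http_response_code(403);
    exit('Session invalid, please log in again.');
}
```

The user-agent check is a weak signal (an attacker who can sniff the cookie can also copy the User-Agent header), so treat it as defence in depth behind the `secure` cookie flag rather than a substitute for HTTPS, which is the point the first poster makes.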

 

Packet sniffing is not an easy task for the most part... unless you have something worth stealing, I really wouldn't be concerned about it. If you do though, SSL certs are fairly cheap for the protection they give :)

 

Most crackers will try to find an easier route to your data

All of those examples rely on social engineering... and sadly, it really doesn't matter how secure your script is if your key holders lend them out.

 

The best protection here is to not give your random myspace buddy admin access to your script :)
