session hijacking

[anand_ragav]

When a user accesses the administrative site they are issued with the PHPSESSID session cookie. This controls the authenticated state of the user’s session and appears to be solely relied upon for authorisation checks. Once the user has successfully authenticated to the application via the administrative login page they are now authorised to access the administrative resources located on the server.
Consequently, if a valid PHPSESSID cookie value was stolen it can be used to gain authenticated administrative access to the application without the user being required to supply valid authentication credentials.

Can somebody provide me a solution on how to overcome this issue?

Thanks
RA

[Nolongerused3921]

I would be interested in a solution as well. Right now I have a session with the user's IP address set, and checked every page, but this does not always work.

[trq]

If you really need that much security, use https.

[btherl]

Sykoi, in what situations does checking the IP address not work?  When the IP address changes due to proxy servers?

If someone can access your session id, they could probably have accessed your username and password the same way.  Presumably using a network sniffer or by intercepting your traffic at a proxy server.

Like thorpe mentioned, https will largely solve those problems.  Then you only need to worry about attacks on the client and server machines.

[Nolongerused3921]

Actually I was mistaken, I had only set the IP address as a session variable, and after some more research of _SESSION, I think I want to store session ID in a cookie, rather than append it to the URL (This is where I had some problems, if a user pastes a link to someone else, goes to another site (Referrer log), or anything like that - this can potentially be a bad thing).

Can I just use "session.use_only_cookies", or is there an easier method that can be called from inside my script rather than modifying php.ini

As for security concerns - its not a big enough deal to use https, however I would really like to remove SESSID from urls, but not risk session confusion or add too much extra time to the runtime.

[magic2goodil]

some added things you can do are by creating your own security variables that are checked for on each page as well as by checking the browser and things like that to verify that the user is the same user
also the idea of checking for ip addresses is wise as well

[egalp]

You might consider regenerating the session ID on page traversal, keeping the session information, using [url=http://il2.php.net/manual/en/function.session-regenerate-id.php]session_regenerate_id()[/url].
That way even if a specific session ID was hijacked it would be obsolete very quickly.