tamumech Posted July 5, 2007

Hi all, I am creating a login script that will use sessions. Since I am not dealing with very personal information or financial data, I think it is something a beginner (sort of) like myself can do. To prevent session hijacking I understand I should use a token with the session identifier. According to Chris Shiflett here http://shiflett.org/articles/session-hijacking , I should propagate the token differently than I do the session identifier. He recommends "propagating the session identifier as a cookie and the token as GET data". Can anyone explain to me how this might be done? What if the user has cookies turned off?
stoker Posted July 5, 2007

If cookies are turned off you must keep the session ID in the URL, or you can simply show some text explaining that cookies are required.

This isn't a complete answer, rather a little trick to accomplish page-load-to-page-load verification.

- Create a session, which the user keeps for the duration of the visit or whatever.
- For each page load, generate a new random verification key, store it in the session data and use it in GET or POST requests to validate that the next page load comes from the same user.

The drawback to this is that the browser's back button can't be used, as that would request a page which was using an old key. I have used this method on checkout systems in multiple places. The main thing is that this session must always require a key, so if you are going from a cart to a checkout process, create a new session just for this purpose and always validate the key.
Hypnos Posted July 5, 2007

You can't get much done online anymore with cookies turned off. Most login sites require cookies enabled.

I personally would be worried about someone watching the traffic and grabbing the session ID, especially with visitors using open wireless networks. Using the user agent string like Chris shows does help with obvious attempts. However, if the attacker got your session ID/GET var by watching your traffic, they also have your user agent string. Adding that to the mix of the request isn't hard, but it does require that extra step.

I say first look at SSL as an option. That will stop anyone watching the traffic from seeing anything about your client's requests.
tamumech Posted July 5, 2007 (Author)

stoker - Would I just put the POST and GET data in a form to transfer it from page to page? Or is there another way? Why would I pass it in the URL if I can use POST? i.e.:

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="GET">
    <input type="hidden" name="key" value="<?php echo htmlspecialchars($_GET['key']); ?>">
</form>

Hypnos - Do you recommend a place to get SSL? Is the open source any good?

Thanks for all your help.
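The per-page-load verification key stoker describes, carried in the hidden POST field tamumech asks about, as an added example that is not code from anyone in this thread; it assumes PHP 7 or later (for random_bytes and hash_equals) and that the key is always sent back by POST.

```php
<?php
// Added example, not from the thread: a single-use verification key that is
// regenerated on every page load and checked on the next request.
// Assumes PHP 7+ (random_bytes, hash_equals). The session cookie still carries
// the session ID; only the key travels in the form.
session_start();

// Issue a fresh key for the next request and remember it server-side.
function issue_request_key(): string
{
    $key = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG
    $_SESSION['request_key'] = $key;
    return $key;
}

// Validate the key the client sent back against the stored one.
// Returns true only when a key was issued and it matches exactly.
function validate_request_key(?string $submitted): bool
{
    if (!isset($_SESSION['request_key']) || $submitted === null) {
        return false;
    }
    $ok = hash_equals($_SESSION['request_key'], $submitted);
    unset($_SESSION['request_key']);       // single use: an old key must not replay
    return $ok;
}

// --- request handling ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!validate_request_key($_POST['key'] ?? null)) {
        // A missing or stale key: treat it as a possible hijack and end the session.
        session_destroy();
        http_response_code(403);
        exit('Request could not be verified; please start again.');
    }
    // ... process this checkout step here ...
}

// Render the next step with a new key in a hidden POST field.
$key    = issue_request_key();
$action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<form action="<?= $action ?>" method="POST">
    <input type="hidden" name="key" value="<?= htmlspecialchars($key, ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Continue</button>
</form>
```

Because the stored key is replaced on every render, using the browser's back button and resubmitting an older page fails validation, which is the drawback stoker mentions.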