Tutorials PHP Session Hijacking

Session Hijacking

In my previous cookie and session tutorial, I explained that they were not secure in their basic state. Hackers love to take control of your security sessions. So what can we do to increase security? There are 3 common methods hackers use to steal sessions: prediction, fixation and capture.

Sessions 101

Before I get into what session hacking is and how to stop it, lets get some basics down on how sessions work. Whenever you start a session, a session id is assigned to your browser. The actual session data is stored on the server. Your browser produces the session id and the server gives them the data. It's like a bank; you show your id and they give you access to your money.

What is session prediction?

Prediction is when hackers try to guess a session id. It could be educated guessing or completely random. The session id is randomized by default so it's unlikely to be guessed easily. This method is very rare and is unlikely to be your weakest point. Sometimes you just get someone's password through a lucky guess.

What is session fixation?

This happens when the user visits a hacker's site before coming to yours. The hacker injects a session id through the URL or cookie into the user's browser browser and sends them to your site. The user doesn't notice anything wrong and logs in. Afterwards, the hacker uses the same method to add the session id to their own browser and comes to your site. You see that they have the same id and you give them access to the user's session data.

To put it simply, hackers give users a fake id to do legitimate things and then piggybacks off their ride. It's like a bank; the hackers give you a fake id and you use it to deposit money and the hackers use the same id after you to withdraw.

How do you stop session fixation?

You can reset their session id. This will give the user a new id and discards anything related with any old ones.


What is session capture?

Session capture is when the user visits your site then the hacker gets them. Basically, hackers rip the session id from the user's browser. There are several ways to do this such as XSS injections, man-in-the-middle, or just getting physical access to the computer. You can use SSL to protect against man-in-the-middle attacks but it falls to the browser to protect against everything else. You can add more security like checking if they have the same browser and/or IP address but that information can be easily faked, so there is no foolproof method of preventing session hijacking. In the end, you have to trust the user to not do anything stupid.

Session through URLs

The only way to pass sessions is through URLs or cookies. A big problem with passing through the URL is that it is very vulnerable. Anybody with access to the user's computer will be able to see it in the browser's history. The user could also copy and paste the whole URL to their email or SMS. If you have access to your php.ini file, find the line that says session.use_only_cookies and set it to 1 to make sure session id through URLs are invalid.

That's all for today's tutorial. Remember to regenerate_session_id before any change in security, like logging in. If you are serious about security, you should also add SSL to prevent sniffing.

Posted by on . Category: PHP


No comments posted yet

You need to register or login to post new comments.