Prevention Session Hijacking


Viewed 751 times

5

I know that to prevent this type of attack we must use session_regenerate_id(), mainly before logging in. My question is whether to delete the previous session by passing true as the parameter. I understand that it would be best to delete the previous session, but none of the examples I see do so. Which would be correct, or the safer one?

  • See this answer: http://stackoverflow.com/a/6483097/587811

1 answer

6


First of all I want to say that in security the problem is never finished. That said, and without going into other topics related to sessions, responding to the specific case of session hijacking, I would say the following:

  1. session_regenerate_id(), for ease of use or maintenance, should be called after the credentials have been validated correctly. However, I have seen applications where this is done every 30 minutes and, in extreme cases, what I consider paranoia, on every request. For most projects, at login... is enough! It does not solve the problem, but it makes it harder!

  2. Before session_regenerate_id() it is mandatory to call session_destroy(), and why not session_unset() as well... which clearly answers the question.

  3. Using some fields in the session to validate the connection is also important, for example HTTP_USER_AGENT or others. These are also susceptible to manipulation, but again... it does not solve the problem, but it makes it harder!

  4. If session hijacking is a problem, then depending on the project, SSL addresses it. Again, it does not solve it completely, because there are those who claim to be able to "get around" HTTPS, but... it makes it harder, and very much so.

  5. A TOKEN mechanism stored in the session for each request, followed by policies for authorising operations, is also very useful.

Finally, the list does not end here, because there can be many solutions and there were a few more, but studying the subject and constantly monitoring the process that was applied is also an excellent complement to the solution.

In the applications I create I always make available to the user a page where they can see their open and active sessions and the expired ones... which makes the user more informed and more careful, minimising the problem.

I should also say that PHP sessions are files stored on the server, and this can cause some entropy on the server depending on the number of accesses, making it vulnerable to other types of attacks, but of course it depends on the type of project.
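The following is an added example, not code from the question or the answer above, that puts the pieces discussed into one login flow: the old session is deleted with session_regenerate_id(true) (the question's point), the session is bound to HTTP_USER_AGENT (point 3), the cookie is marked secure so it only travels over HTTPS (point 4), and a per-request token is kept in the session (point 5). The function names (loginUser, currentUser, checkToken, logoutUser), the 30-minute rotation interval and the cookie settings are assumptions chosen for the illustration; the array form of session_set_cookie_params() requires PHP 7.3 or later.

```php
<?php
// Added example (not from the question or answer): a minimal login flow that
// regenerates the session id and deletes the old session storage, binds the
// session to the client's user agent, and issues a per-request token.
declare(strict_types=1);

// Cookie hardening, applied before the session starts. Values are assumed
// defaults for this example, not settings taken from the page.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // cookie only sent over HTTPS (point 4 of the answer)
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
session_start();

/** Hashed fingerprint of the client (point 3). The raw user agent is not stored. */
function requestFingerprint(): string
{
    // Assumption: user agent only. Adding REMOTE_ADDR is possible but logs out
    // users whose address changes (mobile networks, proxies), so it is left out.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/** Issue a fresh random token and store it in the session (point 5). */
function rotateToken(): string
{
    $_SESSION['token'] = bin2hex(random_bytes(32));
    return $_SESSION['token'];
}

/**
 * Call right after the credentials have been verified.
 * session_regenerate_id(true) issues a new id AND deletes the old session
 * storage, so an id obtained before login cannot be replayed afterwards.
 */
function loginUser(int $userId): void
{
    $_SESSION = [];               // discard anything from the anonymous session
    session_regenerate_id(true);  // true = delete the old session file

    $_SESSION['user_id']      = $userId;
    $_SESSION['fingerprint']  = requestFingerprint();
    $_SESSION['last_rotated'] = time();
    rotateToken();
}

/**
 * Run on every request that needs an authenticated user. Returns the user id,
 * or null (after destroying the session) when the fingerprint no longer matches.
 */
function currentUser(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], requestFingerprint())) {
        logoutUser();
        return null;
    }
    // Periodic rotation; the answer mentions 30 minutes as one choice (assumed here).
    if (time() - ($_SESSION['last_rotated'] ?? 0) > 1800) {
        session_regenerate_id(true);
        $_SESSION['last_rotated'] = time();
    }
    return (int) $_SESSION['user_id'];
}

/** Validate a token submitted with a state-changing request; constant-time compare. */
function checkToken(string $submitted): bool
{
    $expected = $_SESSION['token'] ?? '';
    $ok = $expected !== '' && hash_equals($expected, $submitted);
    rotateToken(); // single use: a new token is issued whether or not it matched
    return $ok;
}

/** Clear the session data, expire the cookie and remove the server-side storage. */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Usage: after the password check succeeds, call loginUser($id); at the top of each protected page call currentUser() and redirect to the login form when it returns null; embed rotateToken()'s value in forms and pass the submitted field to checkToken() before acting on a POST. Note that session_regenerate_id(true) already removes the old session, so a separate session_destroy() before it is not needed and would discard the data being carried over.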
