Quote: Originally Posted by Kobra
OK, this is my problem.
I see some sites being hacked all over and I think it's hopeless because sessions are **** insecure!
Then thinking about a solution for it leaves a thousand access problems:
- Verification of IPs: doesn't work for people whose IP changes between hits (they would get an error per second)
- Cookie variable store: can be hacked easily and the user can have it off.
- Verification of user agent: some users have the same user agent.
Is there any way I can know if the person who's trying to access the session is the original user or a hacker? I think it's nearly impossible, and if it can work in some situations it won't work in others.
Any ideas? Because I don't like the idea that a PHP site with sessions will end up being hacked sooner or later. Is PHP that insecure? Better change language then.

This is definitely mass confusion.
I'll get to the main meat of your post in a moment, but first let me address your final paragraph. Here you suggest that sessions are a vulnerability and that other languages are somehow more secure. How do you think sessions are handled in other languages which makes them more secure? Sessions are a vital part of any web application no matter which language they are created in. No matter which language they are created in, sessions are used. The only difference is that PHP provides a really easy interface to work from, while in other languages you need to mess around with cookies and URL GET variables directly.
The insecurity is caused by HTTP being stateless - no language which is serving web pages can overcome this vulnerability.
Sessions, like so many of the capabilities in PHP, are easy to use, which enables a lot of inexperienced users to write code. This code is insecure because they don't understand the potential problems.
Wow, that went on longer than expected.
Now some useful tips:
- Sessions are based on identifying a visitor in one of two ways: cookies and a variable in a link. The variable in a link can create problems; it can be sent to a friend in an email or posted on a website, and anyone clicking on that link could potentially hijack the original user's session. This is clearly a problem and I would recommend you not use this feature - stick to cookies.
- The user agent should not change between requests, so you can check it - this adds a *little* extra security.
- The IP address may change due to a user connecting to your site through a proxy pool. If, however, their IP address remains the same for several requests, you can be fairly sure that they are connecting directly - if their IP address then suddenly changes, this should arouse your suspicions.
- If sensitive user data is being displayed or modified, don't trust sessions and re-verify the password of the user.
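Putting the four tips above together, as an added example (this is not code from the original post, and the function names, the `IP_SETTLE_REQUESTS` threshold and the `$storedHash` lookup are my own assumptions): cookie-only session IDs, a user-agent binding, an IP check that tolerates changes while the session is young but flags a change after several stable requests, and a password re-check before anything sensitive. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example for this thread, not code from the original post.
// Assumes PHP 7.3+ running behind HTTPS; names below are hypothetical.

// Tip 1: never accept or emit the session ID in a URL - cookies only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
session_set_cookie_params([
    'httponly' => true,   // cookie not readable from JavaScript
    'secure'   => true,   // cookie only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Assumption: after this many requests from one address we treat the
// address as "settled" and a sudden change becomes suspicious (tip 3).
const IP_SETTLE_REQUESTS = 5;

// Tip 2: bind the session to the user agent. Hashed so the raw string is not
// stored in the session file.
function uaFingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Returns true if the request is consistent with the session's history.
function validateSession(): bool {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['fp'])) {
        // First request of this session: record the baseline.
        $_SESSION['fp']      = uaFingerprint();
        $_SESSION['ip']      = $ip;
        $_SESSION['ip_hits'] = 1;
        return true;
    }

    // User agent must not change mid-session.
    if (!hash_equals($_SESSION['fp'], uaFingerprint())) {
        return false;
    }

    if ($ip === $_SESSION['ip']) {
        $_SESSION['ip_hits']++;
        return true;
    }

    // Address changed. Tolerate it while the session is young (proxy pools),
    // but reject a change after the address has been stable for a while.
    if ($_SESSION['ip_hits'] >= IP_SETTLE_REQUESTS) {
        return false;
    }
    $_SESSION['ip']      = $ip;
    $_SESSION['ip_hits'] = 1;
    return true;
}

function destroySession(): void {
    $_SESSION = [];
    session_destroy();
}

// Tip 4: before showing or changing sensitive data, re-check the password.
// $storedHash is the password_hash() value from your user store (lookup not shown).
function reauthenticate(string $submittedPassword, string $storedHash): bool {
    return password_verify($submittedPassword, $storedHash);
}

if (!validateSession()) {
    destroySession();
    http_response_code(403);
    exit('Session check failed, please log in again.');
}

// Right after a successful login, rotate the ID so a pre-login ID cannot be reused:
// session_regenerate_id(true);
```

Include this file at the top of every page that uses the session; the sensitive pages additionally call `reauthenticate()` with the password the user just typed and only proceed when it returns true.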