Prevent users stealing session

adrotheman

Hi,

I have been discussing session stealing with another programmer and ways it can be avoided. By session stealing i mean getting a hold of someone elses active session id and using to access a site.

We have been discussing numerous ways to prevent people stealing other users session including not passing the session in address strings which would obviously be negated if a user has cookies disabled because --enable-trans-sid would mean the session id would automatically be added to the address.

After a lengthy discussion, the only realistic solution we could find was to include the active users ip address as a session variable. We would then include a function as part of our auth check on every page that compares the ip address of the user requesting the page against the ip address we have stored in their session.

Now my question is, can anyone see a flaw in this concept or maybe a better solution that would satisfy our security conscious clients?

AstroTeg

I hope there's no flaw with that! 🙂

I've setup something similar with a more recent site I'm building.

I've encoded the IP address (md5 + seed string). I store the IP and the email address of the user in a session. I should probably encode/encrypt the email to make it more difficult to tweak (system only accepts unique email addresses).

For each page call, I check the encoded session "id" with the remote IP. I store the encoded IP as "id" in hopes some sucker tries fiddling with it.

I'd guess there's 10 different ways to do this. I'm not 100% sold this way is the way to go, but I think its going to provide the level of tamper proofing I need for this particular app.

swr

There is a "session.use_only_cookies" configuration option you can use to disable the session ID in links.

Checking by IP is not so good, as users may be behind a proxy or NAT server which causes them all to share a pool of IP addresses. Not only can you not be certain that a connection from the same IP address is from the same user, you can't be certain that a connection from the same user will be from the same IP addresses (although the latter situation is less common; most users go through a single proxy, or are NATed through a single routable IP).

Aside from session stealing, there is also session fixation. The fix for that is to give the user a new session ID (discarding the old one) as soon as they log in. Google for "session fixation" for more info.

AstroTeg

Originally posted by swr

Checking by IP is not so good, as users may be behind a proxy or NAT server which causes them all to share a pool of IP addresses.

The idea behind the IP address is to help bind it to a particular browser session and as this article describes helps with session fixation (its not a cure all, but helps):

http://archives.neohapsis.com/archives/sf/www-mobile/2003-q1/0330.html

icaro

if i was this paranoid, i would use https

Xoid

instead of using the IP address, couldn't you use something like:

$session_code = md5(uniqid(mt_rand(),true));

Weedpacket

Originally posted by icaro
if i was this paranoid, i would use https

After all, if someone is going to be eavesdropping on the other person's connection (or, worse, yours) then they're not going to be limited to just hoping for a session ID to go flying past.

planetsim

Originally posted by adrotheman

Now my question is, can anyone see a flaw in this concept or maybe a better solution that would satisfy our security conscious clients?

As a matter of fact there is a flaw as swr pointed out, but also users can be behind Proxies. More than likely not, but its quite a possibility.

HTTPS/SSL is a bit too far fetched, im assuming this is a simple Members Section which requires the best security possible without going as far as that.

Usually when i do sessions its mainly

md5(uniqid(mktime())); But more recently have been adding encrypted username when logged in. Havent added IP address and if i did it would be encrypted also for user privacy.

AstroTeg

Originally posted by Xoid
instead of using the IP address, couldn't you use something like:

$session_code = md5(uniqid(mt_rand(),true));

By using the IP address, you can bind the session to a machine (again, its not perfect because of proxies, but anything helps).

So with the IP in the session, you can look at the session's IP address that's stored and compare it to the remote IP address coming in (again, another weak link would be if someone does IP spoofing - but they'd need to know the IP of the machine they're going to snatch the session from). If the session IP and the remote IP don't match, then its likely someone snatched it.

I think if someone is packet sniffing, you're pretty much stuck anyways unless you are using SSL.

AstroTeg

Originally posted by planetsim
As a matter of fact there is a flaw as swr pointed out, but also users can be behind Proxies. More than likely not, but its quite a possibility.

See my post after SWR. If the IP is used in conjunction with the session ID, you can get session binding. Its not bullet proof, but slightly better than just the session itself.

Originally posted by planetsim

Usually when i do sessions its mainly md5(uniqid(mktime())); But more recently have been adding encrypted username when logged in...

Question: Is this data you're sending to the client (via cookies?) or data you're storing IN the session?

swr

Originally posted by AstroTeg
If the IP is used in conjunction with the session ID, you can get session binding.

Usually, but not always. There is no guarantee that the user will connect from the same IP address they came from one click ago, even if the previous click was only a fraction of a second ago. Consider a user behind load balanced proxy servers each with different IP, or a NAT server that translates internal connections to a block of routable addresses (instead of a single address like typical home routers do). In those cases the user will come from several different IPs during a normal browsing session. Those are not very common cases but they do occur.

yousaf931

This is going to be a nice thread so far gave me alot of information the Php Greeks should continue this thread to add more issues in it regarding session handleing.

capbiker

I am using sessions for my website of which I am coding up in PHP and one of the things I have done with my own sessions is to create my own by using a mysql table to store the information in.

As it as been coded up so that the basic information, user id, time they last accessed a page and even what page they are on. A few other bits too to help me to keep track of it.

But doing it that way you would have more of a secuirty as if a user hijacks a session all that happens is that the information in the table just gets updated with there information only.

But the only problem with any type of session you will need to store somewhere a username and password and if you have got the other persons you cannot easily stop they hijacking the other person's account.