Identifying SSL clients

nicktodd8

I have a site that uses PHP sessions through SSL, my employer does not wish the site to require cookies so I have switched on the use_trans_sid option for users who have cookies disabled.

The problem I have is stopping session hijacking.

If I am on a page "https://secure.mysite.com/page.php?PHPSESSID=XXXXX"
And I email the url to someone else they can get onto the site without being challenged for a logon.
I am trying to find a way to check that the connection is still coming from the same SSL connection, e.g. by checking the clients public key, but I can't find a way to get any information about the SSL connection from PHP.
Any help would be appreciated.

lucasrd

Implement a database table that keeps track of session_id, IP, and datetime

then in your authentication module, make a check that validates the user's session with their ip.

You can use what ever validation means you want to, but using a database to distinguish who owns the session is what I would try.

bradgrafelman

What webserver are you using (version too, please!)?

EDIT: A couple of possibilities of you're running Apache.

If you're on Apache2, you could try something like [man]apache_getenv/man and such, to store the client's SSL serial in a flat file OR a database (such as MySQL) for verification purposes. For a list of Apache-related variables to use, see this page.
If you're on Apache 1.x series, you can probalby use mod_rewrite to add the client's serial onto the URL, i.e. rewrite the URL to:

myfile.php?serial=%{SSL_CLIENT_M_SERIAL}

and so on. I'm not an expert at the rewrite module, so who knows.

EDIT2: Forgot to mention - lucasrd's solution, while not as secure, is also a feasible solution.

nicktodd8

I'm on a shared webhost using Apache/1.3.29 with PHP 4.3.10, which is unfortunate as otherwise the apache_getenv solution bradgrafelman posted would have been ideal.

lucasrd's solution would work (although i'm reluctant to use IP address as users coming from a proxy server may have the same IP and users from some hosts [such as AOL] may have IP addresses that change.) but a similar solution such as the one laid out in Chris Shiflett's article here could be implemented, and will probably be what I end up doing. However, I was hoping I might be able to do something more secure since I was connecting via SSL.

I don't know much about MOD rewrite but I'll have a play with it see if I can get anything out of it.

lucasrd

If you're basing it on session, even if their ip changes, it will remain the same for that session, so it should work...

lucasrd

I forget the setting, but you could just hide hte PHPSESSID from the URL....that way their browser would generate a new session for them and they'd have to authenticate.