Fixation attack protection

reddrum

Hi All,
I have been working on a session security function that can be called on every page load or intermittently. It starts a new session, checks for attacks or sets a new session id. It could be also used to save the remote address of the attacker.
Please let me know if you think this is a good approach.
Thanks!

   function chk_session(){
      $name = session_name();
      session_start('$name');
      if (!isset($_SESSION['login_ok'])){ //New session.
         $_SESSION['login_ok'] = 1;
         $_SESSION['old_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
         $_SESSION['old_remote_addr'] = $_SERVER['REMOTE_ADDR'];
         return 1;
      }
      else{
         if ($_SESSION['old_user_agent'] != $_SERVER['HTTP_USER_AGENT']
            || $_SESSION['old_remote_addr'] != $_SERVER['REMOTE_ADDR']){

        $_SESSION = array();
        session_destroy();     //Fixation attack, more than one computer with same session id.
        return 2;
     }
     else{
        session_regenerate_id(); //Get new session id for fixation attack protection
        return 3;
     }
  }
   }

Horizon88

session_start('$name');

I've not worked with named sessions before - shouldn't that either be:
session_start($name);
or
session_start("$name"); ?

It took me a minute to grasp what the purpose of this is for, but if I understand correctly, you're trying to prevent people from hijacking sessions - is it to prevent your visitors from being victims of session attacks (someone on their network sniffing packets and stealing the session)? If so, then it looks like it would work to me. I've never done any session hijacking though. The only issue I can think of would be users running behind something like a TOR proxy where each visit changes the IP address.

laserlight

is it to prevent your visitors from being victims of session attacks (someone on their network sniffing packets and stealing the session)?

No, it is to prevent someone from using "social engineering" to set the session id of a naive user.

reddrum

Hi Horizon88,
You are correct I don’t need the single quotes ”session_start('$name');”. I am new to sessions and decided to explore the use of them to replace my method of posting hidden form data form page to page, to validate the user. I don’t need super security, I just want to make sure that sessions will be at least as secure as hidden form data.
Thanks for your comments!

rulian

also:
($SESSION['old_user_agent'] != $SERVER['HTTP_USER_AGENT']
|| $SESSION['old_remote_addr'] != $SERVER['REMOTE_ADDR']){

you are setting not comparing, not sure if that is what you wanted.

I'm not quite sure how this would work so I'm curious as to what it's purpose is.
I see you are capturing user agents and storing them in sessions and comparing the two. Which would be useful if let's say someone logged out or had their time expire on a session, i would think, but making sure you destroy your session on loggout or expiration is probably the safest bet. Sessions are created for each user on the server, I think if a user can gain access to the server's cache you have a bigger security breach then a user sessions.

As far as remote access, i dont see anything that woudl enable the server to compare id's on 2 different machines, since you arent storing them in a db of any kind.

Weedpacket

rulian wrote:
($SESSION['old_user_agent'] != $SERVER['HTTP_USER_AGENT']
|| $SESSION['old_remote_addr'] != $SERVER['REMOTE_ADDR']){

you are setting not comparing, not sure if that is what you wanted.

No, != is a comparison operator.

Which would be useful if let's say someone logged out or had their time expire on a session, i would think,

Or if someone else had obtained the session ID (from the client) and was trying to use it from another address/user-agent, or if the attacker had obtained a session ID "legitimately" and was trying to con someone else into using it as well - the sort of thing this code is intended to help defend against.

rulian

I thought
$string != "blah" returns false if string could not be set to blah
but
$string !== "blah" return false if string is not set to blah

NogDog

!= is the "not equal" comparison operator.
!== is the "not identical" comparison operator.

Both do a comparison, but the second returns true if the two values are not equal OR if the types are not the same, whereas the first is only concerned with the value.

0 != false   --> returns false
0 !== false  --> returns true (not the same type)

0 == ""   --> returns true
0 === ""  --> returns false (not the same type)

See http://www.php.net/manual/en/language.operators.comparison.php for more info.

Weedpacket

rulian wrote:
$string != "blah" returns false if string could not be set to blah

The question then would be under what circumstances could "$string = 'blah';" fail...