Can you hijack this session via sniffing packets with my method?

vspin

(Revised 5/8/2008 5:00 PM PST)

My method requires javascript enabled browsers.

security.js

window.onload = function() {
  security = new Image();
  security.src = "https://www.myweb.com/RegenerateIdentifier.php?nocache=" + Math.random();
}

RegenerateIdentifier.php

<?php

  //FAST SSL - Regenerate session identifier

  header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
  header("Cache-Control: no-cache");
  header("Pragma: no-cache");

  session_start();
  session_regenerate_id(FALSE);

?>

page.php

<html>

<head>
<title>Web Page</title>
<script type="text/javascript" src="security.js"></script>
</head>

<body>

<h2>Welcome to myWeb.com!</h2><br />

</body>
</html>

Here's the scenario: an Administrator has just logged into the web site. He keeps reloading page.php in his browser through HTTP and later allows his session to expire without logging out. Can you obtain the necessary session identifier to hijack his session via sniffing network packets? If so, how?

I'm trying to come up with an alternative to using SSL entirely. It's still to be determined whether my method actually frees up more CPU resources than just using SSL all together for the following reasons:

Two php page request made, one being through HTTPS
Regenerating session identifier with every request

vspin

(removed)

NogDog

I normally just save the user's IP address in the session data when he logs in. Then as part of the login check on subsequent pages, if the $SERVER['REMOTE_ADDR'] does not match the value saved in $SESSION, the user is required to log in again.

vspin

NogDog wrote:
I normally just save the user's IP address in the session data when he logs in. Then as part of the login check on subsequent pages, if the $SERVER['REMOTE_ADDR'] does not match the value saved in $SESSION, the user is required to log in again.

Yeah, but IP addresses can change with every request. Especially for AOL users behind a proxy. The User Agent string can be used as well, however, again, there are issues for AOL users.

vspin

(removed)

NogDog

Of course, this begs the question: what happens to legitimate users who have JavaScript disabled or otherwise unavailable for some reason?

vspin

NogDog wrote:
Of course, this begs the question: what happens to legitimate users who have JavaScript disabled or otherwise unavailable for some reason?

Well, on login I can detect this and request that they enable it or use a browser that supports it. While possibly misleading, it is estimated that 95% of users have Javascript enabled.

(Script updated on original post)

vspin

I am updating this method, which no longer requires Javascript and is much more reliable!

For this to work, ALL your web pages must look like this:

<?php

//redirect user back to this page if missing www. in the URL (no http://myweb.com) here.

$randomcode = ; //generate random code here

?>

<html>
<head>
<title>Web Page</title>
</head>
<body>

<img src="http://myweb.com/images/logo.gif" border="0" />

<div id="ssl" style="display: none;"><img src="https://www.myweb.com/RegenerateIdentifier.php?nocache=<?php echo $randomcode ?>" /></div>
<h2>Welcome to myWeb.com!</h2>
</body>
</html>

Your web page URLs must include the www. (e.g. http://www.yourweb.com/page.php).

The next important thing is all other non web page files, such as JS, CSS, DOC, ZIP, GIF, JPG, etc. must have a URL without the www. (e.g. http://yourweb.com/images/logo.gif).

The reason for this is because PHP creates different session identifiers for both URLs. This prevents non web page requests intercepting important data. Alternatively, you can create a sub domain (http://upload.yourweb.com/images/logo.gif).

RegenerateIdentifier.php

<?php

  //FAST SSL - Regenerate session identifier

  header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
  header("Cache-Control: no-cache");
  header("Pragma: no-cache");

  session_start();
  session_regenerate_id(FALSE);

?>