Stopping stolen/spoofed/linked sessions

Anon

[Please copy replies off-list.]

I want to use PHP4 sessions for authentication, but I'm having difficulty understanding how to get around users spoofing, stealing or linking sessions. Here's an example: Alice sends Bob a link from a site she's logged into. Alice has cookies turned off in her browser, so the session id will be in the URL she sends Bob. Eve intercepts the message, follows the link and now she can take over Alice's session, and any data that is associated with that session. For that matter, Bob can do the same thing.

I can think of lots of ways around this, but most of them are kludges that don't really cut it. I can store a second authentication value in a cookie, but that would require cookies, which isn't acceptable. I could propogate a second authentication variable in the URL, but that's a lot of hassle and defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if the user came from my own site, but that can be spoofed. I can log and check the users IP address, but that can't be relied upon.

Is there any reliable way around this? Am I missing something obvious?

Cheers,
adam

neuromancer

Store unique information in the session (REMOTE_ADDR ?) and compare it before doing anything else, if its incorrect drop the session and redirect the user to a login page (both the real and spoofing user will be dropped)

Anon

Store unique information in the session
(REMOTE_ADDR ?) and compare it before
doing anything else, if its incorrect drop
the session and redirect the user to a
login page (both the real and spoofing
user will be dropped)

Like I said, the users IP address can't be relied upon. Services like WebTV often assign different IP addresses on different requests. Proxies will screw up some users. And all other environment variables can be spoofed.

Sorry, but I'm still in the dark. How do the big websites do it? Hotmail does it by insisting on cookies, but I don't want to do that, it's not fair to users who want to browse without cookies. Is there really a foolproof answer to this question I wonder?

adam

neuromancer

With some creative checksum work you can solve that problem, long as the secure user clicks at least one more link in your site after sending the link to someone else

Anon

I'm not an expert here, but a session stores registered variables in the sessionfile on the server.
When they log in, register some kind of second checksum in the session file. If someone spoofs the session id into the url, you can still check for the second checksum - the user has never been exposed to this at any point, it goes direct from php script to file and is only used by the php engine.
If the session has expired, the registered variable won't be there (the spoof session id will make the engine create a new session file).
Like I said, i'm pretty green here - does this make sense?

Anon

No offense intended, but no. To create a second identifying variable in the session, you need an identifier from the user. But there's no other reliable identifier there. I guess I'll just have to rely on a multi-level solution, or insist on cookies.

Cheers,
adam