Can php session be hacked?

So everyone says that sessions have security risks. I want to know what kind of risks these are. What can hackers do with sessions?

This is not about knowing how to avoid attacks; I want to know how hackers are doing it, and what they are doing.

I am talking about PHP SESSIONS.


asked Jul 11, 2010 at 19:07

Adam Halasz

The answer by sAc is very good. However, don't rule out "sessions" because of this.

I've successfully deployed custom sessions which, among other things, fix hijacking, password reversal (md5/rainbow) and (if used correctly) session fixation.

By "successfully deployed" I mean passing penetration testing and (of course) actually being better than the traditional.

There is no "secret" or obscure security; basically, it generates a random (and database-wise unique) number (actually, a guid in my case) per user account and stores the guid+username as the normal method (instead of username+hashed/salted password). Next, it binds this guid with the user's IP address. Not infallible, but using a guid and per-IP binding already is an improvement over the current session system. Of course, there are flaws which open up after specific targeting (such as IP spoofing + the hijacked guid and username). But in general, it's a way better alternative.

answered Jul 11, 2010 at 19:23

Christian

The biggest risk is if IPs aren't associated with a session, and session IDs are accepted without verifying they come from the IP that started them (or at least an IP in the same subnet). This allows someone to send a link to an already-started session, where the unwitting dupe might need to log in. Upon doing so, the SESSION is considered logged in -- and the hacker that sent the link (who already has the session ID) has access to our rube's account. Or it could happen the other way around, where the user's already logged in and doesn't have cookies enabled, so a PHPSESSID value is stored in every link. If the user pastes a link to someone, they're also effectively pasting their access to the site.

In order to prevent this, a decent site will avoid starting a session until there's something to store in it, and keep track of what IP the session was intended for. And to exploit it, an attacker will look for a site that sends a PHPSESSID query string value in each link from the home page, or sends a similarly named cookie on the index page.

answered Jul 11, 2010 at 19:15

cHao
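The fixation path cHao describes (an ID handed to the victim in a link or cookie before they log in) is closed by refusing URL-borne IDs, not starting a session until there is something to store, and replacing the ID at login. The following is an added example written for this page, not code from any of the answers; the function names are my own.

```php
<?php
// Added example: a session bootstrap hardened against fixation.
declare(strict_types=1);

function configureSession(): void
{
    // Never read or emit session IDs in URLs; cookies only.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject any ID the server did not generate itself (PHP >= 7.0).
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from scripts and off plain HTTP (samesite needs PHP >= 7.3).
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
}

// Start a session only when there is something to store, so anonymous
// visitors are never issued (or handed) an ID they could pass around.
function startSessionIfNeeded(bool $needed): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    if (!$needed) {
        return false;
    }
    configureSession();            // must run before session_start()
    return session_start();
}

// Detection hook: an ID arriving as a query parameter is exactly the
// pattern the answer describes. Log it; never adopt the value.
function detectSessionIdInUrl(array $query): bool
{
    $name = session_name();        // "PHPSESSID" unless reconfigured
    if (isset($query[$name])) {
        error_log("session id offered via URL parameter {$name}; ignored");
        return true;
    }
    return false;
}

// At login, replace the ID so whatever ID the visitor arrived with
// (pasted link, planted cookie) no longer maps to the authenticated session.
function loginUser(int $userId): void
{
    startSessionIfNeeded(true);
    session_regenerate_id(true);   // true also deletes the old session data
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}
```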

PHP Sessions use session identifiers, and haxxors can try all possible identifiers; with a small chance they get a valid one. Also, these identifiers are stored in cookies and can be intercepted. A third possibility is that PHP can be buggy and create two sessions with the same identifier. Also, session data is stored in files on the disk, which is unsecured. Instead, databases need a password.

It is actually not possible to prevent the first two reasons, but the third and fourth ones can be. For example, store your session data in a database.

answered Jul 11, 2010 at 19:11

When I first started thinking about protecting against XSS and practicing with the wget cookie features I considered things along this route.

1) Store a session cookie, but marry it with another id string which is passed in the link (not related to sess id) which is stored in the db along with the sess id, this pair then needs to marry to access.

2) Check the sess id to the browser agent, because even if the ip changes dynamically, the browser won't.

3) Use a cookie to store similar to 1, and if ip changes then challenge the cookie.

x) The extra string should probably be made up of the agent, sess id, user name (and maybe ip (if extra logout req)), and then either be a hash or (probably a waste of time) encrypted.

y) For non-SSL login I converted some RSA code to JS and mixed with its PHP counterpart it works quite well for a simple public key system, see here (as you can see it is slightly limited)
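Christian's per-IP binding and points 2), 3) and x) above both amount to the same check: store a client fingerprint with the session at login and revalidate it on every request. The following is an added example written for this page, not code from either answer; the function names and the secret are placeholders of my own, and the session is modelled as a plain array so it runs without a live session.

```php
<?php
// Added example: bind a session to a client fingerprint and revalidate it.
declare(strict_types=1);

const FINGERPRINT_SECRET = 'replace-with-a-server-side-secret'; // placeholder

// Fingerprint = user agent + coarse IP. Only the first three IPv4 octets
// are used so the dynamic-address changes the answer mentions do not log
// users out; IPv6 addresses fall back to the whole address.
function clientFingerprint(array $server): string
{
    $agent = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    $coarse = str_contains($ip, ':')
        ? $ip
        : implode('.', array_slice(explode('.', $ip), 0, 3));
    // Keyed hash: a copied session store does not reveal the raw inputs.
    return hash_hmac('sha256', $agent . '|' . $coarse, FINGERPRINT_SECRET);
}

// Call once at login, right after session_regenerate_id().
function bindSession(array &$session, array $server): void
{
    $session['fp'] = clientFingerprint($server);
}

// Call on every request that uses the session. A mismatch means the ID
// is being presented by a different client than the one that logged in;
// the caller should discard the session and require a fresh login.
function sessionMatchesClient(array $session, array $server): bool
{
    if (!isset($session['fp'])) {
        return false;                // never bound: treat as untrusted
    }
    return hash_equals($session['fp'], clientFingerprint($server));
}

// Constructed request data for demonstration (not real traffic).
$legit = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)', 'REMOTE_ADDR' => '203.0.113.10'];
$roams = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)', 'REMOTE_ADDR' => '203.0.113.77'];
$thief = ['HTTP_USER_AGENT' => 'curl/8.0',          'REMOTE_ADDR' => '198.51.100.7'];

$session = [];
bindSession($session, $legit);
var_dump(sessionMatchesClient($session, $legit));   // same client
var_dump(sessionMatchesClient($session, $roams));   // same /24, still accepted
var_dump(sessionMatchesClient($session, $thief));   // stolen ID from elsewhere
```

Binding to the IP is the trade-off Christian names: it raises the bar for a stolen ID but can reject legitimate users behind rotating proxies, so a mismatch should force re-authentication rather than silently fail.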

Are PHP sessions secure?

Is a PHP session secure? PHP sessions are only as secure as your application makes them. PHP sessions give the client a pseudorandom string (the "session ID") with which to identify itself, but if that string is intercepted by an attacker, the attacker can impersonate that client.

Can PHP session be manipulated?

A user cannot modify PHP session data on the server. They can only present a legitimate session cookie and masquerade as a logged-in user, but that requires them to steal a valid cookie in the first place.

Can session be hacked?

After a user starts a session, such as by logging into a banking website, an attacker can hijack it. In order to hijack a session, the attacker needs to know the user's session cookie. Although any session can be hacked, it is most common in browser sessions on web applications.

Can a hacker change session variables?

If your question is "can a user modify the data stored in the session", the answer is no. The session is stored in the server, and its content is not sent to the client.