RE: Session Authentication


> -----Original Message-----
> From: olafurw@xxxxxxxxx [mailto:olafurw@xxxxxxxxx] On Behalf Of
> Ólafur Waage
> Sent: Monday, 9 April 2007 14:40
> To: php-general@xxxxxxxxxxxxx
> Subject: Session Authentication
> 
> Let's say I have a login system. This system authenticates the 
> user via MySQL; when the user is authenticated, I set a 
> session variable to let the system know the user is 
> authenticated, i.e. $_SESSION["authenticated"] = true;
> 
> Let's also say I know that's how the system works, that a 
> session variable within my browser is set to true. Could I do 
> this if I knew all this info and "authenticate" myself by 
> setting the variable from the client side?

$_SESSION['variables'] are stored server side and can only be set during
script execution, not by the browser.

> If it is possible, what can I do to prevent this or increase security?
> 

What is possible here is called session hijacking. Imagine this scenario:

You are an innocent tourist, and go into a cyber café to check your mail,
let's assume when you authenticate to your mail system, it is not encrypted.

The owner of the cyber café is sniffing all incoming and outgoing data, and
just happened to know that you logged in.

The SESSION_ID that is stored in a cookie on your computer is what links you
to your authenticated session on the server.

So the owner manages to sniff that SESSION_ID, knowing you are still logged
on, he goes to the same site you are on, and edits the cookie that was
generated by that site, to have the same SESSION_ID as the one he sniffed
over the network.

The owner has now owned/hijacked your session and is authenticated as
yourself. Depending on the logoff mechanism involved he may or may not be
able to continue using your session when you log off.


So, to conclude on how to optimize your security, your authentication system
should be encrypted, as in log in using https://.

Hope this helps,

P.S. You can try this at home by opening your same site on two different
computers and editing the session cookie on the one you're not authenticated
on with the session_id from the one you are authenticated on. It's quite
surprising how it just "logs in" without credentials ;)

Regards,

Tim

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
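An added example, not code from either poster: a PHP login handler that keeps the $_SESSION['authenticated'] flag server-side as the reply describes, and limits what a sniffed session ID is worth by forcing HTTPS, hardening the cookie, rotating the ID at login and destroying the session at logoff. check_credentials() is a hypothetical stand-in for the MySQL lookup in the original question.

```php
<?php
// Added example for the session-hijacking discussion above (not from the thread).
// check_credentials() is hypothetical: it stands in for the MySQL lookup.
function check_credentials(string $user, string $pass): bool
{
    // Look the user up in MySQL and verify a password hash here.
    return false;
}

function logout(): void
{
    // Drop the server-side state too, so a copied ID is useless after logoff.
    $_SESSION = [];
    session_destroy();
}

// Refuse to run the login flow over plain HTTP: the session cookie must only
// travel inside TLS, otherwise the cyber-café sniffer in the reply wins.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// Cookie hardening, set before session_start():
//   use_only_cookies - never accept a session ID from the URL
//   use_strict_mode  - reject IDs the server did not generate itself (PHP >= 5.5.2)
//   cookie_secure    - browser sends the cookie over HTTPS only
//   cookie_httponly  - script in the page cannot read the cookie
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if (check_credentials($user, $pass)) {
        // Issue a fresh ID at the moment of login, so an ID captured before
        // authentication is not upgraded into an authenticated one.
        session_regenerate_id(true);
        $_SESSION['authenticated'] = true;
        $_SESSION['user'] = $user;
    }
}
```

The flag itself still lives only on the server, exactly as the reply says; what the settings change is that the cookie carrying the ID no longer crosses the network in the clear.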


