On Wed, Feb 19, 2014 at 11:22 AM, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:
> On Wed, 19 Feb 2014 10:04:53 -0500, Aziz Saleh wrote
> > On Tue, Feb 18, 2014 at 9:07 PM, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:
> > >
> > > By the way, one of the other messages I've received in response
> > > to my original question concerned a php.ini file setting,
> > > session.use_strict_mode
> > > (available PHP 5.5.2+) which appears to at least do the ignoring
> > > thing, if a browser sends session data to the Server which does
> > > not happen to match an existing session-data-file. Good show!
> > >
> > > vernnoner3voltazim
> > > Vernon Nemitz
> > >
> >
> > Glad you sorted it out. However, I don't think you understood
> > what I meant. My original thought is that you were worried
> > about session hijacking (someone finding out the session id
> > a user uses, for example an admin) and going into your site and
> > plugging that ID into the URL (or cookie by default) to take
> > control over that session, basically logging in by the session
> > id. What I do prevents that from happening by associating the
> > session id to not just any user, but to that specific user
> > that logged in.
>
> I do understand the idea, but not the implementation as you
> have so far described it. If the user has to keep identifying
> self to the web server, then that is data that the bad guy
> could obtain as easily as the session ID. However, it occurs
> to me that the IP address of the user, and that of the bad
> guy, should always be different. So, if the IP address was
> saved in association with the session ID, the server could
> check for a matching IP address each time a request reached
> it, that began identifying itself with a session ID.
>
> vernonner3voltazim
> Vernon Nemitz
>

Think about the implementation this way:

    function getUserSalt() {
        return isset(COOKIE[salt]) ? COOKIE[salt] : makeSalt()
    }

    function getUniqueKey() {
        return ip + user agent + salt + (other unique factors, add as many as you want)
    }

    function getUserSession() {
        set key = getUniqueKey()
        set session id = SESSION_ID (from url or cookie)
        check DB for corresponding row with those two params
        if user exists, use the corresponding user id with that session,
        else destroy the session
    }

The only way a user can hijack someone's session is if they have the cookie value salt + cookie/url value session_id + ip + user agent, which I personally think is far-fetched.

Aziz
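The sketch above leaves the storage and the comparison abstract. The following is an added worked example, written for this page and not code posted by Aziz or Vernon, that implements the same idea in plain PHP: a random per-browser salt cookie, a fingerprint built from REMOTE_ADDR, User-Agent and that salt, and a check on every request that the presented session ID was issued to a client with the same fingerprint. Rather than a separate DB table, it stores the fingerprint inside the session record itself (a simplification: the session store is already keyed by session ID, so the extra table is not needed for the check). It also turns on the session.use_strict_mode setting Vernon mentions, so that a session ID the server never issued is refused outright. Function names, cookie name and the 'user_id' key are this example's own choices.

```php
<?php
// Added example: bind a PHP session to a client fingerprint (IP + User-Agent + salt cookie).
// Assumes PHP >= 5.5.2 (session.use_strict_mode) and the OpenSSL extension for PHP 5.

// Refuse session IDs that were not issued by this server (strict mode must be set
// before session_start()). Cookie-only IDs and HttpOnly keep the ID out of URLs and JS.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Hex-encoded CSPRNG bytes; random_bytes() on PHP 7+, OpenSSL on PHP 5.
function randomHex($bytes) {
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    return bin2hex(openssl_random_pseudo_bytes($bytes));
}

// Per-browser salt held in its own cookie ("salt"), so the fingerprint cannot be
// reproduced from IP and User-Agent alone. Only a well-formed value is accepted.
function getUserSalt() {
    if (isset($_COOKIE['salt']) && preg_match('/^[a-f0-9]{32}$/', $_COOKIE['salt'])) {
        return $_COOKIE['salt'];
    }
    $salt = randomHex(16);
    // path '/', session lifetime, not Secure here (set true behind HTTPS), HttpOnly
    setcookie('salt', $salt, 0, '/', '', false, true);
    return $salt;
}

// Fingerprint of the requesting client. Hashed so the stored key reveals nothing if
// the session store is read; NUL separators prevent field-boundary ambiguity.
function getUniqueKey($salt) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ip . "\0" . $ua . "\0" . $salt);
}

// Called once credentials have been verified. A fresh ID is issued at login so a
// pre-set (fixated) ID never becomes authenticated; the fingerprint is recorded.
function loginUser($userId) {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['key']     = getUniqueKey(getUserSalt());
}

// Called on every request. Returns the user id for a session whose fingerprint
// matches the current request, or null after destroying a session that does not.
function getUserSession() {
    if (!isset($_SESSION['user_id'], $_SESSION['key'])) {
        return null;                                  // not logged in
    }
    if ($_SESSION['key'] !== getUniqueKey(getUserSalt())) {
        // Same session ID presented from a different IP / User-Agent / salt:
        // treat it as a hijack attempt and drop the session.
        $_SESSION = array();
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return null;
    }
    return $_SESSION['user_id'];
}

// Usage in a page:
$uid = getUserSession();
if ($uid === null) {
    header('Location: /login.php');
    exit;
}
echo 'Logged in as user ', htmlspecialchars($uid, ENT_QUOTES, 'UTF-8');
```

Two caveats a practitioner would want before deploying this. First, the check only adds value if the fingerprint is stable for the legitimate user: clients whose IP changes mid-session (mobile networks, some corporate proxies, load-balanced egress) or whose browser updates its User-Agent will be logged out, so the tolerance is a product decision. Second, the User-Agent is entirely attacker-controlled and the IP can often be matched from the same network, so the secret part of this scheme is the salt cookie; it should travel over HTTPS with the Secure flag (the `false` passed to setcookie above becomes `true`), and it does nothing against an attacker who can read the victim's cookies in the first place. session.use_strict_mode is complementary: it stops the server from adopting an arbitrary ID it never issued, which is the fixation problem rather than the hijack problem.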