56 lines
2.9 KiB
Markdown
56 lines
2.9 KiB
Markdown
|
---
|
||
|
|
title: Session Identifier Acquirement
|
||
|
|
---
|
||
|
|
## Session Identifier Acquirement
|
||
|
|
|
||
|
|
Session Identifier Acquirement is a vulnerability caused by an attacker being able to either guess the session identifier of a user or exploit vulnerabilities in the application itself or the user's browser to obtain a session identifier. This attack is a prerequisite to performing a session hijacking attack.
|
||
|
|
|
||
|
|
### Example
|
||
|
|
An attacker has a few options to perform a session identifier acquirement attack.
|
||
|
|
* Guessing the Identifier: A short and guessable session identifier could allow an attacker to brute-force the ID of a session and get in.
|
||
|
|
* Attacking the Browser: In the event you store your session identifier in the browser's cookies - if your website is vulnerable to cross site scripting an attacker could use the vulnerability to collect session identifier cookies and access high privilege level areas (for example an admin panel).
|
||
|
|
* Changing the ID to the attacker's choice: In older versions of PHP you were able to set the ID of a session in the URL. It's disabled by default now, if in doubt make sure `session.use_trans_sid` is false. This is not a common issue anymore, however it can still happen, better safe than sorry.
|
||
|
|
|
||
|
|
|
||
|
|
### Defending against Session Identifier Acquirement attacks in PHP
|
||
|
|
To defend against Session Identifier Acquirement attacks you need to check the attempted session access against several factors to confirm whether it's a legitimate access and to avoid the user from successfully hijacking the user's session. Below is an example implementation that can help mitigate the effects of a session identifier acquirement attack. It checks the IP Address, User Agent, and if the Session Expired removing a session before it's acquired.
|
||
|
|
```PHP
|
||
|
|
<?php
|
||
|
|
session_start();
|
||
|
|
|
||
|
|
// Does IP Address match?
|
||
|
|
if ($_SERVER['REMOTE_ADDR'] != $_SESSION['ipaddress'])
|
||
|
|
{
|
||
|
|
session_unset();
|
||
|
|
session_destroy();
|
||
|
|
}
|
||
|
|
|
||
|
|
// Does user agent match?
|
||
|
|
if ($_SERVER['HTTP_USER_AGENT'] != $_SESSION['useragent'])
|
||
|
|
{
|
||
|
|
session_unset();
|
||
|
|
session_destroy();
|
||
|
|
}
|
||
|
|
|
||
|
|
// Is the last access over an hour ago?
|
||
|
|
if (time() > ($_SESSION['lastaccess'] + 3600))
|
||
|
|
{
|
||
|
|
session_unset();
|
||
|
|
session_destroy();
|
||
|
|
}
|
||
|
|
else
|
||
|
|
{
|
||
|
|
$_SESSION['lastaccess'] = time();
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
**Tips:**
|
||
|
|
* Store lots of information about the current session (User Agent String, IP Address, Last Access Time, etc)
|
||
|
|
* Check every request against information stored about the session (Does it match? If not delete the session and require the user to login again )
|
||
|
|
* Sessions shouldn't last forever - they should expire at a certain point to maintain session security.
|
||
|
|
* Rate limit the amount of sessions a user can try to access (did a user try to access 1000+ invalid sessions? Chances are they are guessing - prevent the IP address from trying any more sessions for a few hours).
|
||
|
|
|
||
|
|
|
||
|
|
#### More Information:
|
||
|
|
* <a href="https://secure.php.net/manual/en/session.security.php">php.net session security manual</a>
|