gaspersic/freeCodeCamp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
1c863eb91ff15c69fb65d9d5f2ee6ebe23713cb2
freeCodeCamp/guide/english/php/security/session-identifier-acquirement/index.md
Mrugesh Mohapatra da0df12ab7 fix(guide): simplify directory structure
2018-10-16 21:32:40 +05:30

56 lines
2.9 KiB
Markdown
Raw Blame History

---
title: Session Identifier Acquirement
---
## Session Identifier Acquirement
Session Identifier Acquirement is a vulnerability caused by an attacker being able to either guess the session identifier of a user or exploit vulnerabilities in the application itself or the user's browser to obtain a session identifier. This attack is a prerequisite to performing a session hijacking attack.
### Example
An attacker has a few options to perform a session identifier acquirement attack.
* Guessing the Identifier: A short and guessable session identifier could allow an attacker to brute-force the ID of a session and get in.
* Attacking the Browser: In the event you store your session identifier in the browser's cookies - if your website is vulnerable to cross site scripting an attacker could use the vulnerability to collect session identifier cookies and access high privilege level areas (for example an admin panel).
* Changing the ID to the attacker's choice: In older versions of PHP you were able to set the ID of a session in the URL. It's disabled by default now, if in doubt make sure `session.use_trans_sid` is false. This is not a common issue anymore, however it can still happen, better safe than sorry.
### Defending against Session Identifier Acquirement attacks in PHP
To defend against Session Identifier Acquirement attacks you need to check the attempted session access against several factors to confirm whether it's a legitimate access and to avoid the user from successfully hijacking the user's session. Below is an example implementation that can help mitigate the effects of a session identifier acquirement attack. It checks the IP Address, User Agent, and if the Session Expired removing a session before it's acquired.
```PHP
<?php
session_start();
// Does IP Address match?
if ($_SERVER['REMOTE_ADDR'] != $_SESSION['ipaddress'])
{
session_unset();
session_destroy();
}
// Does user agent match?
if ($_SERVER['HTTP_USER_AGENT'] != $_SESSION['useragent'])
{
session_unset();
session_destroy();
}
// Is the last access over an hour ago?
if (time() > ($_SESSION['lastaccess'] + 3600))
{
session_unset();
session_destroy();
}
else
{
$_SESSION['lastaccess'] = time();
}
```
**Tips:**
* Store lots of information about the current session (User Agent String, IP Address, Last Access Time, etc)
* Check every request against information stored about the session (Does it match? If not delete the session and require the user to login again )
* Sessions shouldn't last forever - they should expire at a certain point to maintain session security.
* Rate limit the amount of sessions a user can try to access (did a user try to access 1000+ invalid sessions? Chances are they are guessing - prevent the IP address from trying any more sessions for a few hours).
#### More Information:
* <a href="https://secure.php.net/manual/en/session.security.php">php.net session security manual</a>
Reference in New Issue View Git Blame Copy Permalink