Making Session Jacking a Nightmare
Posted: Fri Aug 17, 2012 8:06 pm
Edit (8-18-12):
Some of you may be wondering what Session Jacking is. I will explain it semi-technically, and then as I would to my parents (who are for the most part, computer illiterate.)
Session Jacking is when you look through the network for the cookies that users are sending to a website, and then use those cookies to make it look like you are that user. Pretty much stealing their cookies, and then authenticating yourself as the other person.
Think of it like this: Your child sees your signature, and forges a letter to the teacher using what appears to be your signature.
That signature is the cookie, the letter is the request for the page, and the teacher responds as if you (the parent) really wrote the letter. The signature looks real!
The real problem here is that it will happen, even if your users have the strongest password in the world, and the best salting algorithm on the planet.
Here is how this method works (it is actually multiple methods in one):
1. This checks that the user is coming from the same IP address and user agent. If someone steals your session, and logs in using Chrome while you're using IE, the authentication will fail.
2. This regenerates the session key every page request. The hacker will have to be pretty fast to steal it, as page requests happen a lot.
3. This uses a method that (I think) will stop Firesheep (a commonly used session jacking plugin for Firefox): It has a randomly generated cookie name. The only real way to get the name of that cookie would be to use a regular expression, which I don't think is supported by Firesheep. Anyways, you can clutter things up with a few different fake cookies to make it harder if this method starts failing.
End Edit
Hi everyone!
I thought I would show you a way to protect against one of the most common website hacking methods, session jacking. There are a couple of things you should do first, though:
1. Make sure that the change password page asks for your old password first. Even if session jacking gets through, the hacker can't change the password.
2. Please, Please use a salt.
3. Get the code I (Luke111) posted here: http://indie-resource.com/forums/viewto ... 8&start=10 for the easy and quick database access (mysqli_tgb).
4. Make a user table with at least these fields: ID, Status, FakeID
Okay, now on to the code.
Some constants to make life easier:

//the fields we can extract from the getuserlevelid_ function
define("FIELD_USERLEVEL", 1);
define("FIELD_USERID", 2);
//the user levels getuserlevelid_ can return (NL = not logged in)
define("USERSTATUS_NL", 0);
define("USERSTATUS_REGULAR", 1);
//add more here for higher user levels than the regular logged in user. maybe admin, or moderator, or something

This is the code to verify the user is logged in:
session_start();
//regenerate the session key on every page request. Passing true deletes the old
//session file as well, so the previous key cannot be reused by anyone who saw it
session_regenerate_id(true);

function getuserlevelid_($field = FIELD_USERLEVEL) {
    $fail = ($field == FIELD_USERLEVEL ? USERSTATUS_NL : 0);
    //make sure the user's variables are set, and are valid. This includes the user agent,
    //the ip address, and the session & cookie variables we will be using
    if (!isset($_SESSION['PTR'], $_SESSION['HTUA'], $_SESSION['HTIP'])
        || !isset($_COOKIE[$_SESSION['PTR']])
        || $_SESSION['HTUA'] != $_SERVER['HTTP_USER_AGENT']
        || $_SESSION['HTIP'] != $_SERVER['REMOTE_ADDR']) {
        return $fail;
    }
    //the cookie value is "<fakeid>,<userid>"; reject it if the comma is missing
    $cookie = $_COOKIE[$_SESSION['PTR']];
    $comma = strrpos($cookie, ",");
    if ($comma === false) {
        return $fail;
    }
    //extract the user id and fake id from the cookie.
    $q_uid = intval(substr($cookie, $comma + 1));
    $q_fid = intval(substr($cookie, 0, $comma));
    //get the user's status from the user table (s() is mysqli_tgb's prepared SELECT)
    $sql_row = $GLOBALS['con']->s("SELECT `Status` FROM `usertb` WHERE `ID`=? AND `FakeID`=? LIMIT 1", $q_uid, $q_fid);
    if (count($sql_row) > 0) {
        return ($field == FIELD_USERLEVEL ? $sql_row[0]['Status'] : $q_uid);
    }
    return 0;
}
Okay, so the FakeID is just a field to (help) make sure the cookie is valid. This is kind of like another lock on the door.
Now for the login code:
//use your code to get the user's id, status, and other required things from the database
//use your code to make sure the hashed/salted entered password is the same as the hashed/salted database password.
//now, use this code to log in:
//set the session pointer to a random value that is to be the cookie's name
$_SESSION['PTR'] = strval(mt_rand(1000000,9999999));
//set up the fake id to be a random value
$fid = strval(mt_rand(1000000,9999999));
//update the user table to reflect the new fakeid
$con->iud("UPDATE `usertb` SET `FakeID`=? WHERE `ID`=? LIMIT 1",$fid,$userid);
//set the new cookie
setcookie($_SESSION['PTR'],$fid . "," . strval($userid),time()+400000,"/");
//set the other session variables to reflect the user agent/ip address
$_SESSION['HTUA'] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['HTIP'] = $_SERVER['REMOTE_ADDR'];
Now for the logout code:
//do all your pre-logout stuff here... ($uid is the logged-in user's id from that code)
//reset the fakeid in the database, so the old cookie value no longer matches anything
$con->iud("UPDATE `usertb` SET `FakeID`=? WHERE `ID`=?", strval(mt_rand(1000000, 9999999)), $uid);
//unset the session variables
unset($_SESSION['HTUA']);
unset($_SESSION['HTIP']);
//unset the cookie (this must run before any output, and before PTR is unset below)
if (isset($_SESSION['PTR'])) {
    setcookie($_SESSION['PTR'], "", time() - 3600, "/");
}
//destroy the session variable that stores the cookie name
unset($_SESSION['PTR']);
//destroy the session
session_destroy();
There is a lot more that you can do with this, but I posted with just a little bit of meat on the bones.
Have fun stopping hackers!
-Luke
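To see the three checks (same user agent and IP, the randomly named cookie, and the FakeID kept beside the user row) work end to end, here is an added example that models the post's scheme in Python. It is not the post's PHP and not the mysqli_tgb wrapper: plain dictionaries stand in for $_SESSION and the `usertb` table, `secrets` replaces mt_rand, and the user ID 42, the user agent and IP strings, and the demo() walkthrough are all constructed for the example. Function and constant names mirror the post so the two can be read side by side.

```python
"""Model of the post's three session checks, written as an added example.

This is not the post's PHP and not the mysqli_tgb wrapper it relies on: plain
dictionaries stand in for $_SESSION and the `usertb` table so that a login, a
replayed cookie and a logout can be exercised offline.
"""
import secrets

# User levels, mirroring the post's USERSTATUS_* constants.
USERSTATUS_NL = 0        # not logged in
USERSTATUS_REGULAR = 1

# Constructed stand-in for the `usertb` table: user ID -> Status and FakeID.
usertb = {
    42: {"Status": USERSTATUS_REGULAR, "FakeID": None},
}


def _random_token():
    """Seven-digit token like the post's mt_rand(1000000, 9999999), but from a CSPRNG."""
    return str(secrets.randbelow(9000000) + 1000000)


def login(user_id, user_agent, remote_addr):
    """Issue the server-side session and the randomly named cookie.

    Returns (session, cookies): `session` is what the post keeps in $_SESSION,
    `cookies` holds the one cookie the browser will send back.
    """
    ptr = _random_token()                  # cookie name ($_SESSION['PTR'])
    fid = _random_token()                  # FakeID stored next to the user row
    usertb[user_id]["FakeID"] = fid
    session = {"PTR": ptr, "HTUA": user_agent, "HTIP": remote_addr}
    cookies = {ptr: f"{fid},{user_id}"}
    return session, cookies


def getuserlevelid(session, cookies, user_agent, remote_addr, field="level"):
    """Port of getuserlevelid_(): the user's level, or the user ID when
    field == "id". Any failed check yields USERSTATUS_NL (level) or 0 (id)."""
    fail = USERSTATUS_NL if field == "level" else 0
    # 1. the session variables and the randomly named cookie must all exist
    if not all(k in session for k in ("PTR", "HTUA", "HTIP")):
        return fail
    if session["PTR"] not in cookies:
        return fail
    # 2. the request must come from the same user agent and IP address
    if session["HTUA"] != user_agent or session["HTIP"] != remote_addr:
        return fail
    # 3. cookie value is "<FakeID>,<user id>"; reject anything malformed
    fid, comma, uid = cookies[session["PTR"]].rpartition(",")
    if not comma or not fid.isdigit() or not uid.isdigit():
        return fail
    row = usertb.get(int(uid))             # SELECT ... WHERE ID=? AND FakeID=?
    if row is None or row["FakeID"] != fid:
        return fail
    return row["Status"] if field == "level" else int(uid)


def logout(session, cookies, user_id):
    """Rotate the FakeID, drop the cookie and clear the session, as the post's logout does."""
    usertb[user_id]["FakeID"] = _random_token()
    cookies.pop(session.get("PTR"), None)
    session.clear()


def demo():
    """Login, then replay the captured cookie from another browser, with a
    garbled value, and after logout. Returns each check's result."""
    ua, ip = "Mozilla/5.0 (constructed)", "203.0.113.7"   # constructed request data
    session, cookies = login(42, ua, ip)
    results = {"legit": getuserlevelid(session, cookies, ua, ip),
               "legit_id": getuserlevelid(session, cookies, ua, ip, field="id")}
    captured = dict(cookies)                    # copy of the cookie as it went over the wire
    saved_session = dict(session)               # copy of the session variables at that moment
    # same cookie, different user agent: check 2 rejects it
    results["other_browser"] = getuserlevelid(session, captured, "Other/1.0", ip)
    # cookie value without the comma: check 3 rejects it
    results["malformed"] = getuserlevelid(session, {session["PTR"]: "garbage"}, ua, ip)
    logout(session, cookies, 42)
    # after logout the FakeID in usertb has changed, so the replay fails even with
    # the saved session variables and a matching UA/IP
    results["after_logout"] = getuserlevelid(saved_session, captured, ua, ip)
    return results


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible. The FakeID column is what turns logout into a server-side invalidation: once it is rotated, a copy of the cookie keeps failing no matter what else was saved, which is the "extra lock" the post describes. The user agent and IP checks, on the other hand, only compare values the client itself supplies, so treat them as the post does, as an additional hurdle rather than the main lock. When porting this back to PHP, the httponly and secure arguments of setcookie() keep the randomly named cookie away from page scripts and off plain HTTP, which is where a sniffer reads it in the first place.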