One thing which would prevent hijacks from simply guessing SIDS would be to add an md5 
hash to the end of a url.... 


If a page was:- doit.php?item=4&SID=237478

then append the url with the md5 of the url PLUS a secret key generated at the 
begining of each session:-
i.e. add MD5("doit.php?item=4&SID=237478"."R4WED4TTE3") results in the new url 


...then the browsed to page could easily verify if ANY details of the query string 
have been changed! This also pretects other info being changed such at in this example 

If a user changed the SID to anything else, even a perfectly valid active session it 
would result in the EXTRA key no longer being valid! and as they don't have access to 
the secret key they wouldn't be able to generate a new one! :) 

Obviously if someone copied the entire url including the extra bit then they would 
have access! but this solution does have the added benefit of preventing the valid 
owner of a valid session from changing other bits of the query string!


> -----Original Message-----
> From: Arcady Genkin [mailto:[EMAIL PROTECTED]]
> Sent: 04 July 2001 06:52
> Subject: Protecting from session hijacking
> Is there any real way to protect against possibility of session
> hijacking?  I thought of checking IP address on subsequent requests,
> but apparently this cannot be relied on because of HTTP proxies etc.
> Any wizdom on the matter?  (I'm already saving the session files in a
> directory protected from unwanted eyes.)
> -- 
> Arcady Genkin
> i=1; while 1, hilb(i); i=i+1; end

Reply via email to