Alberto Serra wrote: > Chris Shiflett wrote: > >> How do sessions help against this? Well, they don't solve the problem >> entirely, of course, but the unique ID you pass around won't be the >> same unique ID *every* time that user visits the site. So, you at >> least have a good chance of making the window of time that an >> imposter has to work with very small. > > > If you want to avoid even this small window, just store on a db file > the session numbers you give away, along with the IP address of the > user who got it. Then when you get a new request for that session > check the IP you are getting it from and you are 100% sure the guy is > who he says to be.
The 100% part is inaccurate. :) IPs can also be spoofed, but this is good advice, because it further complicates attacks. Anything you can do to make an attack more difficult is a good idea, but you can get to a point where the decrease in risk just isn't going to be worth the extra effort. So, while Mr. Serra's suggestion is a very good one, remember that any security model can be improved. As a caveat to Mr. Serra's suggestion, remember that there are *many* users who will go through an IP masquerading gateway or proxy, so their IP may fluctuate, even though they are actively browsing. For this reason, it is often necessary to tolerate some fluctuation in the IP address, perhaps only in the last octet though. Another thing some people use to strengthen their security model is to involve some sort of sequence number in the data that the client sends back. For example, instead of just a session ID, perhaps you have a cookie, URL variable, or whatever that is an encrypted (two-way so you can decrypt it) session ID, sequence number, and anything else you might think of to include. When you decrypt this at the beginning of each script, you make sure the sequence number is not less than the last sequence number sent (which you store on the server), that the timestamp is acceptable to you, and that the session ID in the encrypted string matches the session ID they are using. This presents a sort of race condition for a potential attacker where he/she must respond with the sequence number prior to the client's next request. This will make the window of opportunity as small as the client's time spent on a particular page. That's just another idea or two. You can probably improve on that with your own creativity; just don't get carried away. :) Happy hacking. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
