Re: [PHP] Session Theft
Aside from SSL (which I wouldn't even know where to begin at this point), is there not a way to determine what gets sent with the headers, or to block the referring address from another site?

B.

- Original Message -
From: "Haseeb Iqbal" <[EMAIL PROTECTED]>
To: "Beauford.2002" <[EMAIL PROTECTED]>
Sent: Saturday, March 29, 2003 10:04 PM
Subject: Re: [PHP] Session Theft

> The session is created such that a file is created (the file contains all the variables for that particular user) referenced by the session id.
> Now consider a situation where the user opens a link to an external site and that external site is recording all the links where the user is coming from. That is done by $_SERVER['HTTP_REFERER'] (in PHP). Now suppose the user did not close the session and the external website's author (suppose he is not a person with ethics) uses that referer address. And then what happens? HE IS IN another person's account. Now he can do anything the REAL user can do.
> Now you should have the idea how it can be stolen.
>
> Now for the security. You can conduct everything over SSL. This is what I got when I posted my message on this list.
> What I am doing is I am gathering every bit of information from the user and storing that information along with some extra things. This will minimize the risk but it won't completely remove the risk.
>
> I am still learning how to master this field. If you get any idea, lemme know.
>
> regards
> Haseeb

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
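Beauford asks whether anything can stop the referring address from carrying the session to another site. The Referer header sends the full URL of the page the user left, query string included, so the leak Haseeb describes only exists when the session id is in the URL (trans_sid or a manual ?PHPSESSID=... link). If the id travels only in a cookie, the external site's log contains the page address and nothing else. The following is an added example, not code from any poster on this thread; it assumes PHP 4.3.2 or later (for session_regenerate_id() and the session.use_only_cookies setting) and a hypothetical cookie name APPSESSID.

```php
<?php
// Added example (not from any poster on this thread): keep the session id
// out of URLs so an outbound link's Referer header cannot carry it.
// Assumes PHP >= 4.3.2 for session_regenerate_id() and session.use_only_cookies.

// Never accept a session id from the query string, only from the cookie,
// and never let PHP rewrite links to append the id (trans_sid).
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);

// Limit the cookie to this host and path; the last argument is the 'secure'
// flag, which makes the browser send the cookie only over HTTPS, so set it
// whenever the current request arrived over SSL.
$usingSsl = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $usingSsl);
session_name('APPSESSID');   // hypothetical cookie name, replace with your own
session_start();

// Call once after the password check succeeds.
function login_user($userId)
{
    // Issue a fresh id when the session gains privileges, so an id that was
    // observed (or handed to the user in a crafted link) before login is no
    // longer the one the account is tied to.
    session_regenerate_id();
    $_SESSION['user_id'] = $userId;
    $_SESSION['started'] = time();
}

// Returns the logged-in user id, or null for an anonymous session.
function current_user()
{
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}

// Clears the server-side data and expires the cookie in the browser.
function logout_user()
{
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 3600, '/');
    }
    session_destroy();
}
```

With these settings a session id that ends up in a link (pasted into e-mail, or recorded by another site's Referer log) is simply ignored by session_start(), so the only way to present a session is with the cookie, and the cookie is not part of what the Referer header carries.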
Re: [PHP] Session Theft
Can someone explain how this works, as I am in the process of doing a login/authentication page and want to make it as secure as possible.

B.

- Original Message -
From: "Haseeb Iqbal" <[EMAIL PROTECTED]>
To: "PHP General list" <[EMAIL PROTECTED]>
Sent: Friday, March 28, 2003 11:48 PM
Subject: [PHP] Session Theft

> I just want to figure out a way by which I can stop session theft. I thought if I can get something from the user end that is unique for that user, e.g. his/her IP. But it will not work when they are behind a firewall; they will be assigned the same IP. Is there a way for me to get the IP (e.g. 202.202.202.202, that's just an e.g.) plus computer IP (192.168.0.1 e.g.)? I saw once a Java chat server do this. If we can do this then it will help us (SOMEWHAT).
>
> If anyone has a better suggestion just let me know
> Haseeb
Re: [PHP] Session Theft
You can give the users the opportunity to turn the IP check on (a checkbox in the login form). There is also a header that is set by many proxies to the IP address of the client, but I don't remember its name (maybe (X-)Forwarded-For).

Haseeb Iqbal wrote:

> I just want to figure out a way by which I can stop session theft. I thought if I can get something from the user end that is unique for that user, e.g. his/her IP. But it will not work when they are behind a firewall; they will be assigned the same IP. Is there a way for me to get the IP (e.g. 202.202.202.202, that's just an e.g.) plus computer IP (192.168.0.1 e.g.)? I saw once a Java chat server do this. If we can do this then it will help us (SOMEWHAT).
>
> If anyone has a better suggestion just let me know
> Haseeb
Re: [PHP] Session Theft
> I just want to figure out a way by which I can stop session theft. I thought if I can get something from the user end that is unique for that user, e.g. his/her IP. But it will not work when they are behind a firewall; they will be assigned the same IP. Is there a way for me to get the IP (e.g. 202.202.202.202, that's just an e.g.) plus computer IP (192.168.0.1 e.g.)? I saw once a Java chat server do this. If we can do this then it will help us (SOMEWHAT).

Conduct your business over SSL. That's the only way; otherwise everything is sent in plain text and can be intercepted.

---John Holmes...
Re: [PHP] Session Theft
Check into forcing the use of trans_sid.

Jim

- Original Message -
From: "Haseeb Iqbal" <[EMAIL PROTECTED]>
To: "PHP General list" <[EMAIL PROTECTED]>
Sent: Friday, March 28, 2003 8:48 PM
Subject: [PHP] Session Theft

> I just want to figure out a way by which I can stop session theft. I thought if I can get something from the user end that is unique for that user, e.g. his/her IP. But it will not work when they are behind a firewall; they will be assigned the same IP. Is there a way for me to get the IP (e.g. 202.202.202.202, that's just an e.g.) plus computer IP (192.168.0.1 e.g.)? I saw once a Java chat server do this. If we can do this then it will help us (SOMEWHAT).
>
> If anyone has a better suggestion just let me know
> Haseeb
Re: [PHP] Session Theft
> I just want to figure out a way by which I can stop session theft. I thought if I can get something from the user end that is unique for that user, e.g. his/her IP. But it will not work when they are behind a firewall; they will be assigned the same IP. Is there a way for me to get the IP (e.g. 202.202.202.202, that's just an e.g.) plus computer IP (192.168.0.1 e.g.)? I saw once a Java chat server do this. If we can do this then it will help us (SOMEWHAT).

You could store the HTTP_USER_AGENT in the session when it starts. Then compare the browser being used against this stored value on subsequent pages. HTTP_USER_AGENT won't always be unique and it's not foolproof, but it is a little extra security with minimal effort.

Larry
RE: [PHP] Session Theft
Hi Haseeb,

> if I can get something from the user end that is unique for that user, e.g. his/her IP.

Firstly, an IP address can be shared between multiple users, or it can change constantly for one user. Here's what a page request from an AOL user looks like (I've snipped the request paths, but left the timestamps and IPs untouched):

205.188.209.165 - - [14/Jan/2003:13:01:36 +]
205.188.209.9 - - [14/Jan/2003:13:01:37 +]
205.188.208.38 - - [14/Jan/2003:13:01:37 +]
205.188.208.134 - - [14/Jan/2003:13:01:38 +]
205.188.209.77 - - [14/Jan/2003:13:01:38 +]
205.188.208.136 - - [14/Jan/2003:13:01:39 +]
205.188.209.48 - - [14/Jan/2003:13:01:40 +]
205.188.208.169 - - [14/Jan/2003:13:01:40 +]
205.188.209.72 - - [14/Jan/2003:13:01:41 +]
[...]

Notice how the IP changes - they requested the page from 205.188.209.165, and then got each of the images from a separate IP.

> but it will not work when they are behind a firewall; they will be assigned the same IP. Is there a way for me to get the IP (e.g. 202.202.202.202, that's just an e.g.) plus computer IP (192.168.0.1 e.g.)? I saw once a Java chat server do this.

Instead of just checking the REMOTE_ADDR, try this:

Cheers
Jon
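The snippet Jon refers to is not present in this copy of the archive. What follows is an added example, not code from Jon, Larry or any other poster, that combines three points made in the thread: Larry's idea of storing HTTP_USER_AGENT in the session and comparing it on every page, the earlier suggestion of letting the user opt in to an IP check with a checkbox on the login form, and Jon's AOL log, which is why the IP part must stay optional rather than mandatory. It assumes PHP 4.3.2 or later for session_regenerate_id(), a hypothetical 'lock_ip' checkbox on the login form, and a hypothetical login.php to redirect to.

```php
<?php
// Added example, not code from any poster on this thread.
// Ties a session to the client's User-Agent (Larry's suggestion) and, only
// when the user ticked the hypothetical 'lock_ip' checkbox at login, to
// REMOTE_ADDR as well. The IP part stays optional because, as the AOL log
// above shows, one user's address can change on every request.

// Builds the value a request must reproduce to be accepted for this session.
function client_fingerprint($lockIp)
{
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $parts = array($ua);
    if ($lockIp) {
        $parts[] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    }
    // The session store is server side, so the hash is only a compact form
    // of the values being compared; it adds no secrecy of its own.
    return sha1(implode("\n", $parts));
}

// Call once after your own password check succeeds. $lockIp is true when
// the user opted in to the IP check on the login form.
function bind_session_to_client($userId, $lockIp)
{
    session_regenerate_id();              // fresh id at login; the old one is dropped
    $_SESSION['user_id']   = $userId;
    $_SESSION['lock_ip']   = (bool) $lockIp;
    $_SESSION['client_fp'] = client_fingerprint($lockIp);
}

// Call at the top of every protected page. Returns the user id, or false
// after clearing a session whose fingerprint no longer matches.
function authenticated_user()
{
    if (!isset($_SESSION['user_id']) || !isset($_SESSION['client_fp'])) {
        return false;
    }
    $lockIp = !empty($_SESSION['lock_ip']);
    if ($_SESSION['client_fp'] !== client_fingerprint($lockIp)) {
        // A different browser (or, when locked, a different address) is
        // presenting this session id. Discard the session instead of serving it.
        $_SESSION = array();
        session_destroy();
        return false;
    }
    return $_SESSION['user_id'];
}

// On the login page, after your own password check has produced $userId:
//     session_start();
//     bind_session_to_client($userId, !empty($_POST['lock_ip']));

// On every protected page:
session_start();
$uid = authenticated_user();
if ($uid === false) {
    header('Location: login.php');        // hypothetical login page
    exit;
}
```

As Larry notes, the User-Agent check is not foolproof: it is sent by the client and is identical across many installations of the same browser, so it raises the bar only slightly. Making the IP check opt-in lets users on a fixed address get the stronger binding while users whose address changes mid-session (the AOL case) are not logged out on every request.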