Re: [PHP-DEV] session security
Keyser Soze [EMAIL PROTECTED] wrote:

> There's also something I'm using in my session scripts. I compare the browser referer with all the possible pages it must have come from in each script; this way the user MUST start from the login page, and cannot simply type the URL with the session id. I only tested it with Internet Explorer 5 and Mozilla (don't remember the version now), it worked fine.

This is an insecure method, as HTTP_REFERER is being sent by the browser. One can simply create a socket connection, inputting that variable into the HTTP request headers.

--
Maxim Maletsky [EMAIL PROTECTED]

> []'s
> Keyser Soze
>
> ----- Original Message -----
> From: Sascha Schumann [EMAIL PROTECTED]
> To: Hans Prins [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Tuesday, February 11, 2003 2:08 AM
> Subject: Re: [PHP-DEV] session security
>
> > > Can anyone point me to a possible solution for this?
> >
> > 1. Use SSL.
> > 2. Throw away an existing session id, if a user authenticated successfully (e.g. destroy the old session, and copy the data into a new one).
> > 3. Provide a logout button which destroys the session.
> >
> > - Sascha

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
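An added illustration of Maxim's point (this is not code from the thread or from PHP itself; it assumes PHP 7 or later, and the host name, paths and session id are invented): the kind of referer check Keyser Soze describes, next to a raw HTTP request that a client can send to satisfy it without ever having loaded the login page. The same function also shows why Sascha's later remark about proxies matters: when a proxy strips the header, the check rejects a legitimate user.

```php
<?php
// Added example, not from the thread. Host, paths and session id are
// invented for illustration.

// --- Server side: the check Keyser Soze describes ---
// Returns true only if the request claims to come from one of the
// pages that are allowed to link here.
function referer_allowed(array $server, array $allowed_pages): bool
{
    // HTTP_REFERER is absent if the browser or a proxy strips it, so
    // legitimate users are rejected; and it is a plain request header,
    // so a client can put whatever it wants there.
    if (!isset($server['HTTP_REFERER'])) {
        return false;
    }
    $path = parse_url($server['HTTP_REFERER'], PHP_URL_PATH);
    return in_array($path, $allowed_pages, true);
}

// --- Client side: a request that passes the check ---
// Builds the raw HTTP request by hand, exactly what "create a socket
// connection" means: every header, Referer included, is attacker-chosen.
function build_forged_request(string $host, string $path, string $session_id, string $fake_referer): string
{
    return "GET $path HTTP/1.0\r\n"
         . "Host: $host\r\n"
         . "Cookie: PHPSESSID=$session_id\r\n"
         . "Referer: $fake_referer\r\n"
         . "Connection: close\r\n"
         . "\r\n";
}

// Sends the raw request over a plain TCP socket and returns the response.
function send_raw(string $host, int $port, string $request): string
{
    $fp = fsockopen($host, $port, $errno, $errstr, 5);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    fwrite($fp, $request);
    $response = stream_get_contents($fp);
    fclose($fp);
    return $response;
}

// Constructed values: the hijacked id from Hans's post and a login page
// the client never actually visited.
$request = build_forged_request(
    'www.mydomain.com',
    '/myscript.php',
    '141502d33b8467NNgffhFGHGfh36c',
    'http://www.mydomain.com/login.php'
);

// Reconstruct $_SERVER['HTTP_REFERER'] the way the server would see it
// from the forged request, and run the check on it locally.
$server = [];
foreach (explode("\r\n", $request) as $line) {
    if (stripos($line, 'Referer:') === 0) {
        $server['HTTP_REFERER'] = trim(substr($line, strlen('Referer:')));
    }
}
var_dump(referer_allowed($server, ['/login.php', '/index.php']));

// To actually deliver it to a server:
// echo send_raw('www.mydomain.com', 80, $request);
```

The local check passes for the forged request, since the only thing it inspects is a header the client wrote. Removing the Referer line from build_forged_request() reproduces what a stripping proxy does, and the check then fails for a user who really did come from the login page.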
Re: [PHP-DEV] session security
There's also something I'm using in my session scripts. I compare the browser referer with all the possible pages it must have come from in each script; this way the user MUST start from the login page, and cannot simply type the URL with the session id. I only tested it with Internet Explorer 5 and Mozilla (don't remember the version now), it worked fine.

[]'s
Keyser Soze

----- Original Message -----
From: Sascha Schumann [EMAIL PROTECTED]
To: Hans Prins [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, February 11, 2003 2:08 AM
Subject: Re: [PHP-DEV] session security

> > Can anyone point me to a possible solution for this?
>
> 1. Use SSL.
> 2. Throw away an existing session id, if a user authenticated successfully (e.g. destroy the old session, and copy the data into a new one).
> 3. Provide a logout button which destroys the session.
>
> - Sascha
Re: [PHP-DEV] session security
Thx guys, I'll play around with it some more and see if I can secure it some more :)

Hans Prins

Keyser Soze [EMAIL PROTECTED] wrote in message news:009201c2d1cd$ec7cd4e0$81aed2c8@keysersoze...

> There's also something I'm using in my session scripts. I compare the browser referer with all the possible pages it must have come from in each script; this way the user MUST start from the login page, and cannot simply type the URL with the session id. I only tested it with Internet Explorer 5 and Mozilla (don't remember the version now), it worked fine.
>
> []'s
> Keyser Soze
>
> ----- Original Message -----
> From: Sascha Schumann [EMAIL PROTECTED]
> To: Hans Prins [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Tuesday, February 11, 2003 2:08 AM
> Subject: Re: [PHP-DEV] session security
>
> > > Can anyone point me to a possible solution for this?
> >
> > 1. Use SSL.
> > 2. Throw away an existing session id, if a user authenticated successfully (e.g. destroy the old session, and copy the data into a new one).
> > 3. Provide a logout button which destroys the session.
> >
> > - Sascha
Re: [PHP-DEV] session security
On Tue, 11 Feb 2003, Hans Prins wrote:

> Thx guys, I'll play around with it some more and see if I can secure it some more :)

Keep in mind that many proxies remove the referrer information.

- Sascha
[PHP-DEV] session security
I'm currently trying to secure a PHP program where I authenticate a user against an md5 string stored in a MySQL database. My problem is that since this program consists of more than one page, I am using a session and I register the md5 string and username as session variables. As I heard that session information can be quite easily sniffed by proxies, I started to think about how to secure this info or prevent someone from abusing it.

I input the following code:

    // dump every request header the server received
    $headers = getallheaders();
    foreach ($headers as $name => $content) {
        echo "headers[$name] = $content<br>\n";
    }

and I saw something like this:

    headers[Cookie] = PHPSESSID=141502d33b8467NNgffhFGHGfh36c

which I then appended to the URL of my program like so:

    http://www.mydomain.com/myscript.php?PHPSESSID=141502d33b8467NNgffhFGHGfh36c

I closed all browser windows and tried that URL (leading me to think that that session id should have expired). But it gave me full access to all pages clicked from myscript.php. So I looked at session.cache_expire, which was set to 180. Which means that it will expire in 180 seconds? Anyway, the next day I tried again with the same PHPSESSID appended to the URL and it gave full access.

Can anyone point me to a possible solution for this?

Thank you,
Hans Prins [EMAIL PROTECTED]
Re: [PHP-DEV] session security
> Can anyone point me to a possible solution for this?

1. Use SSL.
2. Throw away an existing session id, if a user authenticated successfully (e.g. destroy the old session, and copy the data into a new one).
3. Provide a logout button which destroys the session.

- Sascha
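An added example (not code from the thread, and not PHP's own) that implements Sascha's three points and also addresses what Hans observed in the original post. Two facts behind that observation: session.cache_expire is in minutes and only sets the cache-control headers sent to the browser, it does not bound how long the session data lives on the server (that is session.gc_maxlifetime, in seconds); and the id pasted into the URL was honoured because PHP accepted PHPSESSID from the query string, which session.use_only_cookies turns off. The example assumes PHP 7.1 or later (session_regenerate_id(true), password_hash and scalar type declarations); the $users array, the session keys and the redirect target are invented.

```php
<?php
// Added example, not from the thread. Session key names, the $users
// credential store and the redirect path are invented for illustration.

// --- Configuration, before session_start() ---
// session.cache_expire (what Hans looked at) only affects client-side
// cache headers; the settings below are the ones that matter here.
function configure_session(int $idle_seconds = 1800): void
{
    ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in URLs
    ini_set('session.use_trans_sid', '0');      // never rewrite ids into links
    ini_set('session.cookie_httponly', '1');    // cookie not readable from script
    ini_set('session.cookie_secure', '1');      // point 1: cookie sent only over SSL/TLS
    ini_set('session.cookie_lifetime', '0');    // dropped when the browser closes
    ini_set('session.gc_maxlifetime', (string) $idle_seconds); // server-side expiry
    session_start();
}

// --- Point 2: throw away the pre-login id on successful authentication ---
// Whatever id the client carried before login (observed, planted, or
// pasted into a URL) stops working; the data moves to a fresh id.
function login(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // true = delete the old session file as well, so the old id is dead.
    session_regenerate_id(true);
    $_SESSION = [
        'user'       => $username,
        'login_time' => time(),
        'last_seen'  => time(),
    ];
    return true;
}

// Call at the top of every protected page. Enforces an idle timeout
// explicitly, since garbage collection only runs probabilistically.
function require_login(int $idle_seconds = 1800): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $idle_seconds) {
        logout();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// --- Point 3: a logout that really destroys the session ---
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie in the browser as well, not only the server file.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage: constructed credential store (a salted password hash rather than
// the bare md5 string mentioned in the original post).
configure_session();
$users = ['hans' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    if (login($_POST['user'], $_POST['pass'], $users)) {
        header('Location: /myscript.php');
        exit;
    }
}
```

With this in place, Hans's test of pasting the cookie value into the URL no longer works at all, a stolen pre-login id is useless once the victim logs in, and the logout button leaves nothing behind on either side. Replaying a cookie that was captured after login and within the idle window still succeeds, which is exactly why point 1 (SSL, with session.cookie_secure set) is listed first.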