Re: [PHP] Re: Proposal for securing PHP sessions
Ooooh, it's a lesson every day! Right, back to the drawing board :( Justin French [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... on 08/09/02 5:04 AM, M1tch ([EMAIL PROTECTED]) wrote: Why not just use IP? I created a nice system, whereby if your IP is changed (or someone is hacking your session), the session is destroyed, and the user must log in. Does not add much overhead either. large ISPs like AOL use variable IPs (your IP could change from page to page)... that's a pretty good reason to start with. if people get disconnected, they too are likely to have a new IP on most dial-up ISPs. Justin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Proposal for securing PHP sessions
Just out of curiosity, do you know if any part (e.g. x1.x2.x3.x4) of the IP remains static when AOL changes it? Even if it's only the first part, that's better than nothing. I'm having a headache now, because I'm already behind schedule, and this has just thrown a spanner in the works :( (but still thanks for bringing it up now, rather than at production time!) Justin French [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... on 08/09/02 5:04 AM, M1tch ([EMAIL PROTECTED]) wrote: Why not just use IP? I created a nice system, whereby if your IP is changed (or someone is hacking your session), the session is destroyed, and the user must log in. Does not add much overhead either. large ISPs like AOL use variable IPs (your IP could change from page to page)... that's a pretty good reason to start with. if people get disconnected, they too are likely to have a new IP on most dial-up ISPs. Justin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Proposal for securing PHP sessions
Nope, have no idea... I've just allways been told (and adhered to) the rule that you don't trust anything client side, which would include IP address'. Even if you could get it working for AOL, what about some other ISP located in Australia, South Africa, or anywhere else on the planet that you've never heard of? Don't trust IPs. AOL was just an example. Justin on 08/09/02 8:50 PM, M1tch ([EMAIL PROTECTED]) wrote: Just out of curiosity, do you know if any part (e.g. x1.x2.x3.x4) of the IP remains static when AOL changes it? Even if it's only the first part, that's better than nothing. I'm having a headache now, because I'm already behind schedule, and this has just thrown a spanner in the works :( (but still thanks for bringing it up now, rather than at production time!) Justin French [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... on 08/09/02 5:04 AM, M1tch ([EMAIL PROTECTED]) wrote: Why not just use IP? I created a nice system, whereby if your IP is changed (or someone is hacking your session), the session is destroyed, and the user must log in. Does not add much overhead either. large ISPs like AOL use variable IPs (your IP could change from page to page)... that's a pretty good reason to start with. if people get disconnected, they too are likely to have a new IP on most dial-up ISPs. Justin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: Proposal for securing PHP sessions
You're going to be shutting out a lot of AOL users (bah! who needs em! ;p) if you do that, as AOL changes a user's IP address about as often as you read the word the... Dave -Original Message- From: M1tch [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 07, 2002 12:05 PM To: [EMAIL PROTECTED] Subject: [PHP] Re: Proposal for securing PHP sessions Why not just use IP? I created a nice system, whereby if your IP is changed (or someone is hacking your session), the session is destroyed, and the user must log in. Does not add much overhead either. Also, I built it using database (using my own session functions in savehandler), that stores the ip as well. This prevents people snooping. Still not 100% secure I imagine, but much better. Andy Mar Tin [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Dear all: Until I read the article PHP Session security (http://www.webkreator.com/php/configuration/php-session-security.html) I haven't noticed how insecure PHP Sessions are. Basically there're 2 problems: *) It's possible to hijack a session if you know the SID (session id) 1) If you're on a shared server (cheap webhosting) other users can get the SIDs by doing ls /tmp/sess_* (/tmp/ is defined on session.save_path on the config file, so it may be different). 2) When a user clicks on an external link, the browser sends the REFERER url and sometimes it contains the SID (if session.use_trans_sid is enabled) PHP offers a security measure: with session.referer_check it will reject SIDs comming from other referers, but the referer url can be easily forged. *) Users can read session data from the session files, which are owned by the server process (every user which has an account on the webserver can read server owned files) (If you're intrested in the subject I would recommend to read full the article: http://www.webkreator.com/php/configuration/php-session-security.html) I have developed some functions to avoid this problems. They replace the standard session functions (using session_set_save_handler), so you only have to include the file at the beggining of your script and (afaik) you're safe :) This is the idea: Apart from the session cookie, I set another one (with the same name and the string '_sec' appended). On this cookie I set a random KEY. The name of the file which contains the session data is the md5 hash of the SID and the KEY together. This turns impossible to guess the session id by looking at the filenames. To hide the data inside the file, the serialized string is crypted using the KEY as password, so nobody can see the content of your user's sessions. You can find the code here: http://www.n3rds.com.ar/files/docs/php_sessions/sess_handler.txt Im looking for suggestions to make it 100% compatible with the standard session functions, and I would like to hear some thougts about the idea Martin Sarsale [EMAIL PROTECTED] __ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes http://finance.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Proposal for securing PHP sessions
You could use a SUB NET (o; to block a group of users ie 202.*.*.* would kill most of New Zealand and Oz - Original Message - From: Dave at Sinewaves.net [EMAIL PROTECTED] To: PHPlist [EMAIL PROTECTED]; M1tch [EMAIL PROTECTED] Sent: Sunday, September 08, 2002 8:34 AM Subject: RE: [PHP] Re: Proposal for securing PHP sessions You're going to be shutting out a lot of AOL users (bah! who needs em! ;p) if you do that, as AOL changes a user's IP address about as often as you read the word the... Dave -Original Message- From: M1tch [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 07, 2002 12:05 PM To: [EMAIL PROTECTED] Subject: [PHP] Re: Proposal for securing PHP sessions Why not just use IP? I created a nice system, whereby if your IP is changed (or someone is hacking your session), the session is destroyed, and the user must log in. Does not add much overhead either. Also, I built it using database (using my own session functions in savehandler), that stores the ip as well. This prevents people snooping. Still not 100% secure I imagine, but much better. Andy Mar Tin [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Dear all: Until I read the article PHP Session security (http://www.webkreator.com/php/configuration/php-session-security.html) I haven't noticed how insecure PHP Sessions are. Basically there're 2 problems: *) It's possible to hijack a session if you know the SID (session id) 1) If you're on a shared server (cheap webhosting) other users can get the SIDs by doing ls /tmp/sess_* (/tmp/ is defined on session.save_path on the config file, so it may be different). 2) When a user clicks on an external link, the browser sends the REFERER url and sometimes it contains the SID (if session.use_trans_sid is enabled) PHP offers a security measure: with session.referer_check it will reject SIDs comming from other referers, but the referer url can be easily forged. *) Users can read session data from the session files, which are owned by the server process (every user which has an account on the webserver can read server owned files) (If you're intrested in the subject I would recommend to read full the article: http://www.webkreator.com/php/configuration/php-session-security.html) I have developed some functions to avoid this problems. They replace the standard session functions (using session_set_save_handler), so you only have to include the file at the beggining of your script and (afaik) you're safe :) This is the idea: Apart from the session cookie, I set another one (with the same name and the string '_sec' appended). On this cookie I set a random KEY. The name of the file which contains the session data is the md5 hash of the SID and the KEY together. This turns impossible to guess the session id by looking at the filenames. To hide the data inside the file, the serialized string is crypted using the KEY as password, so nobody can see the content of your user's sessions. You can find the code here: http://www.n3rds.com.ar/files/docs/php_sessions/sess_handler.txt Im looking for suggestions to make it 100% compatible with the standard session functions, and I would like to hear some thougts about the idea Martin Sarsale [EMAIL PROTECTED] __ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes http://finance.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Proposal for securing PHP sessions
Does it change the IP address while the user is connected? I didn't think that was possible... I only use sessions to store username/password and other limited variables, it's only if they log off and back in again that's they have to log out, and separate cookies automatically handle the login there- so it's pretty seamless. Anyone know about server farms? I vaguely remember reading that you should only use the first three portions of an IP address (e.g. 123.12.123) to be sufficient for a server farm. Dave At Sinewaves.Net [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... You're going to be shutting out a lot of AOL users (bah! who needs em! ;p) if you do that, as AOL changes a user's IP address about as often as you read the word the... Dave -Original Message- From: M1tch [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 07, 2002 12:05 PM To: [EMAIL PROTECTED] Subject: [PHP] Re: Proposal for securing PHP sessions Why not just use IP? I created a nice system, whereby if your IP is changed (or someone is hacking your session), the session is destroyed, and the user must log in. Does not add much overhead either. Also, I built it using database (using my own session functions in savehandler), that stores the ip as well. This prevents people snooping. Still not 100% secure I imagine, but much better. Andy Mar Tin [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Dear all: Until I read the article PHP Session security (http://www.webkreator.com/php/configuration/php-session-security.html) I haven't noticed how insecure PHP Sessions are. Basically there're 2 problems: *) It's possible to hijack a session if you know the SID (session id) 1) If you're on a shared server (cheap webhosting) other users can get the SIDs by doing ls /tmp/sess_* (/tmp/ is defined on session.save_path on the config file, so it may be different). 2) When a user clicks on an external link, the browser sends the REFERER url and sometimes it contains the SID (if session.use_trans_sid is enabled) PHP offers a security measure: with session.referer_check it will reject SIDs comming from other referers, but the referer url can be easily forged. *) Users can read session data from the session files, which are owned by the server process (every user which has an account on the webserver can read server owned files) (If you're intrested in the subject I would recommend to read full the article: http://www.webkreator.com/php/configuration/php-session-security.html) I have developed some functions to avoid this problems. They replace the standard session functions (using session_set_save_handler), so you only have to include the file at the beggining of your script and (afaik) you're safe :) This is the idea: Apart from the session cookie, I set another one (with the same name and the string '_sec' appended). On this cookie I set a random KEY. The name of the file which contains the session data is the md5 hash of the SID and the KEY together. This turns impossible to guess the session id by looking at the filenames. To hide the data inside the file, the serialized string is crypted using the KEY as password, so nobody can see the content of your user's sessions. You can find the code here: http://www.n3rds.com.ar/files/docs/php_sessions/sess_handler.txt Im looking for suggestions to make it 100% compatible with the standard session functions, and I would like to hear some thougts about the idea Martin Sarsale [EMAIL PROTECTED] __ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes http://finance.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Proposal for securing PHP sessions
on 08/09/02 5:04 AM, M1tch ([EMAIL PROTECTED]) wrote: Why not just use IP? I created a nice system, whereby if your IP is changed (or someone is hacking your session), the session is destroyed, and the user must log in. Does not add much overhead either. large ISPs like AOL use variable IPs (your IP could change from page to page)... that's a pretty good reason to start with. if people get disconnected, they too are likely to have a new IP on most dial-up ISPs. Justin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
