What's $.02 to you is worth $2M to me. Thanks. I hear you say the https will probably give me the protection I need. I'm planning to use that in production. I'll also use $REMOTE_ADDR with this test.
On Wed, 2003-02-19 at 13:13, Micah J. Cowan wrote: > On Wed, Feb 19, 2003 at 12:12:27PM -0500, Alan H. Lake wrote: > > I'm creating a PHP program that I'd like to protect against an attempt > > to "hijack" a session. I want to insure that the IP address of the > > machine using the session is the same as that which started the > > session. The approach that I'm using is that, if the session's IP is > > not stored in the session file, I'll store it. If it is, I check to see > > whether it matches the current IP. If the two don't match, I think I've > > been hijacked. > > Well, since this method only protects someone from attackers with other > world-visible IP addresses, leaving no protection from attackers who > might be behind the same proxy, or attackers who have access to a > router between your server and the user--and since there are easier > methods--I wouldn't really have bothered with this, but... > > > > > The problem is that I'm getting a false alarm because the 4th node of > > the current IP doesn't always match that of the IP that started the > > session. The other three nodes do match. > > > > Here are my questions. Do I have adequate protection if I check just > > the first three nodes? Is there a better way to detect such an attempt? > > I can't figure out how this could be: is a proxy choosing between a > group of IPs at whim for masquerades? I can't think of why this would be... > > But to answer your question: no. It leaves the victim susceptible to > attack by up to 254 other users. Still better than *everybody*, but > it's still just limited protection. > > > The PHP code that I am using to get the IP addresses is this: > > if (getenv(HTTP_X_FORWARDED_FOR)) > > $ipaddr = getenv(HTTP_X_FORWARDED_FOR); > > else > > $ipaddr = $REMOTE_ADDR; > > You should just use $REMOTE_ADDR. In this case, you *do* want the IP > of the ISP's proxy server, since that's the only IP address that you are > actually in contact with. This still leaves the user open to attack > from others on the same ISP.... But I'll bet that's why you're getting > different IPs for the same session: Maybe the ISP is setting > X-Forwarded-For: for some requests and not others; or maybe it is > setting them erroneously. Either way, you will get different results > each time. But (I'm pretty sure) you can't get different IPs for > $REMOTE_ADDR if you're being accessed by the same machine for a > session. > > As I've pointed out a couple times, there are still, in pretty much > all cases, groups of users who can "hijack" the session, if you are > vulnerable to such attacks. A better idea is just to use a fairly > random selection process for the session id, with enough bits that one > couldn't hijack the session without knowing the id. As to those who > are along the route such that they *can* see the id, blocking by IP > only affords limited protection, since IP-spoofing is a possibility in > that case. > > In most cases, it's simply not worth worrying about people who can spy > "on-route", since that is usually only a theoretical vulnerability > (i.e., few crackers actually practice this, or are in a position > to). In those cases where extreme security must be exercised, you can > use HTTPS, or a challenge-response-style authentication for every HTTP > request. > > HTH; just my $0.02, > Micah > _______________________________________________ > vox-tech mailing list > [EMAIL PROTECTED] > http://lists.lugod.org/mailman/listinfo/vox-tech ________________________________________________________________________ Alan H. Lake Lake Information Works 6999 Dolan Road Glouster, OH 45732-9003 Phone: 888-806-4201 Fax: 309-279-8695 Cell: 916-276-0913 Email: [EMAIL PROTECTED] Site: www.lakeinfoworks.com _______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech
