Session Capture Prevention

Question

Session Capture Prevention

How do you prevent multiple clients from using the same session identifier? I ask about this because I want to add an extra layer of security to prevent session hijacking on my website. If a hacker somehow identifies a different user session identifier and makes requests with this SID, how can I find that different clients use the same SID on the server and then reject the capture attempt?

EDIT

I accepted Gumbo's answer after careful consideration, because I came to the realization that what I ask is not possible due to the limitations of the HTTP protocol without state. I forgot about what is perhaps the most fundamental principle of HTTP, and now when I think about this question it seems a little trivial.

Let me clarify what I mean:

After user A logs on to example.com, he will be given a random session identifier, for simplicity, let it be "abc123". This session identifier is stored as a cookie on the client side and verified through a server-side session to ensure that the user who is logged in remains logged in when switching from one web page to another. Of course, this cookie should not exist if HTTP was not stateless. For this reason, if user B steals user SID and creates a cookie with the value "abc123" on his computer, he successfully hijacked the session of user A, but the server simply cannot legitimately recognize that user B is different from User A's requests, and therefore the server has no reason to reject the request. Even if we must list the sessions that were already active on the server and try to find out if someone has access to an already active session, how can we determine that this is another user who is accessing the session illegally, and not the same a user who is already logged in with a session identifier, but is simply trying to make another request with it (i.e. go to another web page). We can not. Checking user agent? It can be faked, but nonetheless as good as protection in depth. IP address? It can change for legitimate reasons - but instead of not checking the IP address at all, I suggest checking something like the first two octets of IP, since even a user on the network with data that constantly changes IP for legitimate reasons will usually have only the last two octets of the IP address change.

In conclusion, stateless HTTP status condemns us for never being able to completely protect our sites from session hijacking, but good methods (like those provided by Gumbo) will be good enough to prevent the vast majority of session attacks. Attempting to protect sessions from hijacking, refusing several requests of the same SID, so it’s just ridiculous and will defeat the whole purpose of the sessions.

+60

security php session

hesson Sep 02

source share

9 answers

Can we do something like this.

Save the session ID to the database. Also save the IP address and HTTP_USER_AGENT for this session identifier. Now, when the request comes to the server containing the corresponding session identifier, check which agent and ip it comes from from your script.

You can make this work by making a general function or class for the session so that every request is checked before it is processed. This is unlikely to take a few seconds. But, if many users visit your site, and you have a huge database of sessions, then this can be a small performance problem. But, of course, this would be very safe compared to other methods, such as => Using regenerative sessions.

When recovering session identifiers, there is again little chance of session hijacking.

Suppose that the user session identifier is copied and this user does not work or does not work for some time, and the old session identifier is not requested on the server, which requires the regeneration of a new one. Then, if the session identifier is captured, the hacker will use this session identifier and make a request to the server with this identifier, then the server will respond with the regenerated session identifier and so that the hacker can continue to use the services. The actual user will no longer be able to work because he is not aware of what the regenerated identifier is and what identifier of the request session should be transmitted upon request. Completely gone.

Please correct me if I am mistaken somewhere.

+4

kanchan Jun 17 '14 at 14:13

source share

There are many standard protections against session hijacking. One of them is to map each session to one IP address.

Other schemes may use HMAC generated from:

IP client network address
user agent header sent by client
SID
secret key stored on the server

The reason that only the network IP address is used is that the user is behind a public proxy, in which case their IP address may change with each request, but the network address remains the same.

Of course, to really be secure, you really have to force SSL for all requests so that the SID cannot be intercepted by potential attackers in the first place. But not all sites do this (:: cough :: Stack Overflow :: cough: :).

+2

Lèse majesté 02 Sep

source share

In my opinion, you can store the session identifier in the database when users log in and check everyone for the same thing until they log in. Delete the same session identifier that you saved in the database when users logged out. You can easily find the session id for each user, or I can help you.

+1

Sk MiRaj Sep 02

source share

One of the simple implementations can be done by creating a table in the database as registered users, and then upon logging in, updating this table with the username and SID, this will prevent the use of other logins as the same user, exit from the system, just run a simple query that deletes the registered data in the database, it can also be used to track login to the user's site on the website at the same time.

+1

Ratan Kumar Sep 02

source share

Obviously, when you set the session cookie in the browser, this cookie is sent in the request. Now, when the request arrives, the server will verify the session identifier in the database and provide access. To prevent only the agent and ip from saving it, so that before checking the server, make sure that access to the sessions is provided to a unique client, and not to a unique session identifier that can be captured.

+1

kanchan Jun 18 '14 at 7:44

source share

I know well about the coding part. Therefore, I can say that this is an algorithm. Setting up files such as SSL, or setting up a session cookie for protection, and httpOnly does not work if the user sniffs the session identifier from the local network (if the user and the attacker are on the same local network).

So, what can you do when the user successfully logs into the application, set a unique token on each page of the web application and save it on the server side. Thus, if a valid user sends a request to access a specific page, the token of that page will also be sent to the server. Since the tokens are unique to the user for a specific session, even if an attacker can obtain a session identifier, he cannot capture a user session because he cannot provide a valid token for the server.

0

Anandu M Das Oct. 16 '14 at 13:26

source share

@Anandu M Das:

I believe that you can reference the use of session tokens with each session identifier. This site may explain the use of tokens with sessions:

https://blog.whitehatsec.com/tag/session-token/

Although session tokens are easily compromised by an XSS attack, this does not mean that they should never be used. I want to say that if something was compromised by a security vulnerability on the server, this is not a method error, it is a mistake of the programmer who introduced this vulnerability (to highlight the points made by Hesson and Rook).

If you adhere to the appropriate security conventions and practices and protect your site from SQL injection, XSS, and require all sessions to be managed via HTTPS, you can easily manage a potential attack from CSRF using server-side tokens stored in the session and updated every time the user invokes manipulations with their session (for example, $ _POST sent). Also, NEVER store sessions or their contents in a URL, no matter how well you think they are encoded.

When the security of your users is paramount (which should be), using session tokens will provide better or enhanced functionality without compromising the security of the session.

0

user253780 Sep 26 '15 at 22:42

source share

Session hijacking is a serious threat that needs to be addressed using the secure socket layer for an advanced application that includes transactions, or using simple methods such as using cookies, session timeouts and identifier regeneration, etc. As described above.
When the Internet arrived, HTTP communications were designed to be stateless; that is, the connection between the two objects exists only for the short period of time necessary to send the request to the server, and the received response is sent back to the client. Here are a few methods that hackers use to break into a session.

Network eavesdropping
Involuntary exposure
Forwarding, Proxies, and Phishing
Reverse Proxies

Always recommend SSL Secure Sockets Layer
Use cookies also to follow the ini_set () directives at the beginning of your scripts to override any global settings in php.ini:

 ini_set( 'session.use_only_cookies', TRUE ); ini_set( 'session.use_trans_sid', FALSE );

Use session timeouts and session regeneration identifier

 <?php // regenerate session on successful login if ( !empty( $_POST['password'] ) && $_POST['password'] === $password ) { // if authenticated, generate a new random session ID session_regenerate_id(); // set session to authenticated $_SESSION['auth'] = TRUE; // redirect to make the new session ID live header( 'Location: ' . $_SERVER['SCRIPT_NAME'] ); } // take some action ?>

0

Manjeet Kumar Nai Apr 17 '19 at 21:53 on

source share

Gumbo · Accepted Answer · 2012-09-02 08:45

Unfortunately, there is no effective way to accurately identify a request coming from an attacker, as opposed to a genuine request. Since most of the properties that control the measurements, such as the characteristics of the IP address or user agent, are either unreliable (the IP address can change among several requests), or they can be easily faked (for example, the User-Agent request header) and, therefore, can produce undesirable false positives (i.e., genuine user IP address) or false negatives (i.e., an attacker was able to successfully request a request with the same User-Agent).

This is why the best way to prevent session hijacking is to make sure that the attacker cannot find out another user session id. This means that you must develop the application and its session management so that (1) the attacker cannot guess the actual session identifier using sufficient entropy, and (2) that there is no other way for the attacker to get the actual session identifier using known attacks / vulterabilities such as sniffing network communications, crossite scripting, leaking through referer, etc.

However, you must:

use random enough input to generate a session id (see session.entropy_file , session.entropy_length and session.hash_function )
use HTTPS to protect the session identifier during transmission.
save the session id in the cookie and not in the url to avoid leakage though referer (see session.use_only_cookies )
set a cookie with the HttpOnly and Secure attributes to prohibit access via JavaScript (in the case of XSS vulnerabilities) and to prohibit transmission over an insecure channel (see session.cookie_httponly and session.cookie_secure )

In addition, you must also restore the identifier of a session that is not valid old (see session_regenerate_id function ) after changing the state of a session (for example, authentication after logging in or changing authorization / privileges), and you can additionally do this periodically to reduce the time interval to successfully attack session capture.

Session Capture Prevention

More articles: