Re: Reality Check: Session Hijacking

From: mrbog (dterrors_at_hotmail.com)
Date: 05/05/04


Date: 4 May 2004 22:23:09 -0700

Daniel Tryba <news_comp.lang.php@canopus.nl> wrote in message news:<c7924c$t3q$1@news.tue.nl>...
>
> So instead of sending it once and storing something in session you want
> to send the vulnerable data over and over again? (Note that I said
> something instead of login/password).
>
(snip)
> Correct. So this has to be prevented. At this point there isn't much one
> can do about the hijacker reading the userdata, the only thing that has to
> be prevented is the hijacker changing data. The most simple way to do
> this is to ask for a PIN at these points, of course transactions that
> ask for a PIN should only be done over secured (e.g. SSL) connections.
>

No, you're not thinking deeply enough. Think this through. There IS
"much one can do about the hijacker reading userdata". If you do it
my way: always challenge the user for name and password when he's
viewing secure data, and then pass name/password in hidden form
fields, then you can prevent session hijacking. (With the one
exception of those rare hackers that can actually decrypt 128-bit SSL,
obviously, which I don't think is what you're arguing here).

With your way, and the way recommended by that Zend site, sessions
are wide open to be hijacked. If you challenge the user for
name/password, and then store some "authenticated" bit in the session
(even if it's not name/password, whatever, it doesn't matter), then
someone else can see the session id, and create a duplicate request,
going into secure https with that session id, just as the user would, and
do whatever he wants (whatever the user could). And never be
challenged for the password.

Think deeper, don't click the respond button until you get it.

------------------------------------------
Signature:
Never buy the services of newsfeed.com. I am a paying customer but
I'm using google to post messages, so that I can avoid their damn
advertisement showing up in every post I make.
------------------------------------------
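As an added example (not code from either poster), here is the re-challenge idea from the quoted reply written out in PHP: the session keeps an "authenticated" marker, but any sensitive action still demands a fresh password check, and the session id is regenerated after every successful check so a copied id alone does not carry the privilege. The user store, the `alice` account and the helper names are constructed for the example, and it assumes the site is served only over HTTPS.

```php
<?php
// Added example (not from the thread): step-up re-authentication in PHP.
// Assumes HTTPS only. The user store below is constructed sample data.
declare(strict_types=1);

const REAUTH_WINDOW = 300; // seconds a password check stays fresh

session_set_cookie_params([
    'secure'   => true,     // session cookie only over HTTPS
    'httponly' => true,     // not readable by page scripts
    'samesite' => 'Strict',
]);
session_start();

function user_password_hash(string $user): ?string
{
    // Constructed sample user store: username => password hash.
    static $users;
    $users ??= ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return $users[$user] ?? null;
}

// Login: verify the password, then rotate the session id so an id seen
// before authentication carries no privilege afterwards.
function login(string $user, string $password): bool
{
    $hash = user_password_hash($user);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['reauth_at'] = time();
    return true;
}

// Sensitive action: the marker alone is not enough. Without a fresh check
// the caller gets false and must re-prompt the user for the password.
function require_fresh_auth(?string $password): bool
{
    if (!isset($_SESSION['user'])) {
        return false;
    }
    if (time() - ($_SESSION['reauth_at'] ?? 0) < REAUTH_WINDOW) {
        return true;
    }
    $hash = user_password_hash($_SESSION['user']);
    if ($password === null || $hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // rotate the id after each step-up too
    $_SESSION['reauth_at'] = time();
    return true;
}
```

A handler for a data-changing request calls `require_fresh_auth($_POST['password'] ?? null)` and shows the password prompt when it returns false, so a request that only carries a stolen session id is stopped at the challenge.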