Предпазване от (session hijacking)

За да се предпазим от session hijacking - добър вариант ли е следния код?
PHP:
ini_set('session.cookie_httponly', TRUE);

//стартираме сесия
session_start();

//Проверяваме дали е сетната $_SESSION['last_ip'] и ако не е казваме, че тя равна на $_SERVER['REMOTE_ADDR'] (IP адреса, от който потребителят разглежда страницата)
if(isset($_SESSION['last_ip']) === FALSE){
    $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}

//правим проверка дали IP-то записано в сесията е равно на IP-то от което браузваме и ако не е равно унищожаваме сесията!
if($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']){
    session_unset();
    session_destroy();
}
 
You cannot directly prevent session hijacking. You can however put steps in to make it very difficult and harder to use.

  • Use a strong session hash identifier: session.hash_function in php.ini. If PHP < 5.3, set it to session.hash_function = 1 for SHA1. If PHP >= 5.3, set it to session.hash_function = sha256 or session.hash_function = sha512.

  • Send a strong hash: session.hash_bits_per_character in php.ini. Set this to session.hash_bits_per_character = 5. While this doesn't make it any harder to crack, it does make a difference when the attacker tries to guess the session identifier. The ID will be shorter, but uses more characters.

  • Set an additional entropy with session.entropy_file and session.entropy_length in your php.ini file. Set the former to session.entropy_file = /dev/urandom and the latter to the number of bytes that will be read from the entropy file, for example session.entropy_length = 256.

  • Change the name of the session from the default PHPSESSID. This is accomplished by calling session_name() with your own identifier name as the first parameter prior to calling session_start.

  • If you're really paranoid you could rotate the session name too, but beware that all sessions will automatically be invalidated if you change this (for example, if you make it dependent on the time). But depending on your use-case, it may be an option...

  • Rotate your session identifier often. I wouldn't do this every request (unless you really need that level of security), but at a random interval. You want to change this often since if an attacker does hijack a session you don't want them to be able to use it for too long.

  • Include the user agent from $_SERVER['HTTP_USER_AGENT'] in the session. Basically, when the session starts, store it in something like $_SESSION['user_agent']. Then, on each subsequent request check that it matches. Note that this can be faked so it's not 100% reliable, but it's better than not.

  • Include the user's IP address from $_SERVER['REMOTE_ADDR'] in the session. Basically, when the session starts, store it in something like $_SESSION['remote_ip']. This may be problematic from some ISPs that use multiple IP addresses for their users (such as AOL used to do). But if you use it, it will be much more secure. The only way for an attacker to fake the IP address is to compromise the network at some point between the real user and you. And if they compromise the network, they can do far worse than a hijacking (such as MITM attacks, etc).

  • Include a token in the session and on the browsers side that you increment and compare often. Basically, for each request do $_SESSION['counter']++ on the server side. Also do something in JS on the browsers side to do the same (using a local storage). Then, when you send a request, simply take a nonce of a token, and verify that the nonce is the same on the server. By doing this, you should be able to detect a hijacked session since the attacker won't have the exact counter, or if they do you'll have 2 systems transmitting the same count and can tell one is forged. This won't work for all applications, but is one way of combating the problem.
 
@Sky Тури още един за по-сигурно да не закръгли дабъла само с 2 :D.
Ако не слагаш плейн парола (пълни данни на кредитната карта и подобни) в сесията няма какво да ти пука. А за сигурност има темп таблици, файлова система...

ПП Няма смисъл да правиш проверка стойност + тип на isset тази функция връща само булева стойност.
 
Последно редактирано:

Горе