Solutions To Session Attacks

Recently I wrote two other security articles, on XSS and SQL Injection. I found many interesting facts and solutions while researching those topics and wanted to know more about other security measures. Thus, in this article I will discuss the different types of session attacks and how we can better protect ourselves against them to secure our web portals.

9 thoughts on “Solutions To Session Attacks”

  1. I sort of wrote something the other day about this. Here's my code:

  2. Oops:
    <?php
    // An example of how to secure your sessions.
    // Normally the config data would be in an external file.
    $config = array();

    // Set the number of loads after which you want to regenerate the session id.
    // Set this value to 0 if you do not want to regenerate the session id.
    $config['regenSession'] = 3;

    // Salts for hashing
    $config['salts'] = array('sessions' => 'session key');

    /**
     * Functions
     */
    /**
     * FUNCTION SHA512_encode
     * Return the hex-encoded SHA-512 hash of a string.
     * hash() already returns hex, so the bin2hex()/base64_encode() wrapping
     * that used to be here only inflated the value without adding anything.
     *
     * @param string $str
     * @return string
     */
    function SHA512_encode($str)
    {
        return hash('sha512', $str);
    }

    // Start the session
    session_start();

    // The User-Agent header may be absent; default to an empty string so the
    // comparison below never trips over an undefined index.
    $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $uaHash = SHA512_encode($userAgent . $config['salts']['sessions']);

    // Check for possible session hijacking by comparing the browser's
    // User Agent to the one stored in the session. We store this in the session
    // with a random text key "aszIy09" for obscurity purposes, and the data stored
    // in the element is a salted hash of the User Agent string (not an encrypted
    // copy of it) to help further prevent session hijacking.
    //
    // We could also have named the element to look like some other data
    // that had nothing to do with User Agent information.
    if (isset($_SESSION['aszIy09']) && $_SESSION['aszIy09'] !== $uaHash)
    {
        // A possible session hijacking has been detected.
        // Check if there is a cookie associated with the session.
        if (isset($_COOKIE[session_name()]))
        {
            // Kill the cookie associated with the session.
            setcookie(session_name(), '', time() - 42000, '/');
        }

        // Clear the in-memory data (session_destroy() does not touch $_SESSION)
        // and destroy the session itself.
        $_SESSION = array();
        session_destroy();

        // Start a new session and give it a fresh id: session_start() alone would
        // reuse the id from the incoming cookie, i.e. the one that just failed the check.
        session_start();
        session_regenerate_id(true);
    }

    // Check if this is a new session
    if (!isset($_SESSION['aszIy09']))
    {
        // New session detected: load it with the salted User Agent hash
        $_SESSION['aszIy09'] = $uaHash;

        // Set the number of loads to 0 in the session
        $_SESSION['loads'] = 0;
    }

    // Increment the loads
    ++$_SESSION['loads'];

    // Regenerate the session id after every Nth load.
    // This can be disabled by setting $config['regenSession'] to 0.
    if (isset($config['regenSession']) && $config['regenSession'] > 0 &&
        $_SESSION['loads'] >= $config['regenSession'])
    {
        // Regenerate the session id. session_regenerate_id() keeps $_SESSION,
        // so no manual copy is needed; passing true deletes the old session
        // data so the previous id cannot be replayed.
        session_regenerate_id(true);

        // Reset load count
        $_SESSION['loads'] = 1;
    }

    // Output the session id
    echo 'SESSION ID: ' . session_id();

  3. I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

    Susan

    http://dclottery.info

  4. The UA in the session is a good choice, but I would suggest you hash it with a salt; much like passwords, you don't store or use them in plain-text form...

    The same goes for your session tokens, such as the UA - hash and salt them just to be sure; you can spoof a UA if it's known, but you can't if it has been hashed and salted.

    It makes no difference at the end of the day with regard to implementation, so don't use tokens in their plain vanilla form.
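
The two ideas in this thread, binding a session to the User-Agent (comment 2) and storing that binding only as a keyed hash (comment 4), put together with the controls that actually stop fixation and hijacking. This is an added example written for this page, not the original post's or either commenter's code. It assumes a `$config['session_secret']` value loaded from a real secrets store, and `login_user()` / `logout_user()` are hypothetical names for whatever your application calls after a credential check and on logout. It needs PHP 7.3 or later (array-form `session_set_cookie_params()` / `setcookie()`) and a web SAPI, since session cookies are not emitted on the CLI.

```php
<?php
// Added example (not the commenter's code): hardened session bootstrap that
// keeps the thread's User-Agent binding but fixes its weak points.
// Assumed: $config['session_secret'] comes from a secrets store, and
// login_user()/logout_user() are hypothetical names for your own hooks.
declare(strict_types=1);

$config = [
    'session_secret' => 'CHANGE-ME: 32+ random bytes from a secrets store', // assumption
    'idle_timeout'   => 900,   // seconds without a request before the session dies
    'regen_interval' => 300,   // seconds between routine id rotations
];

// Fingerprint = HMAC over the User-Agent with a server-side key. This is
// comment 4's "hash and salt", done with a keyed MAC instead of a concatenated
// salt: knowing the UA is not enough to forge the stored value without the key.
function session_fingerprint(string $secret): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, $secret);
}

function secure_session_start(array $config): void
{
    // Strict mode refuses ids the server never issued, which is what defeats
    // fixation via an attacker-chosen id. The cookie is HTTPS-only, hidden from
    // JavaScript, and not sent on cross-site navigations.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    $now   = time();
    $fp    = session_fingerprint($config['session_secret']);
    $bound = (string) ($_SESSION['_fp'] ?? '');
    $last  = (int) ($_SESSION['_last'] ?? $now);

    $hijack  = $bound !== '' && !hash_equals($bound, $fp);
    $expired = ($now - $last) > $config['idle_timeout'];

    if ($hijack || $expired) {
        // Drop all state and issue a brand-new id; true deletes the old id
        // server-side so neither party can keep using it.
        $_SESSION = [];
        session_regenerate_id(true);
    }

    if (!isset($_SESSION['_fp'])) {
        $_SESSION['_fp']     = $fp;
        $_SESSION['_rotated'] = $now;
    }

    // Routine rotation on a time basis rather than a page-load count, so an id
    // that leaks into a log or Referer has a bounded useful lifetime.
    if (($now - (int) $_SESSION['_rotated']) > $config['regen_interval']) {
        session_regenerate_id(true);
        $_SESSION['_rotated'] = $now;
    }
    $_SESSION['_last'] = $now;
}

// Call after a successful credential check. Regenerating on privilege change is
// the core anti-fixation step: whatever id the browser carried before login
// (possibly one planted by an attacker) is never tied to the authenticated state.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['_rotated'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

secure_session_start($config);
echo 'SESSION ID: ' . session_id();
```

Call `secure_session_start()` before any output on every request and `login_user()` only after the password check has passed. Treat the User-Agent binding as defence in depth, not as the control that carries the weight: anyone who can steal the cookie (XSS, a network position, a shared machine) can usually copy the header too, and widening the fingerprint to the client IP breaks users behind rotating proxies and mobile carriers. The protections that matter are strict mode, the cookie flags, regeneration at login and the idle timeout.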
