NYCPHP Meetup

NYPHP.org

[nycphp-talk] Session security: protecting against hijacking attempts

Eric Rank flakie at gmail.com
Wed Dec 15 17:47:07 EST 2004


Is that it? Nothing else I can do to prevent it? Thus far this is the
conclusion that I've come up with too. It's slightly disturbing....
but web security vulnerabilities make me pretty squeamish. Is this
something that needs to be worried about, or am I just paranoid?

Eric Rank




On Wed, 15 Dec 2004 15:55:50 -0500, csnyder <chsnyder at gmail.com> wrote:
> As you said, SSL is the only way to be sure.
> 
> If I'm using your website through my evil neighbor's wireless access
> point, and she decides to hijack my session, there is nothing we can
> do about it. She'll probably duplicate my user-agent header, she has
> the same ip address, and if she passes the same session cookie then
> she *is* me, as far as your server can tell.
> 
> It used to be that a hijacker had to live inside the ISP to be able to
> capture the packets -- but with wireless, anyone can play.
> 
> You can prevent inadvertent hijacking by requiring cookies.
> Otherwise... good luck.
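The mitigations the thread mentions (require cookies, use SSL) translate into a handful of PHP session settings. The following is an added example, not code posted by either participant, showing a session setup that accepts the ID only from a cookie, marks the cookie secure/httponly, rejects IDs the server never issued, and rotates the ID on login. It assumes PHP 7.3 or later for the array form of session_set_cookie_params and the SameSite option; the function names login_user and session_is_valid are hypothetical. None of this helps against the neighbour who can read the cookie off an unencrypted wireless link; TLS protects the ID in transit, and the secure flag only ensures the browser never sends it in the clear.

```php
<?php
// Added example (not from the original thread): hardening PHP session
// handling against inadvertent hijacking and fixation. Assumes PHP 7.3+.

declare(strict_types=1);

function configure_hardened_session(): void
{
    // Accept the session ID only from the cookie, never from the URL,
    // so IDs do not leak through Referer headers, logs or pasted links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Reject IDs the server did not issue itself (blocks fixation with
    // an attacker-chosen ID). Available since PHP 5.5.2.
    ini_set('session.use_strict_mode', '1');

    // Cookie flags: only over TLS, not readable by script, not sent on
    // cross-site requests. Must be set before session_start().
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    session_start();
}

// Hypothetical helper: call after the user has authenticated.
function login_user(string $userId): void
{
    // Issue a fresh ID at the privilege change, so an ID observed
    // before login is worthless afterwards; true deletes the old file.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['issued_at'] = time();
}

// Hypothetical helper: absolute timeout bounds how long a stolen ID works.
function session_is_valid(int $maxAge = 1800): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['issued_at'])) {
        return false;
    }
    if (time() - (int) $_SESSION['issued_at'] > $maxAge) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Usage: run on every request before touching $_SESSION.
configure_hardened_session();
if (!session_is_valid()) {
    // ... verify credentials here, then:
    // login_user('alice');
}
```

Logging out should likewise call session_destroy() and expire the cookie, so the old ID cannot be replayed; a per-request check of the user-agent or IP adds little, for the reason the quoted reply gives.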


