[nycphp-talk] Session security: protecting against hijacking attempts

Adam Fields fields at surgam.net
Wed Dec 15 18:00:56 EST 2004


On Wed, Dec 15, 2004 at 04:47:07PM -0600, Eric Rank wrote:
> Is that it? Nothing else I can do to prevent it? Thus far this is the
> conclusion that I've come up with too. It's slightly disturbing....
> but web security vulnerabilities make me pretty squeamish. Is this
> something that needs to be worried about, or am I just paranoid?

Er... this isn't limited to wireless - anyone between the server and
the user can eavesdrop on everything that crosses the wire, and
consequently fake it.

What's the aversion to SSL? It's not perfect, but it exists precisely
to try to address this exact problem.


> On Wed, 15 Dec 2004 15:55:50 -0500, csnyder <chsnyder at gmail.com> wrote:
> > As you said, SSL is the only way to be sure.
> > 
> > If I'm using your website through my evil neighbor's wireless access
> > point, and she decides to hijack my session, there is nothing we can
> > do about it. She'll probably duplicate my user-agent header, she has
> > the same ip address, and if she passes the same session cookie then
> > she *is* me, as far as your server can tell.
> > 
> > It used to be that a hijacker had to live inside the ISP to be able to
> > capture the packets -- but with wireless, anyone can play.
> > 
> > You can prevent inadvertent hijacking by requiring cookies.
> > Otherwise... good luck.
> _______________________________________________
> New York PHP Talk
> Supporting AMP Technology (Apache/MySQL/PHP)
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.newyorkphp.org

-- 
				- Adam

-----
[ http://www.aquick.org/blog ]
[ http://www.adamfields.com ][ http://del.icio.us/fields ]
[ http://www.aquick.org/photoblog ][ http://www.aquick.org/gallery ]
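As an added example (not code from any of the posters), here is how the two points the thread settles on, serve the session only over SSL and accept the session id only from a cookie, look in PHP; it assumes TLS terminates at the PHP host so `$_SERVER['HTTPS']` is reliable, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread: harden PHP session handling so the
// session id only ever crosses the wire inside TLS and only in a cookie.
// Assumption: TLS terminates at this host, so $_SERVER['HTTPS'] is trustworthy
// (behind a reverse proxy you would check the proxy's forwarded-proto header).

// Never run the session over plaintext HTTP: anything sent here is sniffable,
// so bounce the client to https before a session cookie is ever issued.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// Session id only in a cookie, never appended to URLs (the "requiring cookies"
// point above; also keeps the id out of Referer headers and access logs).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Do not adopt an uninitialized id supplied by the client (blocks fixation).
ini_set('session.use_strict_mode', '1');

// Cookie flags: Secure = browser sends it over TLS only, so the plaintext
// eavesdropper in the thread never sees it; HttpOnly = not readable by script.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_start();

// Issue a fresh id whenever authentication state changes, so an id captured
// or planted before login is worthless afterwards.
function on_login(int $userId): void
{
    session_regenerate_id(true);   // true = discard the old session data
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function on_logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}
```

Note that none of this binds the session to the client IP or User-Agent: as the thread points out, an attacker on the same access point shares both, so the Secure flag plus TLS is what actually removes the plaintext exposure.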
