[nycphp-talk] Session security: protecting against hijacking attempts
Tim Toomey
ttoomey at ydnt.com
Wed Dec 15 18:09:56 EST 2004
Eric Rank wrote:
>Hi all,
>
>I'm looking for a good standard practice for authenticating Sessions
>to protect against hijacking attempts. What have you tried? What
>works? What doesn't?
>
>I know that the only REAL way to protect against this is to use SSL,
>but I'm trying to get as secure as possible without SSL.
>
>So far I've decided that as a minimum I can check the user agent and
>the remote ip address on each page request to see if a session is
>hijacked. This is the most obvious way to see if the session is being
>used by a different user. However, these things can be spoofed, and in
>fact, they probably don't even need to be spoofed if 2 users are
>behind the same router and have the same user agent.
>
>What else can one do to protect?
>
>Thanks,
>
>Eric Rank
>
>
I know one thing I did to limit session hijacking is to set up your files to
automatically redirect to a portion of your PHP that kills the session
after, say, 10 minutes of the page not being changed:
<meta http-equiv=refresh content="600;
URL=http://www.pancorp.com/income_per_image/index.php?action=logout&timeout=1">
Then I have a simple little function I call up in between an if statement
asking if action is set and timeout is equal to one, to destroy the
session array and log the user out.
--
-Tim Toomey
ttoomey at ydnt.com
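A server-side counterpart to the timeout Tim describes, added here as an example (it is not code from either post). It assumes a single PHP entry script, a hypothetical login.php to redirect to, a hypothetical login_user() call that the login form would make, and that the 600-second value matches the meta refresh interval. It also carries the user-agent check Eric asked about and periodic session-ID rotation. One caveat a practitioner will want: the meta refresh only runs in the legitimate user's browser, so an attacker replaying a stolen cookie never triggers the logout URL; the server has to compare the last-activity timestamp itself on every request.

```php
<?php
// Added example, not from the original thread.
// Assumptions: this runs at the top of the single entry script, the session is
// started only here, login.php is a hypothetical login page, and IDLE_TIMEOUT
// equals the meta refresh interval (600 s).
declare(strict_types=1);

const IDLE_TIMEOUT = 600;   // seconds, same value as the meta refresh
const REGEN_INTERVAL = 300; // rotate the session ID this often

// Cookie flags: keep the ID away from JavaScript and off cross-site requests.
// 'secure' is false only because the thread assumes no SSL; set it to true
// as soon as the site is served over HTTPS.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => false,
]);
session_start();

// Wipe the session array, drop the cookie, and delete the server-side store.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// login.php and the reason parameter are hypothetical names for this example.
function redirect_to_login(string $reason): void
{
    header('Location: login.php?reason=' . urlencode($reason));
    exit;
}

// Hypothetical helper the login form would call after checking the password:
// fresh ID so a pre-login ID planted by an attacker (session fixation) is useless.
function login_user(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user_id;
    $_SESSION['last_activity'] = time();
    $_SESSION['last_regen']    = time();
    $_SESSION['ua_hash']       = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// 1. Explicit logout, including the one the meta refresh fires
//    (index.php?action=logout&timeout=1).
if (($_GET['action'] ?? '') === 'logout') {
    destroy_session();
    redirect_to_login(($_GET['timeout'] ?? '') === '1' ? 'timeout' : 'logout');
}

// 2. Not logged in at all.
if (empty($_SESSION['user_id'])) {
    redirect_to_login('login');
}

// 3. Server-side idle timeout. A hijacker replaying the cookie never loads the
//    page containing the meta refresh, so the server must enforce the limit.
if (time() - (int) ($_SESSION['last_activity'] ?? 0) > IDLE_TIMEOUT) {
    destroy_session();
    redirect_to_login('timeout');
}
$_SESSION['last_activity'] = time();

// 4. User-agent binding. The header is attacker-controlled, so this is a weak
//    check, but it costs nothing and catches careless replays.
$ua_hash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (!hash_equals((string) ($_SESSION['ua_hash'] ?? ''), $ua_hash)) {
    destroy_session();
    redirect_to_login('hijack');
}

// 5. Rotate the session ID periodically so a captured ID has a short useful life.
if (time() - (int) ($_SESSION['last_regen'] ?? 0) > REGEN_INTERVAL) {
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}
```

The IP check Eric mentioned is deliberately left out: users behind proxies or mobile carriers change addresses mid-session, so binding to the remote IP produces false logouts without stopping an attacker on the same NAT. Session-ID rotation plus a short idle timeout shrinks the window in which a stolen ID is useful, which is the most that can be done without transport encryption.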