Adam,

The way I got around this was to create a session key using an MD5 hash of
the session id and the user's IP address.  The username, session id and
session key are then stored in a MySQL table.  Every time the user loads a
page I want secure, it re-creates the session key and checks to make sure it
matches the information stored in the database.  If that works, then it
checks another table to determine if the user has access to the page or not.
I know that the IP address can be spoofed, but I'm not sending the session
id in the url, so no one knows what it is and without the session id the
session key cannot be spoofed.

Hope this helps,
David Price

-----Original Message-----
From: adam (dahamsta) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 27, 2001 10:39 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Stopping stolen / spoofed / linked sessions


[Please copy replies off-list.]

I want to use PHP4 sessions for authentication, but I'm having difficulty
understanding how to get around users spoofing, stealing or linking sessions.
Here's an example: Alice sends Bob a link from a site she's logged into.
Alice has cookies turned off in her browser, so the session id will be in the
URL she sends Bob. Eve intercepts the message, follows the link and now she
can take over Alice's session, and any data that is associated with that
session. For that matter, Bob can do the same thing.

I can think of lots of ways around this, but most of them are kludges that
don't really cut it. I can store a second authentication value in a cookie,
but that would require cookies, which isn't acceptable. I could propagate a
second authentication variable in the URL, but that's a lot of hassle and
defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if
the user came from my own site, but that can be spoofed. I can log and check
the user's IP address, but that can't be relied upon.

Is there any reliable way around this? Am I missing something obvious?

Cheers,
adam
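As an added illustration (not code from either message), here is the server-side check David describes, run against the scenario in adam's message. The MySQL tables are modelled as PHP arrays so the script runs stand-alone, the key is an HMAC-SHA-256 with a server-side secret substituted for the plain MD5 of session id plus IP, and the usernames, secret and addresses are constructed.

```php
<?php
// Added example, not code from the thread. The MySQL tables David describes
// are modelled as PHP arrays; the key is an HMAC-SHA-256 keyed with a server
// secret instead of the plain MD5(session id . IP) from his message.
declare(strict_types=1);

// Placeholder only: load a real random secret from configuration.
const SERVER_SECRET = 'CHANGE-ME-server-side-secret';

// Key that binds a session id to the client address it was issued to.
function sessionKey(string $sessionId, string $ip): string
{
    return hash_hmac('sha256', $sessionId . '|' . $ip, SERVER_SECRET);
}

// "sessions" table row: session_id => [username, session_key]
function login(array &$sessions, string $username, string $sessionId, string $ip): void
{
    $sessions[$sessionId] = ['username' => $username, 'session_key' => sessionKey($sessionId, $ip)];
}

// Re-create the key for this request, compare it in constant time with the
// stored one, then consult the "access" table (username => allowed pages).
function checkAccess(array $sessions, array $access, string $sessionId, string $ip, string $page): bool
{
    if (!isset($sessions[$sessionId])) {
        return false;                                  // unknown session id
    }
    $row = $sessions[$sessionId];
    if (!hash_equals($row['session_key'], sessionKey($sessionId, $ip))) {
        return false;                                  // id presented from another address
    }
    return in_array($page, $access[$row['username']] ?? [], true);
}

// Constructed scenario from adam's message: Alice's session id leaks in a URL.
$sessions = [];
$access   = ['alice' => ['/account.php', '/orders.php']];
$aliceSid = bin2hex(random_bytes(16));
$aliceIp  = '192.0.2.10';    // RFC 5737 documentation address, constructed
$eveIp    = '198.51.100.7';  // RFC 5737 documentation address, constructed
login($sessions, 'alice', $aliceSid, $aliceIp);

foreach ([['alice, own address', $aliceIp, '/account.php'],
          ['eve, replayed id',   $eveIp,   '/account.php'],
          ['alice, no ACL row',  $aliceIp, '/admin.php']] as [$who, $ip, $page]) {
    printf("%-20s %-13s %s\n", $who, $page,
        var_export(checkAccess($sessions, $access, $aliceSid, $ip, $page), true));
}
```

The second row shows the limitation David himself notes: the check only holds while the attacker cannot present the request from the same address as the legitimate user.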


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

