One thing which would prevent hijackers from simply guessing SIDs would be to add an MD5
hash to the end of a URL....
e.g.
If a page was:- doit.php?item=4&SID=237478
then append the URL with the MD5 of the URL PLUS a secret key generated at the
beginning of each session:-
i.e. add MD5("doit.php?item=4&SID=237478"."R4WED4TTE3"), which results in the new URL
like....
doit.php?item=4&SID=237478&EXTRA=GTW4YGSE52FD234WERW634DG5WE653WEF
...then the browsed-to page could easily verify if ANY details of the query string
have been changed! This also protects other info from being changed, such as, in this example,
'item'.
If a user changed the SID to anything else, even a perfectly valid active session, it
would result in the EXTRA key no longer being valid! And as they don't have access to
the secret key they wouldn't be able to generate a new one! :)
Obviously if someone copied the entire URL including the extra bit then they would
have access! But this solution does have the added benefit of preventing the valid
owner of a valid session from changing other bits of the query string!
Ian
> -----Original Message-----
> From: Arcady Genkin [mailto:[EMAIL PROTECTED]]
> Sent: 04 July 2001 06:52
> To: [EMAIL PROTECTED]
> Subject: Protecting from session hijacking
>
>
> Is there any real way to protect against the possibility of session
> hijacking? I thought of checking the IP address on subsequent requests,
> but apparently this cannot be relied on because of HTTP proxies etc.
> Any wisdom on the matter? (I'm already saving the session files in a
> directory protected from unwanted eyes.)
> --
> Arcady Genkin
> i=1; while 1, hilb(i); i=i+1; end
>
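The query-string check Ian describes above, as an added example that is not from either poster: it signs the path and query with a per-session secret and appends the result as EXTRA, then verifies it on the next request. It is written in Python rather than PHP, and it swaps Ian's MD5(url . key) for an HMAC (the standard keyed-hash construction); the parameter name EXTRA and the sample secret come from the thread, everything else is assumed.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TAG_PARAM = "EXTRA"  # name of the appended check value, as in the thread


def new_session_secret() -> str:
    """Generate the per-session secret at session start; it lives server-side only."""
    return secrets.token_hex(16)


def _tag(path: str, query_pairs, secret: str) -> str:
    # Canonical form: path plus the query pairs in their given order, EXTRA excluded.
    canonical = path + "?" + urlencode(query_pairs)
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(url: str, secret: str) -> str:
    """Append EXTRA=<tag> so any later change to path or query is detectable."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TAG_PARAM]
    tag = _tag(parts.path, pairs, secret)
    return urlunsplit(parts._replace(query=urlencode(pairs + [(TAG_PARAM, tag)])))


def verify_url(url: str, secret: str) -> bool:
    """True only if exactly one EXTRA is present and it matches the rest of the URL."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tags = [v for k, v in pairs if k == TAG_PARAM]
    if len(tags) != 1:          # missing or duplicated tag: reject
        return False
    rest = [(k, v) for k, v in pairs if k != TAG_PARAM]
    expected = _tag(parts.path, rest, secret)
    return hmac.compare_digest(expected, tags[0])  # constant-time comparison


if __name__ == "__main__":
    key = new_session_secret()
    signed = sign_url("doit.php?item=4&SID=237478", key)
    print(signed)
    print(verify_url(signed, key))                                  # True
    print(verify_url(signed.replace("item=4", "item=5"), key))      # False: item changed
    print(verify_url(signed.replace("SID=237478", "SID=999999"), key))  # False: SID swapped
    print(verify_url(signed, new_session_secret()))                 # False: wrong session
```

As Ian notes, a copy of the complete signed URL still verifies; the check detects edits to the query string, not reuse of it.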