Session Hijacking

[litewarez]

yea VB / PHPBB they have Session Fixation Implemented already, this mainly for personal apps you create.

Another method that i would bet face-book's code goes along is something like this .

PHP Code: 

$timeout = 60 * 60; // 1 hour
$fingerprint = md5('MY-SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']);

session_start();

if(
    (isset($_SESSION['last_active']) && (time() > ($_SESSION['last_active']+$timeout)))
    || (isset($_SESSION['fingerprint']) && $_SESSION['fingerprint']!=$fingerprint)
    || isset($_GET['logout']) )
{
    //Logout!
}

session_regenerate_id(); //ALWAYS BEFORE
$_SESSION['last_active'] = time();
$_SESSION['fingerprint'] = $fingerprint; 


And within your html create a javascript file to ping the server every 30 seconds to keep them alive. this is called a heartbeat.

[timtamboy63]

Another way is to create a database with session keys and IP's or maybe IP ranges? Then, check whether the session id and IP match up. If not throw an error, etc

[litewarez]

yea tam that's usually how forum systems like to handle it, the exact same method but different storage method thats all

[timtamboy63]

oh cool, i didnt know that, how do they store it?

[Xman]

depending on your settings in IPB session hijacking can occer but there are settings you can use under the security settings that can help prevent it. Just be careful with them as some will make it to where users can't login or can not stay logged in.

Nice tut Litewarez

[litewarez]

thanks

[Bread]

Gah! Always forget to do this *smh* thanks for reminding me for my new script

[litewarez]

Yea heres an example of it in action in LitePHP witch i now use for anysite or system i create

PHP Code: 

<?php
class Library_session
{
    private $_session = array();
    public $_core_timeout = 600; //10 Minuetes (Sufficiant ?)
    
    function __construct()
    {
        if(!session_id())
        {
            ini_set('session.use_cookies', 'On');
            ini_set('session.use_trans_sid', 'Off');
            session_set_cookie_params(0, '/');
            
            //Prevent session hijacking by regeneration!
            session_regenerate_id();
            session_start();
        }
        $this->_session =& $_SESSION;
        
        //Scan the suer agent to prevent session hijackin
        $this->checkHijackAttempt();
    }
    
    private function checkHijackAttempt()
    {
        if(isset($this->_litephp_security))
        {
            if($this->_litephp_security != md5($_SERVER['HTTP_USER_AGENT']) || $this->_litephp_security_t < (time() + $this->_core_timeout))
            {
                unset($this->_session);
                unset($_SESSION);
                session_destroy();
            }
        }else
        {
            //As the session is fresh we create a UA hash!
            $this->_litephp_security    = md5($_SERVER['HTTP_USER_AGENT']);
        }
        $this->_litephp_security_t    = time(); //Timeout
    }
    
    //Usage $this->Library->Session->some_var('trim',array('Library_user','check_id')); //will trim and get the returned value from 2nd funtion
    function __call($key,$args)
    {
        if(!isset($this->_session[$key]))
        {
            return false;
        }
        
        $return = $this->_session[$key];
        
        foreach($args as $func)
        {
            if(is_callable($func))
            {
                $return = call_user_func_array($func,$return);
            }
        }
        return $return;
    }
    
    function __get($key)
    {
        return isset($this->_session[$key]) ? $this->_session[$key] : false;
    }
    
    public function __set($key,$val)
    {
        $this->_session[$key] = $val;
    }
}
?>

this only uses level 2 security, witch I will be upgrading soon