PHP Sessions Hijacking and its methods

Question

I was trying to build my own secure PHP Sessions Class, when i was actually wondering what's stopping someone from emulating the session?

IE, why wouldn't a code on test.php

$_SESSION['logged_in'] = true;

Not be able to work on index.php where

if($_SESSION['logged_in'] == True){
 echo 'logged in';
}

I understand that the way about this is to secure the session by generating a secure ID by locking it to the IP Address and User Agent, but how exactly does that work?

Meaning if i were able to guess the session ID would i be able to set the $_SESSION['logged_in'] = true and emulate the login? Should i then change the SESSION variable to check for login to a more secure one?

Sorry for my questions and hope i make some sense...

Answer 1

First of all, session data is only stored on the server, so an outside client can't simply create their own session data and send it to your server.

It therefore comes down to actually guessing the session identifier of someone else and assume their identity; this is quite difficult, but not impossible. In a situation whereby an attacker can tap the network traffic between the victim and your server, it's downright impossible to stop them.

There are a few things you can adopt to make things safer, though:

1. Use SSL; see also session.cookie_secure.
2. Generate identifiers from a good random source, i.e. /dev/urandom on Linux machines; see also session.entropy_file.
3. Regenerate the identifier when a user logs in or out; see also session_regenerate_id()
4. Use HttpOnly cookies (and only cookies) to perpetuate a session identifier; see also session.use_only_cookies and session.cookie_httponly.
5. Use strict sessions; see also session.use_strict_mode.

6. Keep a computed hash of the user agent in the session and make sure it doesn't change, e.g.:

   $_SESSION['_agent'] = sha1($_SERVER['HTTP_USER_AGENT']);
   

7. Try to reduce the lifetime of a session as short as possible and use an advanced "remember me" feature to regenerate sessions as they expire.

It's also important to know when a potential hijack has taken place and take appropriate action when that happens. You will need to keep track of which sessions belong to which user so that you can invalidate all of them when one of them has been breached.

Btw, locking the session to an IP address is tricky; some ISP's will make it seem that a user comes from various addresses or multiple users come from the same address. Either way, it might be better to keep track of the user agent, since that's less likely to change.

Answer 2

Guessing the session id is not session hijacking. It is harder than to guess a password. But yes, if someone did get a session id, they would gain full access to the account in question.

Locking by the ID address simply means that you store the original IP address the user used when logged in in the session itself and check it at the beginning of every request to see if it hasn't changed. This way, even if an attacker gets the correct session id, they still won't be able to use it.

There's a good Wikipedia article on the topic, as well as related StackOverflow questions: 1, 2.