1

I'm currently working on a new website for a client that stores personal information and credit card info on the site. As such, security is a big concern for me. This is the first site I've built that has sensitive information on it, and so I'm not very familiar with the whole subject.

The site manages users using sessions. However, I'm finding it hard to keep the sessions secure. I want to implement a User Agent check that checks the browser every time a page is loaded. This way, when I copy the session ID into a manually-created cookie on my 'attacker' browser, the server will detect the user agent change (from Chrome to Firefox) and reject the session.

My question is, if I do implement this check to run EVERY time a page is loaded, do I run the risk of logging out my legitimate user? Is there any reason that the true user would change their user agent between pages? And if so, how likely is this to happen? Likely enough that I should abandon this approach entirely, or is it an acceptable risk?

EDIT: The cookies are set to expire as soon as the browser is closed. Also, the user agent that is set upon login is stored in the session and is hashed after a salt is appended to it.

Thyrus017
  • 4
    Use SSL. If you're not using SSL, there is no real security. If people can hijack your session ID, the user agent is *not* a remotely acceptable check to detect this. It's no better than nothing at all. – user229044 Aug 15 '14 at 19:15
  • 5
    "Is there any reason that the true user would change their user agent between pages?" Not really, no. But it's not the true users you should be concerned about. It's the people trying to break in. Anyone can change the browser's user-agent, so IMO, it's a wasted check. – j08691 Aug 15 '14 at 19:16
  • Related: [Preventing session hijacking](http://stackoverflow.com/q/12233406/53114) – Gumbo Aug 15 '14 at 19:29
  • 1
    If you are not an expert on web security and you are handling credit card details, you should not be handling credit card details. Why are you not pushing this to a third party like World Pay or Paypal? – halfer Aug 15 '14 at 19:50
  • 1
    *"Also, the user agent that is set upon login is stored in the session and is hashed after a salt is appended to it."* That is so wildly unnecessary as to indicate you don't know what hashing or salting is for. You really **must** not take on credit card details. Security is one of the hardest problems and you have absolutely *no* chance of getting it right on your first try. The cost for failure if you're storing credit cards is far, far too high to risk it. – user229044 Aug 15 '14 at 20:02
  • @CorporalHart Also, that link doesn't answer the question you asked, and we also don't accept link-only answers on Stack Overflow. – user229044 Aug 15 '14 at 20:03
  • @meagar You're right, I'm going to rethink the entire approach to the site security-wise and outsource any payment functionality to a third party. Better safe than sorry. – Thyrus017 Aug 15 '14 at 20:09

1 Answer

6

Yes, the user-agent string can change. Session cookies often last longer than an individual browser session. If a user upgrades their browser (very common these days with the auto-updaters in Chrome and Firefox) then a different version will appear in the user-agent string.

In addition, some plugins are reported in the user-agent string, causing it to change if a user installs one.

Your user-agent string check doesn't really offer any additional security. I don't recommend it.

Brad
  • 2
    Also, if someone can steal the browser session cookie - then they probably already have the UA as well. – Xeoncross Aug 15 '14 at 19:50
  • Just discovered (not especially surprisingly) that developer tools switching into/out of mobile modes can change the user agent string between requests. So this technique can also impede development of responsive interfaces, too. – Stuart Watt Jun 15 '20 at 19:54
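
The behaviour described in the answer and its comments, as an added example that is not part of the original thread: it models the per-request check from the question (a salted hash of the User-Agent stored at login) and runs it over constructed requests. The function names, the session layout and the `ExampleBrowser` strings are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

SALT = os.urandom(16)  # constructed salt, standing in for the site's own


def ua_fingerprint(user_agent: str) -> str:
    """Salted hash of the User-Agent, as the question describes storing at login."""
    return hashlib.sha256(SALT + user_agent.encode("utf-8")).hexdigest()


def login(user_agent: str) -> dict:
    """Create a session record bound to the User-Agent seen at login."""
    return {"sid": os.urandom(16).hex(), "ua_hash": ua_fingerprint(user_agent)}


def ua_check(session: dict, cookie_sid: str, user_agent: str) -> bool:
    """Per-request check: the session ID matches and the User-Agent is unchanged."""
    same_sid = hmac.compare_digest(session["sid"], cookie_sid)
    same_ua = hmac.compare_digest(session["ua_hash"], ua_fingerprint(user_agent))
    return same_sid and same_ua


# Constructed User-Agent strings (not taken from the page).
UA_AT_LOGIN = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/36.0"
UA_AFTER_UPDATE = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/37.0"


def run_scenarios() -> dict:
    session = login(UA_AT_LOGIN)
    sid = session["sid"]
    return {
        # Legitimate user, unchanged browser: accepted.
        "same_browser": ua_check(session, sid, UA_AT_LOGIN),
        # Legitimate user after an automatic browser update: logged out.
        "after_auto_update": ua_check(session, sid, UA_AFTER_UPDATE),
        # Cookie and header captured together and sent from another client:
        # the server sees the same bytes, so the check cannot tell them apart.
        "replayed_sid_and_ua": ua_check(session, sid, UA_AT_LOGIN),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The salt and hash change nothing about the outcome: the comparison still reduces to whether the header text is identical, which is why the thread points to SSL for protecting the session ID instead.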