0

I've been searching for 3 days, how to correctly validate user information in nodejs socket.io server, only thing that gets passed to server, are cookies, like PHPSESSID, etc. if needed.

My question is: what if user changes his PHPSESSID cookie value to something else, like friends cookie value, then reinitialize socket server connection, all the traffic that supposed to be sent to my friend will be sent to me instead. (user to user private communication)

Even if i use memcached server to store sessions, there is only one thing that validates users, that is session id again, how should i validate user session ?

I cant change session store location, because i am using PHP Wave framework. Are there alternatives to socket.io, but more secure?

Karli Ots
  • 729
  • 1
  • 8
  • 22
  • This is an expected vulnerability in all web applications. If you can steal someone's cookies you can impersonate them. – Chris Apr 10 '16 at 12:44
  • this problem has a name: session hijacking. – Federkun Apr 10 '16 at 12:48
  • @Federico Hi, Is `session_regenerate_id()` can be solution for session hijaking ? – mertizci Apr 10 '16 at 13:25
  • there's not really a solution here, just way to prevent it. using https and regenerate the session id can help, but that's just a piece of the puzzle (if the session data is store in a database, a sql injection can be a problem - or a xss, or a million of other possible problem). – Federkun Apr 10 '16 at 13:33

1 Answers1

0

Its not hundered percent solution but you can use session_regenerate_id(). It will regenerate session id without closing it. See this thread: PHP Session Fixation / Hijacking

Community
  • 1
  • 1
mertizci
  • 538
  • 3
  • 12