Preventing Session Hijacking in PHP
You want to make sure an attacker can’t access another user’s session. The solution is to allow passing of session IDs via cookies only, and to generate an additional session token that is passed via URLs. Only requests that contain both a valid session ID and a valid session token may access the session:
[source:php]
<?php
// Accept the session ID from a cookie only, never from the URL
ini_set('session.use_only_cookies', true);
session_start();

// Build a token that changes every week: the current ISO week number plus a secret salt
$salt = 'YourSpecialValueHere';
$tokenstr = (string) date('W') . $salt;
$token = md5($tokenstr);

// A request that does not carry the current token may not use the session
if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {
    // prompt for login
    exit;
}
$_SESSION['token'] = $token;

// Append token=... to every URL PHP generates for this page
output_add_rewrite_var('token', $token);
?>
[/source]
If you’re using a PHP version earlier than 4.3.0, output_add_rewrite_var( ) is not available.
Adding a session token to links
[source:php]
<?php
// Accept the session ID from a cookie only, never from the URL
ini_set('session.use_only_cookies', true);
session_start();

// Build a token that changes every week: the current ISO week number plus a secret salt
$salt = 'YourSpecialValueHere';
$tokenstr = (string) date('W') . $salt;
$token = md5($tokenstr);

// A request that does not carry the current token may not use the session
if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {
    // prompt for login
    exit;
}
$_SESSION['token'] = $token;

// Buffer the page and rewrite its links just before it is sent
ob_start('inject_session_token');

function inject_session_token($buffer)
{
    // Match the URL in every double-quoted href attribute of an <a> tag
    $hyperlink_pattern = '/<a[^>]+href="([^"]+)/i';
    preg_match_all($hyperlink_pattern, $buffer, $matches);
    foreach ($matches[1] as $link) {
        // Use ? for a URL without a query string, & for one that already has one
        if (strpos($link, '?') === false) {
            $newlink = $link . '?token=' . $_SESSION['token'];
        } else {
            $newlink = $link . '&token=' . $_SESSION['token'];
        }
        $buffer = str_replace($link, $newlink, $buffer);
    }
    return $buffer;
}
[/source]
The regular expression for matching hyperlinks in the inject_session_token( ) function isn’t bulletproof; it will not catch hyperlinks with href attributes quoted with single quotes.
Discussion
This example creates an auto-shifting token by joining the current week number together with a salt term of your choice. With this technique, tokens will be valid for a reasonable period of time without being fixed.
We then check for the token in the request, and if it’s not found, we prompt for a new login.
If it is found, it needs to be added to generated links. output_add_rewrite_var( ) does this easily. Without output_add_rewrite_var( ), we continue generating the page and declare an output buffer callback function that will make sure that any hyperlinks on the page are modified to contain the current token before the page is displayed.
Note that the inject_session_token( ) function in the example does not address imagemaps, form submissions, or Ajax calls; make sure that you adjust any such functionality on a page to include the session token that’s been generated and stored in the session.
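A hardened variant of the recipe, added here as an example and not part of the original cookbook code: it derives the weekly token with an HMAC over a server-side secret instead of md5(week . salt), compares it in constant time, and rewrites both double- and single-quoted href attributes (the gap noted above), keeping any #fragment at the end of the URL. The secret value, the use of $_GET, and the year-plus-week date format are this example's own choices.

```php
<?php
// Added example, not the recipe's own code: a weekly token bound to a
// server-side secret, checked in constant time and injected into every href.

ini_set('session.use_only_cookies', '1');
session_start();

// Assumption: a long random secret kept on the server, never shown to users.
$secret = 'ReplaceWithALongRandomSecret';

// ISO year + week ('oW') so the token does not repeat the following year;
// an HMAC means a captured token does not let anyone brute-force the secret.
$token = hash_hmac('sha256', date('oW'), $secret);

// hash_equals() compares in constant time; $_GET is used because the token
// is meant to travel only in URLs.
$supplied = isset($_GET['token']) ? (string) $_GET['token'] : '';
if (!hash_equals($token, $supplied)) {
    // prompt for login
    exit;
}
$_SESSION['token'] = $token;

/**
 * Output-buffer callback: append token=... to every <a href="..."> or
 * <a href='...'>, before any #fragment, using ? or & as appropriate.
 */
function inject_session_token($buffer)
{
    $token = $_SESSION['token'];
    // Group 2 captures the quote character so the closing quote must match it
    $pattern = '/(<a\b[^>]*\bhref=)(["\'])([^"\']*)\2/i';
    return preg_replace_callback($pattern, function ($m) use ($token) {
        list($url, $fragment) = array_pad(explode('#', $m[3], 2), 2, null);
        $sep = (strpos($url, '?') === false) ? '?' : '&';
        $url .= $sep . 'token=' . rawurlencode($token);
        if ($fragment !== null) {
            $url .= '#' . $fragment;
        }
        return $m[1] . $m[2] . $url . $m[2];
    }, $buffer);
}

ob_start('inject_session_token');
?>
```

As with the original, forms, imagemaps and Ajax requests are not rewritten by this callback and need the token added separately.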