I've done quite a bit of research on this. Unfortunately, none of the information I found was actually useful. I am looking into a specific case of session hijacking, since I've taken steps towards securing my sessions, but this one I cannot figure out.
What I've set up as a security measure is taking a browser fingerprint on session start:
// Store the browser fingerprint when the session is first started
$_SESSION['fingerprint'] = $_SERVER['HTTP_USER_AGENT'];
Every time the session is requested I perform the check:
if ($_SESSION['fingerprint'] !== $_SERVER['HTTP_USER_AGENT']) { /* Handle accordingly, e.g. destroy the session */ }
So with httpOnly enabled there isn't really much left for session hijacking except deceiving Wi-Fi routers with an unsecured connection, or any other type of connection listening, where the attacker will be aware of all request headers, so the complexity of the fingerprint doesn't matter at all. If the attacker were to copy all of his victim's request headers, how could I still protect the session?
Upvotes: 1
Views: 204
Reputation: 522042
You cannot. A bunch of HTTP headers, of which cookies are one, is the only thing that identifies a client. Copying/spoofing all of the headers means impersonating a user. There's nothing more you can do, really, over a public, anonymous connection. If you need anything more, you'd have to start handing out actual secrets to the client out of band, like client SSL certificates. This is not really practical though.
In practice, if you protect your connection from men in the middle using SSL connections, this is as practical and secure as it gets.
Upvotes: 2
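As an added example that is not the asker's or the answerer's code, this is how the User-Agent check from the question sits alongside the controls the answer actually relies on (TLS-only cookies and HttpOnly). The function names and the 'fingerprint' session key are assumptions for illustration.

```php
<?php
// Added example (not from the question or answer): PHP session set-up that
// pairs the asker's User-Agent fingerprint with the controls the answer
// relies on, TLS-only cookies and HttpOnly. Function names are assumptions.
declare(strict_types=1);

// Refuse plain HTTP: without TLS an on-path attacker sees every header,
// fingerprint included, so the check below would add nothing.
function require_https(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('HTTPS required');
    }
}

function start_secure_session(): void
{
    require_https();
    // Secure keeps the id off cleartext connections, HttpOnly keeps it away
    // from script, SameSite=Strict limits cross-site replay of the cookie.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: bind it to the current User-Agent.
        $_SESSION['fingerprint'] = $ua;
        return;
    }
    if (!hash_equals($_SESSION['fingerprint'], $ua)) {
        // Defence in depth only: a copied header set passes this check.
        session_unset();
        session_destroy();
        http_response_code(401);
        exit('Session rejected');
    }
}

// Call right after a successful login so a pre-login id cannot be reused.
function rotate_session_id(): void
{
    session_regenerate_id(true);
}
```

The array form of session_set_cookie_params() requires PHP 7.3 or later; on older versions the same flags are set through the positional arguments and session.cookie_samesite in php.ini.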