Reputation: 43
Good Method To Prevent Session Hijacking?
Scenario: Upon starting a session on my site, I generate a rand token that is shown to the user that once. Say they “store” it away for later use. I then, INSERT the md5(token) into SQL with timestamp. When the user visits other pages like login, they would have to pass the token via URL as part of the validation process. I would check to see if the token exist and maybe UPDATE userid to this token.
So. Even if someone steals a user’s PHPSESSID cookie, wouldn’t it do ANY good to the hacker since they can’t access any of these pages without knowing the token?
Upvotes: 0
Views: 633
Answers (1)
Reputation: 2413
You are right that they won't be able to access the pages without the token, but as an added point, sometimes I'd like to use IP tracking or browser tracking used concurrently as well.
The rationale being that even if someone gets a PHPSESSID cookie and the token, he would have to be coming from the same IP source as well as use the same browser. Then again these are just means of security by obscurity.
I recommend if you are really concerned about security, you can try looking at using a HTTPS connection. Hope it helped. Cheers!
Upvotes: 1
Related Questions
- Preventing session hijacking
- Effective way to protect session hijacking in php
- Prevent PHP sesison hijack, are these good ideas?
- Session hijacking countering methods
- Proper session hijacking prevention in PHP
- How to integrate these pieces of code to protect against session hijacking
- PHP Protecting from Session Fixation/Hijacking
- Dealing with session hijacking in PHP
- Session hijack resulting in token exposure
- PHP: Preventing Session Hijacking with token stored as a cookie?