session-hijacking

PHP Sessions + Useragent with salt

限于喜欢 submitted on 2019-11-29 10:19:48
Question: It keeps running in my mind the last couple of days, but I read some articles about how to make your PHP sessions more secure. Almost all of these articles say that you need to save the useragent in the session WITH an additional salt. Something like this: $fingerprint = md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']); The salt would make it harder for an attacker to hijack or whatever the session. But WHY add a salt every time you would check it like this: md5('SECRET-SALT'.$_SERVER['HTTP

Session hijacking or attack?

允我心安 submitted on 2019-11-28 23:21:11
Question: Lately I have seen this in my error log (1 per day, and I have 40k visitors per day): [22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /var/my_files/class.session.php on line 67 [22-Sep-2009 21:13:52] PHP Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0 [22-Sep-2009 21:13:52] PHP Warning: Unknown:

Proper session hijacking prevention in PHP

懵懂的女人 submitted on 2019-11-27 06:38:26
I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example: // **PREVENTING SESSION HIJACKING** // Prevents javascript XSS attacks aimed to steal the session ID ini_set('session.cookie_httponly', 1); // Adds entropy into the randomization of the session ID, as PHP's random number // generator has some known flaws ini_set('session.entropy_file', '/dev/urandom'); // Uses a strong hash ini_set('session.hash_function', 'whirlpool'); // **PREVENTING SESSION FIXATION** // Session ID cannot be passed through URLs ini_set('session.use_only_cookies'

Session hijacking and PHP

末鹿安然 submitted on 2019-11-27 04:01:16
Let's just consider the trust that the server has with the user. Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php) Session sidejacking: SSL encryption for the entire site. Am I safe? Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding". You should use this code in a php header file: ini_set('session.cookie_secure',1); ini_set('session.cookie_httponly',1); ini_set('session.use_only_cookies',1); session_start(); This code prevents session fixation. It also

Proper session hijacking prevention in PHP

我们两清 submitted on 2019-11-26 12:06:20
Question: I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example: // **PREVENTING SESSION HIJACKING** // Prevents javascript XSS attacks aimed to steal the session ID ini_set('session.cookie_httponly', 1); // Adds entropy into the randomization of the session ID, as PHP's random number // generator has some known flaws ini_set('session.entropy_file', '/dev/urandom'); // Uses a strong hash ini_set('session.hash_function', 'whirlpool');

Session hijacking and PHP

早过忘川 submitted on 2019-11-26 10:59:35
Question: Let's just consider the trust that the server has with the user. Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php) Session sidejacking: SSL encryption for the entire site. Am I safe? Answer 1: Read OWASP A3-Broken Authentication and Session Management. Also read about OWASP A5-CSRF, which is sometimes called "session riding". You should use this code in a php header file: ini_set('session.cookie_secure',1); ini_set('session.cookie_httponly',1