I don't know how to prevent session hijacking and session fixation. I read a book on PHP (a cookbook), but I could not grasp the concept. So what's the procedure? Please help. Thanks.
@priyankagound Sep 28, 2013 —
The best method to prevent session hijacking is to make sure an attacker cannot find out another user's session ID. This means you should design your application and its session management keeping the following things in mind:
1. An attacker cannot guess a valid session ID, because it has enough entropy.
2. There is no other way for an attacker to obtain a valid session ID through known attacks like sniffing the network communication, Cross-Site Scripting, etc.
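As an added example (not code from the post above or from any book), here is a PHP session bootstrap that covers both points: high-entropy session IDs with strict-mode rejection of unknown IDs, cookie flags that close the sniffing and XSS leakage paths, and regeneration of the ID at login, which is the direct defence against session fixation. The directive names are the real PHP session settings; the cookie name `APPSESSID` and the single-host cookie domain are assumptions for the example.

```php
<?php
// Added example: hardened PHP session bootstrap (not from the original post).
// session.sid_length / sid_bits_per_character need PHP >= 7.1; the array form
// of session_set_cookie_params() needs PHP >= 7.3.

function secure_session_start(): void
{
    // Point 1: enough entropy that a valid ID cannot be guessed.
    // 48 characters from a 64-symbol alphabet = 288 bits of entropy.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // Reject any session ID the server did not issue itself. This is what
    // stops session fixation: an attacker cannot plant an ID of their own
    // choosing and wait for the victim to log in under it.
    ini_set('session.use_strict_mode', '1');

    // Point 2: deny the known leakage paths.
    // Accept the ID only from the cookie, never from the URL, so it does not
    // end up in Referer headers, proxy logs or bookmarks.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, dropped on close
        'path'     => '/',
        'domain'   => '',       // assumption: single host, default domain
        'secure'   => true,     // never sent over plain HTTP (defeats sniffing)
        'httponly' => true,     // not readable from JavaScript (blunts XSS theft)
        'samesite' => 'Lax',
    ]);

    session_name('APPSESSID');  // assumption: an application-specific cookie name
    session_start();
}

function login_user(int $userId): void
{
    // A privilege change is the moment to discard the pre-authentication ID.
    // Passing true deletes the old session data so the old ID is unusable.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();   // last time a password was verified
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage: call secure_session_start() before any output on every page, and
// login_user() only after the user's credentials have been verified.
```

The important ordering is that every `ini_set()` and `session_set_cookie_params()` call happens before `session_start()`; once the session has started, changes to those directives do not affect the current request.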
@NogDog Sep 29, 2013 —
One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again. This is not a cure-all, but it can help in some cases, in particular against someone sniffing the cookies on a non-HTTPS connection (another good reason to use HTTPS?).
It's also a good idea to make the user log in again any time they hit a particularly sensitive page and their last log-in was more than some arbitrary time in the past.
For more details and other ideas, I recommend [url=http://phpsecurity.org/]Essential PHP Security[/url].
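An added example (not code from the post above) of the second suggestion: forcing a fresh password check before a sensitive page when the last one is older than a threshold. It assumes the session was started elsewhere and that login stored `$_SESSION['user_id']` and `$_SESSION['auth_time']` (the Unix time of the last password verification); `find_password_hash()` is a hypothetical lookup into the user store, replaced here by a constructed row so the file runs stand-alone.

```php
<?php
// Added example: step-up re-authentication for sensitive pages.
declare(strict_types=1);

const REAUTH_MAX_AGE = 15 * 60;   // 15 minutes; tune per page sensitivity

function find_password_hash(int $userId): ?string
{
    // Hypothetical user-store lookup. Constructed sample data stands in for a
    // database query so the example runs without one.
    static $users = null;
    if ($users === null) {
        $users = [42 => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users[$userId] ?? null;
}

function auth_is_recent(int $maxAge = REAUTH_MAX_AGE, ?int $now = null): bool
{
    $now      = $now ?? time();
    $authTime = (int)($_SESSION['auth_time'] ?? 0);
    // Reject a timestamp from the future as well as a stale one; a tampered or
    // mis-set clock must not grant an indefinitely "recent" login.
    return isset($_SESSION['user_id'])
        && $authTime <= $now
        && ($now - $authTime) <= $maxAge;
}

function safe_return_path(string $path): string
{
    // Only same-site absolute paths are accepted, so the stored redirect
    // target cannot be turned into an open redirect.
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return '/';
    }
    return $path;
}

function require_recent_auth(string $returnTo, int $maxAge = REAUTH_MAX_AGE): void
{
    if (auth_is_recent($maxAge)) {
        return;
    }
    $_SESSION['reauth_return_to'] = safe_return_path($returnTo);
    header('Location: /reauth.php', true, 303);   // assumption: re-login form lives here
    exit;
}

function reauthenticate(string $password): bool
{
    $hash = isset($_SESSION['user_id'])
        ? find_password_hash((int)$_SESSION['user_id'])
        : null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // A successful password check is a privilege change: rotate the session ID
    // so an ID that leaked earlier does not inherit the fresh window.
    session_regenerate_id(true);
    $_SESSION['auth_time'] = time();
    return true;
}

// Usage on a sensitive page, e.g. change-email.php:
//   session_start();
//   require_recent_auth($_SERVER['REQUEST_URI']);
//   ... render the form only if we got past the check ...
```

Keeping the timestamp of the last password check separate from the session's own lifetime is the point: the session can stay valid for hours, while the window for changing an e-mail address or password is measured in minutes.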
@gvre Sep 29, 2013 —
[QUOTE=NogDog]One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again.[/QUOTE]
I would not suggest using the IP for tracking purposes, because a single user can use a different IP address for each request (the request might come from a different proxy). Also, multiple users might use the same IP address (many computer labs use an HTTP proxy).
@NogDog Sep 29, 2013 —
[QUOTE=gvre]I would not suggest using the IP for tracking purposes, because a single user can use a different IP address for each request (the request might come from a different proxy).[/QUOTE]
Yes, in theory they [i]could[/i], but I suspect the number of people who use a different proxy for each page request from the same site during the same browsing session is very, very small?
[QUOTE=gvre]Also, multiple users might use the same IP address (many computer labs use an HTTP proxy).[/QUOTE]
That won't matter for what I'm suggesting, though it would mean that if, say, a co-worker stole your session cookie, then that technique would not help.
@gvre Sep 29, 2013 —
[QUOTE=NogDog]Yes, in theory they [i]could[/i], but I suspect the number of people who use a different proxy for each page request from the same site during the same browsing session is very, very small?[/QUOTE]
Not necessarily. Some ISPs use round-robin proxies for their clients. Furthermore, users may use load balancing on multiple internet connections, so their IP might change often.
(The thread would seem to agree that the best way is to make the session ID as unknowable as possible (high entropy in the ID, mandatory HTTPS, and the PHP session settings noted above) and not to try to detect changes via IP address, User-Agent header, etc.)