Preventing Session Hijacking, CSRF


#1 visionviper (CC Lurker, 5 posts)

Posted 25 September 2011 - 08:17 AM

I am creating what amounts to a pretty basic PHP application. I am doing this because I want to learn important concepts in PHP programming and in securing PHP applications for a much bigger project that I have.

So I've been doing my best to read up on different ways of securing PHP applications against different types of attacks, and I think I have found what appear to be the best ways of preventing these two types of attacks.

Session hijacking: Create an encrypted session id that has to be matched to the decrypted id for that user. (Decrypted ID stored in the database?)

CSRF: Create a random code after every request and make sure this matches the next request. (Where would this be stored? One in the database and one as a session variable?)

Any comments/help/additional reading you guys can give me on this would be great.

#2 Vaielab (Programming God, Expert Member, 1382 posts, Quebec City)

Posted 25 September 2011 - 08:40 AM

Your method is good, but has a flaw.
If the user sends one request, and before receiving the response he sends another request (via another tab), your protection will flag this as a session hijack.

And you should store those variables in session variables, since you will always need them and they don't need to be stored after the session is ended.

Me, I like to use the browser info as additional information. Since the same session can't be used in Firefox and Chrome at the same time, it's a little plus for security. But beware, don't use the whole browser identification string, since on Firefox, when Firebug is activated, the browser id changes.

And if you are on a shared browser, you should think about moving the directory for your sessions, or maybe using a MySQL session handler for storing your sessions.
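The session-side advice in this reply (keep the check state in $_SESSION, bind the session to a coarse browser identifier rather than the full User-Agent string, and rotate the id) can be put together as follows. This is an added example, not code from the thread or from any poster; the function names are hypothetical, the browser-label regex is a deliberate simplification, and it assumes PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Added example (not from the thread): starting a PHP session with the
// hardening the reply above describes. Function names are hypothetical.

declare(strict_types=1);

// Reduce the User-Agent to "Product/major" so a Firefox add-on that alters
// the UA string (Firebug, as the reply notes) does not invalidate the
// session. Unknown browsers map to a fixed label, never to the raw string.
// Simplified on purpose: real UA parsing has many more cases.
function browser_label(string $userAgent): string
{
    if (preg_match('#\b(Firefox|Chrome|Safari|MSIE)/(\d+)#', $userAgent, $m)) {
        return $m[1] . '/' . $m[2];
    }
    return 'other';
}

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie-only sessions, reject ids the server never issued,
    // and keep the cookie away from scripts and plain HTTP.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $fingerprint = hash('sha256', browser_label($_SERVER['HTTP_USER_AGENT'] ?? ''));

    if (!isset($_SESSION['fingerprint'])) {
        // First request of a fresh session: record the binding in the session,
        // as the reply suggests, rather than in a database table.
        $_SESSION['fingerprint'] = $fingerprint;
        $_SESSION['created']     = time();
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        // Same id presented from a different browser family: discard the session.
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session invalid.');
    }
}

// Call after a successful login so the pre-login session id is never reused.
function rotate_session_after_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Because the comparison is against a coarse label, opening a second tab in the same browser passes the check, which avoids the false positive the reply warns about with per-request tokens; the cost is that the binding only distinguishes browser families, so it complements rather than replaces cookie flags and id rotation.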

#3 visionviper (CC Lurker, 5 posts)

Posted 25 September 2011 - 09:09 AM

(Quoting Vaielab's post #2 above)


I didn't even think about different tabs/windows. Can you give me a little more info about how you prevent a CSRF in your PHP applications?

#4 Vaielab (Programming God, Expert Member, 1382 posts, Quebec City)

Posted 25 September 2011 - 10:34 AM

First thing is to be certain to protect against XSS.
Everything should be sanitized: strip the HTML from every user input, and if you need the HTML, you should check it with a script like HTMLPurifier or PHPIDS.

Then I use two session cookies and I check for the browser name & version before loading the session.

And each time I print a form, I create a special unique id in an array in the session, with the page where the form will take the user and an expiry time. And I echo the id inside a hidden input.
The reason I put it in an array is because of the tabs/windows. A user could load the form many times in multiple windows/tabs and it will still work.
And when the unique id is used, I delete it from the session. So this can prevent double posts too (2 good things in one).

If you are using Zend Framework, you could use the built-in function; for more info take a look at How to CSRF protect all your forms | CodeUtopia - The blog of Jani Hartikainen

And if you ever find a way to protect more, post it here, I will be happy to know about new ways to protect myself.
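The per-form token scheme in this reply (an array of ids in the session, each bound to the target page and an expiry, echoed in a hidden input and deleted on use) looks like this in code. This is an added example, not code from the thread or from any poster; the function names, the constants and the cap on stored tokens are assumptions, and it assumes PHP 7.4 or later for the ??= operator and random_bytes.

```php
<?php
// Added example (not from the thread): per-form CSRF tokens kept in a
// session array so several open tabs each hold their own valid token.
// Names and constants are hypothetical.

declare(strict_types=1);

const CSRF_TTL        = 1800; // seconds a form token stays valid (assumption)
const CSRF_MAX_TOKENS = 50;   // cap so many open tabs cannot grow the session unboundedly

// Drop expired tokens and, if still over the cap, the oldest ones.
function csrf_prune(): void
{
    $now = time();
    foreach ($_SESSION['csrf'] as $t => $meta) {
        if ($meta['expires'] < $now) {
            unset($_SESSION['csrf'][$t]);
        }
    }
    while (count($_SESSION['csrf']) > CSRF_MAX_TOKENS) {
        array_shift($_SESSION['csrf']); // PHP arrays keep insertion order: oldest first
    }
}

// Issue a token bound to the action URL the form posts to.
function csrf_issue(string $action): string
{
    $_SESSION['csrf'] ??= [];
    csrf_prune();
    $token = bin2hex(random_bytes(32)); // CSPRNG, 256 bits
    $_SESSION['csrf'][$token] = ['action' => $action, 'expires' => time() + CSRF_TTL];
    return $token;
}

// Validate and consume: a token is good once only, and only for its own action.
function csrf_consume(string $action, ?string $token): bool
{
    if ($token === null || !isset($_SESSION['csrf'][$token])) {
        return false;
    }
    $meta = $_SESSION['csrf'][$token];
    unset($_SESSION['csrf'][$token]); // single use: blocks replay and double posts
    return $meta['expires'] >= time() && hash_equals($meta['action'], $action);
}

// The hidden input to print inside the form for $action.
function csrf_hidden_input(string $action): string
{
    $token = csrf_issue($action);
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Usage in a POST handler, after the session has been started:
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//     && !csrf_consume('/profile/update', $_POST['csrf_token'] ?? null)) {
//     http_response_code(403);
//     exit('Invalid or expired form token.');
// }
```

Binding each token to its action means a token issued for one form cannot be replayed against another handler, and the expiry plus the cap keep the session array bounded even if a user leaves many forms open. Note that this protects forms only if the XSS point made first in the reply holds: a script running in the page can read the hidden input, so output escaping (as with htmlspecialchars above) has to be applied everywhere user data is printed.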

#5 visionviper (CC Lurker, 5 posts)

Posted 25 September 2011 - 12:22 PM

(Quoting Vaielab's post #4 above)


So basically if I just extended my existing idea for preventing CSRF attacks to keep track of more than just a single unique value then that should do it? (with correct application of course).

#6 visionviper (CC Lurker, 5 posts)

Posted 25 September 2011 - 12:37 PM

(Quoting Vaielab's post #4 above)


So if I just updated my original idea for CSRF prevention to include a list of valid IDs then that should take care of it, right?