
Preventing Session Hijacking?

prevent session hijacking

3 replies to this topic

#1 Pally

Pally

    CC Devotee

  • Senior Member
  • 413 posts

Posted 20 December 2013 - 11:41 AM

Hi everyone, I was thinking about session hijacking today and my initial thought was that if I just kept a user's IP stored in the session and used a filter on the server to always compare and confirm the IP in the session matches the web user's IP, wouldn't this prevent session hijacking? (Of course assuming a mismatch destroys the session.)


Thank you!

Your Friendly Neighborhood Pally

#2 WingedPanther73

WingedPanther73

    A spammer's worst nightmare

  • Moderator
  • 17757 posts

Posted 20 December 2013 - 11:45 AM

For the most part, yes. If you have two people who are remote from one network, however, one could hijack the session of the other. If this is on a LAN, you should have it covered, though.


Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

My MineCraft server site: http://banishedwings.enjin.com/


#3 Alexander

Alexander

    YOL9

  • Moderator
  • 3963 posts

Posted 20 December 2013 - 02:06 PM

IP is acceptable because the conditions where dynamic IP addresses change are those where logging in to a website once more will be understandable.

Within IPs, upon login after viewing the website initially, the SID can be regenerated to prevent fixation and a few common exploits where the attacker fixes a SID on to the victim.

i.e.

- Attacker of IP 1.2.3.4 forces SID 0123 on to victim with IP 1.2.3.4.
- Victim visits.
- Attacker has session.
- Victim logs in, session is regenerated.
- Attacker no longer has the session.

Alexander.


All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.


#4 Vaielab

Vaielab

    Programming God

  • Expert Member
  • 1382 posts

Posted 21 December 2013 - 04:30 AM

To help prevent session hijacking, I normally use 2 cookies, verify the IP and part of the browser name (I say part because on Firefox, the name changes depending on whether Firebug's console is open or not).

And of course, if you have sensitive information, SSL.


You can now stalk me on linkedin: http://ca.linkedin.c...elle/24/b44/88/ !
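The three defences discussed in this thread combined in one server-side session store, as an added example that is not code from any of the posters: IP binding with destroy-on-mismatch (#1), SID regeneration on login so a fixed SID stops resolving (#3), and binding only part of the browser name rather than the full User-Agent (#4). The `Session` and `SessionStore` names, the choice of the leading User-Agent token as the "part of the browser name", and the sample values are assumptions made for this illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    ip: str                      # client IP recorded when the session began
    ua_prefix: str               # part of the browser name, not the full UA
    user: Optional[str] = None   # None until login succeeds


def ua_prefix(user_agent: str) -> str:
    """Leading product token only (an assumed choice), so add-ons that
    append to the User-Agent string do not trip the check."""
    return user_agent.split(" ", 1)[0]


class SessionStore:
    """Server-side store; the browser only ever holds the opaque SID."""

    def __init__(self) -> None:
        self._sessions = {}

    def start(self, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)          # 256-bit, unguessable
        self._sessions[sid] = Session(ip, ua_prefix(user_agent))
        return sid

    def resume(self, sid: str, ip: str, user_agent: str) -> Optional[Session]:
        """Per-request filter: hand back the session only when the caller
        matches the bound IP and UA prefix; on any mismatch destroy it."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess.ip != ip or sess.ua_prefix != ua_prefix(user_agent):
            del self._sessions[sid]              # mismatch kills the session
            return None
        return sess

    def login(self, sid: str, ip: str, user_agent: str, user: str) -> Optional[str]:
        """Authenticate, then issue a fresh SID and drop the old one, so a
        SID that was fixed on the victim beforehand no longer resolves."""
        if self.resume(sid, ip, user_agent) is None:
            return None
        del self._sessions[sid]                  # old SID is now worthless
        new_sid = self.start(ip, user_agent)
        self._sessions[new_sid].user = user
        return new_sid
```

Walking Alexander's list through this store: a SID created before login still resumes from 1.2.3.4, but once `login()` has run for that SID, `resume()` on the old value returns `None` while the new SID carries the logged-in user.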
