
Wouldn't regenerate_session_id regenerate the id for someone who intercepts a session id?

I'm having trouble understanding this, and I think my ignorance of web exploits is to blame. My understanding of session fixation goes like this:

  • Hacker uses some exploit to retrieve the session id of a currently logged in user.
  • Hacker uses session id to access the site, stealing the session and effectively logging in.

It's been recommended that you use regenerate_session_id to reduce the chances the hacker can intercept the session. Now wouldn't that trigger regenerate_session_id, updating the hacker with the session id while simultaneously logging out the user who was originally logged in? This seems like it would cause more harm than good, so I know I must be missing something in the picture here. What am I missing?

session_regenerate_id is a good way to prevent session hijacking because hijacking usually occurs in a later step after the session id was stolen.

For example:

  1. Visit a forum with an XSS injection
  2. User clicks on a link and it steals the session
  3. User realizes that it's not what he wanted, presses back
  4. Site regenerates a new session id, user is saved, session fixation doesn't occur as the session id stolen is probably not used immediately by the server.

If, for any reason, the fixation comes to be something live and very fast such as an automated process, then no, you're right, this will not save the user. This is why you should not rely only on session_regenerate_id but also on the IP address of the user.

if(!session_id()){
    session_start();
    // First request of this session: remember the client address it started from.
    if(!isset($_SESSION['user_ip'])){
        $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
    }
    // A later request from a different address means the id is being reused elsewhere.
    if($_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR']){
        session_unset();   // drop the session data server-side, not just this page
        session_destroy();
        exit('hijacking detected, session terminated');
    }
    // Issue a fresh id and delete the old one so a stolen id stops working.
    session_regenerate_id(true);
}

Obviously, if the hack comes from the same network such as a workplace, the IP detection won't work, so you can also use a UserAgent check. But this is getting a bit overkill depending on the sensitivity of your data.

Hope it helps...
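The point the answer makes (regenerate the id at the moment it matters, and bind the session to the client) as a combined, added example; this is not code from the answer above, and verify_credentials() is a hypothetical helper standing in for your own user lookup.

```php
<?php
// Added example: regeneration-on-login plus a client fingerprint check.
// Assumptions: a login form posts 'user'/'pass' and verify_credentials()
// is your own lookup (hypothetical helper, returns a user id or null).

function client_fingerprint(): string {
    // Bind the session to the remote address and User-Agent. Both can be
    // shared (NAT, proxies, same office), so this is a heuristic, not proof.
    return hash('sha256',
        ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

function secure_session_start(): void {
    session_set_cookie_params([
        'httponly' => true,   // keep document.cookie (XSS) away from the id
        'secure'   => true,   // only send the cookie over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();

    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = client_fingerprint();
    } elseif (!hash_equals($_SESSION['fp'], client_fingerprint())) {
        // Fingerprint mismatch: drop the session server-side, not just this page.
        $_SESSION = [];
        session_destroy();
        exit('session terminated');
    }
}

function login_user(int $userId): void {
    // The step that defeats fixation: whatever id the client arrived with
    // (possibly planted by an attacker) is discarded here, and passing true
    // deletes the old session file so that id can never be used again.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['fp'] = client_fingerprint();
}

secure_session_start();
if (isset($_POST['user'], $_POST['pass'])
    && ($id = verify_credentials($_POST['user'], $_POST['pass'])) !== null) {
    login_user($id);
}
```

Regenerating on every request, as in the answer's snippet, works too, but the login (or any privilege change) is the one point where regeneration must happen: before it, the session carries nothing worth stealing; after it, any pre-planted id is already dead.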
