Topic awaiting preservation: Sessions SSL (Page 1 of 1)

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 10-21-2006 01:56

Hey,

I've been doing a bit of reading on PHP sessions... I've got no problems understanding how to use sessions (how to set and get them etc.); I'm just not comfortable with the security side of things. I've read a bit about checking IPs and whatnot along with the sessions, but it's just not making a lot of sense to me as I'm just not sure what I'm even trying to stop/block... I do have SSL set up and I'm wondering how much that covers as far as security goes with session handling... if everything is under SSL do I even need to worry?

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 10-21-2006 11:46

HTTP (and https) don't have state.
Every connection is a 'new connection'.

Now a session introduces such state, either via cookies, or by modifying URLs.

What you want to prevent is somebody 'stealing a session', i.e. transferring the state to another machine.
(Note that the attacker needs to somehow capture the session identifier for this.)

The most common approach to close that (tiny) loophole is to check the client's IP on each visit (and store the IP in your session data).
But you'll lock out people who have 'round robin' proxies, and it won't help against an attacker who's using the same proxy, or can fake the IP (seldom, but possible).

In my mind, it usually isn't worth it. There are only three plausible ways to gain a session id:
- by listening to network traffic. Those guys are the ones that could have established a transparent proxy for the user in the first place, so you won't gain anything by checking the IP.
- by a cross-site scripting attack, getting the web browser to send the session id someplace else. Yes, you could prevent that attack with IP checking, but you're better off preventing cross-site scripting, as it also might be used to create sites that appear to come from you, but contain foreign content.
- by having a spy on the user's host. Guess what, that spy can also act as a proxy for the attacker, same IP, you still haven't gained anything.


So long,

->Tyberius Prime
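An added example, not from the thread, of the IP check Tyberius Prime describes, in PHP: the client IP is stored in the session data on the first visit and compared on every later one, and the cookie flags assume the site is served over SSL as redroy has it. The function name is illustrative.

```php
<?php
// Added example (not from this thread): bind a PHP session to the client's IP
// and reset the session if it changes. Returns true when the session is trusted,
// false when it was just reset (caller should treat the user as logged out).
function start_ip_bound_session(): bool
{
    // Cookie only travels over HTTPS (needs the SSL setup the thread mentions)
    // and is not readable by JavaScript, which narrows the sniffing and
    // cross-site scripting routes listed above.
    // Positional signature: (lifetime, path, domain, secure, httponly)
    session_set_cookie_params(0, '/', '', true, true);
    session_start();

    $client_ip = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['bound_ip'])) {
        // First visit: fresh id, remember the IP in the session data.
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $client_ip;
        return true;
    }

    if (!hash_equals($_SESSION['bound_ip'], $client_ip)) {
        // IP changed: possibly a transferred session, so drop everything it
        // held (login state included) and issue a new id; the old one is
        // deleted server-side. Users behind round-robin proxies land here too,
        // which is the lockout the post warns about.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $client_ip;
        return false;
    }

    return true;
}

// Usage: call before touching $_SESSION on every request.
if (!start_ip_bound_session()) {
    // e.g. redirect to the login page
}
```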

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 10-23-2006 02:11

Cool TP, thanks for the info... So basically you don't think it's a worry at all... is bothering with an SSL worth anything as far as sessions go?

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 10-23-2006 08:52

Bothering with encryption is always worth it.
(Well, you got to pay for a certificate, or SSL is not only useless, but actually creates a fake sense of security)

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 10-23-2006 16:07
quote:

Well, you got to pay for a certificate, or SSL is not only useless, but actually creates a fake sense of security

lol... Thanks again for your help TP!
