Session hijacking
What if an attacker somehow discovers the regenerated token?
```php
<?php
# One request header that is particularly helpful ...
# and does not change between requests - User-Agent header

# Secure php.ini settings (must be applied before session_start())
ini_set("session.use_trans_sid", 0);   // default 0: never embed the session ID in URLs
ini_set("session.use_cookies", 1);     // default 1
ini_set("session.use_only_cookies", 1); // default 1: ignore a PHPSESSID passed in the query string
session_start();

if (isset($_GET['btn_submit'])) {
    // Demo login only: the password is not verified here
    if ($_GET['username'] == 'john') {
        $_SESSION['username'] = 'john';
        session_regenerate_id(true); # PHPSESSID is changed
        $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? ''; # Look Here
        // Mozilla/5.0 (Windows NT 6.1; WOW64) ....
    }
}

# A logged-in session whose stored User-Agent no longer matches the current
# request is treated as a hijack attempt; check this before sending any output
if (isset($_SESSION['user_agent'])
    && $_SESSION['user_agent'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '')) {
    die("Hijack attempt");
}

echo "Sessionid: " . session_id();
echo "Logged user: " . ($_SESSION['username'] ?? '');
echo "User_Agent: " . ($_SERVER['HTTP_USER_AGENT'] ?? '');
# http://localhost/test.php?PHPSESSID=kta1va58aevngk6r7hkvodspf2
?>
<?php if (empty($_SESSION['username'])): ?>
<form method="GET">
    Username: <input type="text" name="username" value="john"/>
    Password: <input type="password" name="password" />
    <input type="submit" name="btn_submit" value="Log In"/>
</form>
<?php endif; ?>
```
It is unlikely that a user will change from one browser to another while using the same session.
```text
# Test this in another browser ...
# as if you are an attacker
http://localhost/test.php?PHPSESSID=q3lj07kk0v5ffvan5g1uf4gfl5
# Output: Hijack attempt
```
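The same User-Agent binding, as an added example that is not code from the original page: the comparison is factored into a pure function that can be tested with constructed arrays, and the session is started with `session.use_strict_mode` and cookie flags so an ID pasted into the URL or read by script is rejected or useless. The function names, the `fingerprint` session key and the sample User-Agent strings are my own assumptions.

```php
<?php
declare(strict_types=1);

// Fingerprint = SHA-256 of the User-Agent; hashing avoids storing the raw header
// and lets the comparison use hash_equals(). The 'fingerprint' key is my own choice.
function clientFingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// Pure check: a session with no stored fingerprint (not logged in yet) is not a mismatch.
function sessionMatchesClient(array $session, array $server): bool
{
    if (!isset($session['fingerprint'])) {
        return true;
    }
    return hash_equals($session['fingerprint'], clientFingerprint($server));
}

// Start the session so a leaked or URL-supplied ID is much less useful,
// then enforce the User-Agent binding before any output is produced.
function secureSessionStart(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs this server never issued
    session_set_cookie_params([
        'httponly' => true,  // not readable by JavaScript
        'secure'   => true,  // only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();

    if (!sessionMatchesClient($_SESSION, $_SERVER)) {
        $_SESSION = [];
        session_regenerate_id(true); // old ID is deleted, so the stolen copy dies with it
        http_response_code(403);
        exit('Hijack attempt');
    }
}

// On successful authentication: fresh ID (anti-fixation) and bind to the client.
function loginUser(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username']    = $username;
    $_SESSION['fingerprint'] = clientFingerprint($_SERVER);
}

// Constructed sample: the same session data seen from a different browser is rejected.
$browser = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 6.1; WOW64)'];
$stored  = ['username' => 'john', 'fingerprint' => clientFingerprint($browser)];
var_dump(sessionMatchesClient($stored, $browser));                         // same browser
var_dump(sessionMatchesClient($stored, ['HTTP_USER_AGENT' => 'curl/7.68.0'])); // other client
```

The User-Agent is supplied by the client, so a copy of the session that also carries the same header passes this check; treat the binding as defence in depth behind strict mode, the cookie flags and regeneration on login.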
Last update: 504 days ago