Session Security
Many programmers use server sessions to carry user data (name, preferences, etc.) from page to page on their web sites. But if you also use the session to control access, that is, set a session flag on successful log in and test for that flag on every password protected page, the session ID becomes the only thing standing between a visitor and the logged-in user's pages, and you open yourself to 'session hijacking'.
Session hijacking occurs when a malicious user obtains the session ID of a user who is currently logged in, for example by intercepting it in transit (see transmission security for more about how this may be done). The server cannot tell who is presenting the ID: any request that carries a valid, active session ID is treated as coming from that session's owner. So if your protected pages only test for a logged-in flag, whoever holds a copied ID gets the access permissions of the user it was stolen from, for as long as that session stays alive. The generic session ID your server hands out is therefore not, on its own, sufficient proof of identity. The defence below adds a second check: at log in it records details of the client that authenticated, and every protected page compares them against the current request, so a copied ID presented from somewhere else is refused. Here's a simple PHP script that accomplishes this.
On log in, once the user's credentials have been verified and the authenticated user's ID has been stored in $_SESSION['userID'], set this session variable:

session_start();
// Record the client's IP address together with the authenticated user's ID,
// so both can be re-checked on every protected page.
$_SESSION['valid_log'] = array($_SERVER['REMOTE_ADDR'], $_SESSION['userID']);

This creates an array holding the IP address of the computer the user is connecting from (index 0) and the unique userID of the authenticated user (index 1).
At the top of every page you want to password protect, check that the session carries this record and that it still matches the current request:

session_start();
if (!isset($_SESSION['valid_log'], $_SESSION['userID'])
    || $_SESSION['valid_log'][0] !== $_SERVER['REMOTE_ADDR']
    || $_SESSION['valid_log'][1] !== $_SESSION['userID'])
{
    // Either nobody has logged in on this session, or the request does not
    // match the client that logged in: destroy the session and stop.
    session_destroy();
    echo('Invalid Session ID.<br>Your session has been terminated.');
    exit();
}
Now, if someone presents an intercepted session ID from a different computer, the IP address stored at log in will not match and the code above denies access. Two caveats apply. The userID comparison compares two values that both live in the same session store, so it only guards against the session data itself being altered; the IP check is doing the real work against a hijacker. And users whose address changes mid-session (mobile networks, some proxies and load balancers) will be logged out by this check, so treat it as one layer of defence alongside protecting the session ID in transit, not as a replacement for it.
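The following is an added example, not code from the original article: it carries the same idea (bind the session to the client that logged in and re-check on every protected page) through a complete login, check and logout flow, and adds the related protections a practitioner would want next to it: cookie flags so the ID is not sent in the clear or readable by scripts, session_regenerate_id() at log in so any ID the attacker already holds is discarded, an idle timeout, and a User-Agent component in the fingerprint. The function names (secure_session_start, client_fingerprint, login_session, session_is_valid, logout_session) and the 30-minute idle limit are this example's own choices, and it assumes some separate code has already verified the user's password and produced a numeric user ID. It needs PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie().

```php
<?php
// Added example (not from the original article): helpers that harden PHP
// session handling against replay of a stolen session ID.
// Assumption (hypothetical): the caller has already verified the user's
// credentials and obtained their numeric ID before calling login_session().

declare(strict_types=1);

// 1. Cookie and engine settings. Call before anything else on every request.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,          // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,       // only ever sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',   // not sent on cross-site requests
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();
}

// 2. Fingerprint of the connecting client. The IP address is what the article
//    checks; the User-Agent is added so an ID replayed from a different browser
//    is also caught. Hashed so the session store holds no raw header text.
function client_fingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

// 3. Call after credentials have been verified. Regenerating the ID discards
//    any ID the attacker may already hold (sniffed or fixated before log in),
//    then binds the fresh session to this client and stamps the time.
function login_session(int $userID): void
{
    session_regenerate_id(true);           // new ID; old one deleted server-side
    $_SESSION['userID']    = $userID;
    $_SESSION['valid_log'] = [
        'fp'   => client_fingerprint(),
        'time' => time(),
    ];
}

// 4. Put at the top of every protected page. True only if the request carries
//    a session that was authenticated from this same client and is not stale.
function session_is_valid(int $maxIdleSeconds = 1800): bool
{
    if (!isset($_SESSION['userID'],
               $_SESSION['valid_log']['fp'],
               $_SESSION['valid_log']['time'])) {
        return false;                      // nobody has logged in on this session
    }
    // hash_equals: constant-time comparison of the stored and current fingerprint
    if (!hash_equals($_SESSION['valid_log']['fp'], client_fingerprint())) {
        return false;                      // ID presented from a different client
    }
    if (time() - (int) $_SESSION['valid_log']['time'] > $maxIdleSeconds) {
        return false;                      // idle too long: stolen IDs have a short life
    }
    $_SESSION['valid_log']['time'] = time(); // sliding idle timeout
    return true;
}

// 5. Tear the session down completely rather than just unsetting a flag.
function logout_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage at the top of a protected page:
//   secure_session_start();
//   if (!session_is_valid()) {
//       logout_session();
//       http_response_code(403);
//       exit('Invalid session. Your session has been terminated.');
//   }
```

The fingerprint check inherits the caveat from the article's own IP test: a legitimate user whose address or browser string changes mid-session will be logged out, which is why the example also regenerates the ID and limits idle time rather than relying on the fingerprint alone. None of this helps if the ID is exposed in transit, which is what the cookie flags and HTTPS requirement are for.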