How exactly does session hijacking work in PHP?

If you're on the same IP and using the same browser, all you have to do is duplicate the session ID (and maybe other cookie values: I'm not really sure if browser-specific things like its agent string are tracked/compared; this is implementation dependent).

In general, there are different ways to track users (in the end it's just user tracking). For example, you could use a cookie or some hidden value inside the web page. You could as well use a value in HTTP GET requests, a Flash cookie or some other method of authentication (or a combination of these).

In the case of Facebook, they use several cookie values, so I'd just assume they use one of these values (e.g. 'xs').

Overall, there's no real 100% secure way to do it (e.g. due to man-in-the-middle attacks), but overall, I'd do the following:

  • Upon logging in, store the user's IP address, his browser agent string and a unique token (edit due to comment above: you could as well skip the IP address, making the whole thing a bit less secure).
  • Client side, store the user's unique id (e.g. user id) and that token (in a cookie or GET value).
  • As long as the data stored in the first step matches, it's the same user. To log out, simply delete the token from the database.

Oh, and just to mention it: All these things aren't PHP specific. They can be done with any server side language (Perl, PHP, Ruby, C#, ...) or server in general.


Lots of good questions, and good on you for asking them.

First.. a session is just a cookie. A 'session' is not something that's part of the HTTP stack. PHP just happens to provide some conveniences that make it easy to work with cookies, thus introducing sessions. PHP chooses PHPSESSID as a default name for the cookie, but you can choose any you want.. even in PHP you can change the session_name.

All an attacker has to do is grab that session cookie you're looking at and use it in their own browser. The attacker can do this with automated scripts or, for instance, using Firebug, where you can just change the current cookie values.

So yes, if I have your id.. I can steal your session if you didn't do anything to prevent it.

However.. the hardest part for an attacker is to obtain the cookie in the first place. The attacker can't really do this, unless:

  • They have access to your computer
  • They somehow are able to snoop in on your network traffic.

The first part is hard to solve.. there are some tricks you can do to identify the computer that started the session (check if the user agent changed, check if the IP address changed), but none are waterproof, and they are not so great solutions.

You can fix the second by ensuring that all your traffic is encrypted using HTTPS. There are very few reasons not to use HTTPS. If you have a 'logged in' area on your site, do use SSL!!

I hope this kind of answers your question.. A few other pointers I thought of right now:

  • Whenever a user logs in, give them a new session id
  • Whenever a user logs out, also give them a new session id!
  • Make sure that under no circumstances can the browser determine the value of the session cookie. If you don't recognize the cookie, regenerate a new one!
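The pointers in this answer (a custom session name, a new ID on login and on logout, rejecting cookies the server never issued, a user-agent check) put together as PHP; this is an added example, not code from either answer. The cookie name `myapp_sid` and the `login()`/`logout()` helpers are assumptions, and the options-array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example (not from the answers above): hardened PHP session handling
// following the second answer's pointers. The cookie name 'myapp_sid' and the
// login()/logout() helpers are assumptions made for this example.
declare(strict_types=1);

// Reject session IDs this server never issued, so a cookie value the browser
// (or whoever set it) chose is never adopted as a live session (session fixation).
ini_set('session.use_strict_mode', '1');

// Cookie flags: HTTPS only, unreadable from JavaScript, not sent cross-site.
// The options-array form of session_set_cookie_params() needs PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_name('myapp_sid');   // PHPSESSID is only the default name
session_start();

// Bind the session to the browser that started it. As the answer notes this is
// not waterproof (a user agent string is easy to copy), but it catches careless replay.
$fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $fingerprint)) {
    $_SESSION = [];
    session_regenerate_id(true);   // drop the suspicious session, continue anonymously
}

function login(int $userId, string $fingerprint): void
{
    // New ID on login: any pre-login ID someone else may already hold is
    // deleted server-side (the 'true' argument) and never becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
    $_SESSION['fp']  = $fingerprint;
}

function logout(): void
{
    // New ID on logout as well: clear the data and delete the old ID so the
    // value used while logged in cannot be replayed afterwards.
    $_SESSION = [];
    session_regenerate_id(true);
}
```

Call `login()` only after the credential check has passed, passing the `$fingerprint` computed above, and `logout()` from the logout handler; every later request then runs the fingerprint check before any `$_SESSION['uid']` is trusted.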