Yii Framework Forum: Session Hijacking - Tricks


Session Hijacking - Tricks (section: Tips and Tricks)

#1 Arockia Johnson

  • Junior Member
  • Group: Members
  • Posts: 94
  • Joined: 25-June 13

Posted 04 December 2013 - 02:25 AM

Hi guys,

Here I suggest some code to prevent session hijacking. I don't know if I am going in the right way; let's start our discussion to improve it!

I understood the concept here.

Anyway, this might be silly, but I tested it and it works fine!

You can put the following code in onBeginRequest or in beforeAction of the Controller.php file:

    // On the first request, store a fingerprint (md5 of SERVER_ADDR + User-Agent) in the
    // session; on later requests compare the stored value with the current one. On a
    // mismatch, overwrite the PHPSESSID cookie and send the user to an error page.
    if (isset(Yii::app()->session['SERVER_ADDR'])) {
        if (Yii::app()->session['SERVER_ADDR'] != md5($_SERVER['SERVER_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
            Yii::app()->request->cookies['PHPSESSID'] = new CHttpCookie('PHPSESSID', rand(1, 1000));
            // Common error page which shows nothing, i.e. maybe "access forbidden"
            Yii::app()->request->redirect(Yii::app()->createAbsoluteUrl('site/Hijack'));
        }
    } else {
        Yii::app()->session['SERVER_ADDR'] = md5($_SERVER['SERVER_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
    }


Thanks & Regards,
S.A. Johnson
www.arojohnson.tk

#2 Da:Sourcerer

  • Elite Member
  • Group: Members
  • Posts: 1,222
  • Joined: 30-March 11
  • Location: Berlin, Germany

Posted 04 December 2013 - 02:35 AM

I don't get it ... Why are you using SERVER_ADDR and not REMOTE_ADDR? And what's with that new PHPSESSID cookie with hilariously poor entropy?
programmer /ˈprəʊgramə/, noun: a device that converts ►coffee into ►code

#3 Arockia Johnson

  • Junior Member
  • Group: Members
  • Posts: 94
  • Joined: 25-June 13

Posted 04 December 2013 - 02:43 AM

You can check with your application as follows.

1. Log in to your application on computer 1 and copy the PHPSESSID cookie.
2. Open the same application on another computer (computer 2) and, without logging in, change its PHPSESSID cookie to the one from computer 1.
3. Computer 2 now directly logs into the system.

Then put the above code from this thread before the controller action and check the above steps again.


Da:Sourcerer, on 04 December 2013 - 02:35 AM, said:

> I don't get it ... Why are you using SERVER_ADDR and not REMOTE_ADDR? And what's with that new PHPSESSID cookie with hilariously poor entropy?

Thanks & Regards,
S.A. Johnson
www.arojohnson.tk

#4 Da:Sourcerer

  • Elite Member
  • Group: Members
  • Posts: 1,222
  • Joined: 30-March 11
  • Location: Berlin, Germany

Posted 04 December 2013 - 02:52 AM

That's a known issue. The session cookie is essentially authentication by property. If it gets stolen, you've lost. I still don't see why you are using the SERVER_ADDR as a secret. REMOTE_ADDR would be a better choice, I think. And there really has to be a better way to invalidate sessions than that.
programmer /ˈprəʊgramə/, noun: a device that converts ►coffee into ►code

#5 Arockia Johnson

  • Junior Member
  • Group: Members
  • Posts: 94
  • Joined: 25-June 13

Posted 04 December 2013 - 02:59 AM

Thank you so much. It must be REMOTE_ADDR. Let's change it now and rewrite the code below.


    // Same check as before, now keyed on the client's REMOTE_ADDR instead of the
    // server's own address: store md5(REMOTE_ADDR + User-Agent) in the session on the
    // first request and compare it on every later request.
    if (isset(Yii::app()->session['REMOTE_ADDR'])) {
        if (Yii::app()->session['REMOTE_ADDR'] != md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
            Yii::app()->request->cookies['PHPSESSID'] = new CHttpCookie('PHPSESSID', rand(1, 1000));
            // Common error page which shows nothing, i.e. maybe "access forbidden"
            Yii::app()->request->redirect(Yii::app()->createAbsoluteUrl('site/Hijack'));
        }
    } else {
        Yii::app()->session['REMOTE_ADDR'] = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
    }



Kindly let me have more questions from you guys!!!

Da:Sourcerer, on 04 December 2013 - 02:52 AM, said:

> That's a known issue. The session cookie is essentially authentication by property. If it gets stolen, you've lost. I still don't see why you are using the SERVER_ADDR as a secret. REMOTE_ADDR were a better choice, I think. And there really has to be a better way to invalidate sessions than that.

Thanks & Regards,
S.A. Johnson
www.arojohnson.tk
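The following is an added example, not code from this thread or from the Yii project. It takes the fingerprint check posted in #1 and #5 and addresses the two points raised in #2 and #4 (REMOTE_ADDR rather than SERVER_ADDR as the client identifier, and a real way to invalidate the session instead of overwriting PHPSESSID with a small random number), written against the Yii 1.1 API. It assumes a per-application secret in Yii::app()->params['sessionGuardSecret'], a 'site/hijack' route to land on, that the class lives in protected/components and is autoloaded, and PHP 5.6 or later for hash_equals(); all of these are the example's own choices.

```php
<?php
// Added example (not code from the thread or from Yii): a hardened form of the
// fingerprint check in #1/#5 for Yii 1.1. Assumes (hypothetical) a secret in
// Yii::app()->params['sessionGuardSecret'], a 'site/hijack' route, this file in
// protected/components (imported via 'application.components.*'), and PHP >= 5.6.
class SessionGuard
{
    const KEY = '_fp';   // session key that holds the fingerprint

    // Fingerprint = HMAC-SHA256(secret, REMOTE_ADDR . "\0" . User-Agent).
    // REMOTE_ADDR is the client; SERVER_ADDR (as #2/#4 note) is our own address
    // and the same for every visitor. Keying with a server secret means a client
    // cannot compute the value itself, and the NUL separator stops two different
    // (address, agent) pairs from concatenating to the same string.
    public static function fingerprint()
    {
        $request = Yii::app()->request;
        $data = $request->userHostAddress . "\0" . (string)$request->userAgent;
        return hash_hmac('sha256', $data, Yii::app()->params['sessionGuardSecret']);
    }

    // Handler for CApplication::onBeginRequest; can equally be called from
    // Controller::beforeAction().
    public static function check($event = null)
    {
        $session = Yii::app()->session;
        $session->open();
        $expected = self::fingerprint();

        if (!isset($session[self::KEY])) {
            // First request of this session: issue a fresh id, so an id that
            // arrived with the request (session fixation) is never kept, and
            // record the fingerprint.
            $session->regenerateID(true);
            $session[self::KEY] = $expected;
            return;
        }

        if (!hash_equals($session[self::KEY], $expected)) {
            Yii::log(
                'Session fingerprint mismatch for session ' . $session->sessionID
                . ' from ' . Yii::app()->request->userHostAddress,
                CLogger::LEVEL_WARNING,
                'application.security'
            );
            // Real invalidation, as #4 asks for: logout(true) clears the login
            // state and destroys the server-side session, so the presented id is
            // dead on both sides. Overwriting the PHPSESSID cookie with
            // rand(1, 1000) only changed the cookie object of the current request.
            Yii::app()->user->logout(true);
            Yii::app()->request->redirect(Yii::app()->createAbsoluteUrl('site/hijack'));
        }
    }
}

/* Matching settings for protected/config/main.php (also part of this added
   example). cookieMode 'only' refuses session ids passed in the URL, 'httponly'
   keeps document.cookie from reading PHPSESSID, and 'secure' is correct only
   when the site is served over HTTPS.

return array(
    'import' => array('application.components.*'),
    'components' => array(
        'session' => array(
            'class' => 'CHttpSession',
            'cookieMode' => 'only',
            'cookieParams' => array('httponly' => true, 'secure' => true),
        ),
    ),
    'params' => array('sessionGuardSecret' => 'replace-with-a-long-random-value'),
    'onBeginRequest' => array('SessionGuard', 'check'),
);
*/
```

Two caveats on the design. Binding a session to REMOTE_ADDR produces false positives for users whose address changes mid-session (mobile carriers, some corporate proxies), and behind a reverse proxy REMOTE_ADDR is the proxy's address for every client, so the check degrades to User-Agent only; treat the mismatch as a signal to log and re-authenticate rather than proof of theft. And, as #4 says, a fingerprint does not stop a copied cookie from being replayed from a matching client; HTTPS, the httponly flag and regenerating the id on login are what actually limit theft.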

#6 Maurizio Domba Cerin

  • Yii - Yesss It Is !!!
  • Group: Yii Dev Team
  • Posts: 4,355
  • Joined: 12-October 09
  • Location: Croatia

Posted 04 December 2013 - 03:08 AM

NOTE: moved to proper forum section (Tips, Snippets and Tutorials instead of General Discussion for Yii 1.1.x)
Find more about me.... btw. Do you know your WAN IP?