Session Hijacking - Tricks

Hi guys,

Here I suggest some code to prevent session hijacking. I don't know if I am going in the right way; let's start our discussion to improve it more!

I understood the concept here

Anyway, this might be silly, but I tested it and it works fine!

You can put the following code in onBeginRequest or in beforeAction of the controller.php file:


if (isset(Yii::app()->session['SERVER_ADDR'])) {
    // Compare the fingerprint stored at the start of the session with the one for this request
    if (Yii::app()->session['SERVER_ADDR'] != md5($_SERVER['SERVER_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
        // Overwrite the session cookie so the presented session id is no longer sent
        Yii::app()->request->cookies['PHPSESSID'] = new CHttpCookie('PHPSESSID', rand(1, 1000));
        // Common error page which shows nothing, i.e. may be "access forbidden"
        Yii::app()->request->redirect(Yii::app()->createAbsoluteUrl('site/Hijack'));
    }
} else {
    // First request of the session: store the fingerprint
    Yii::app()->session['SERVER_ADDR'] = md5($_SERVER['SERVER_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
}

I don’t get it … Why are you using SERVER_ADDR and not REMOTE_ADDR? And what’s with that new PHPSESSID cookie with hilariously poor entropy?

You can check with your application as follows.

  1. Log in to your application and copy the PHPSESSID cookie on computer1.

  2. Open the same application on another computer (computer2) and, without logging in, change its PHPSESSID cookie to the one from computer1.

  3. Computer2 is now logged into the system directly.

Then put the above code from this thread in the controller's beforeAction and check the above steps again.

That’s a known issue. The session cookie is essentially authentication by property. If it gets stolen, you’ve lost. I still don’t see why you are using SERVER_ADDR as a secret. REMOTE_ADDR would be a better choice, I think. And there really has to be a better way to invalidate sessions than that.

Thank you so much. It must be REMOTE_ADDR. Let's change it now… and rewrite the code below…


if (isset(Yii::app()->session['REMOTE_ADDR'])) {
    // Compare the fingerprint stored at the start of the session with the one for this request
    if (Yii::app()->session['REMOTE_ADDR'] != md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
        // Overwrite the session cookie so the presented session id is no longer sent
        Yii::app()->request->cookies['PHPSESSID'] = new CHttpCookie('PHPSESSID', rand(1, 1000));
        // Common error page which shows nothing, i.e. may be "access forbidden"
        Yii::app()->request->redirect(Yii::app()->createAbsoluteUrl('site/Hijack'));
    }
} else {
    // First request of the session: store the fingerprint
    Yii::app()->session['REMOTE_ADDR'] = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
}


Kindly let me have more questions from you guys!!!
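An added example, not code from this thread, of the same REMOTE_ADDR + User-Agent binding done with a keyed hash, a constant-time comparison and a real session teardown instead of a random PHPSESSID. It is plain PHP so it runs on its own; the secret key, the function names and the two client addresses are my own assumptions.

```php
<?php
// Hypothetical server-side secret: load it from config in a real deployment.
const FINGERPRINT_KEY = 'replace-with-a-long-random-secret';

// Keyed hash of REMOTE_ADDR + User-Agent. Unlike md5(), the stored value cannot be
// reproduced by someone who merely knows the victim's address and browser string.
function session_fingerprint(array $server, string $key = FINGERPRINT_KEY): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ip . "\0" . $ua, $key);
}

// Binds a fresh session on first use; afterwards returns false when the request
// fingerprint differs from the one stored at login.
function session_matches(array &$session, array $server): bool
{
    $current = session_fingerprint($server);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $current;
        return true;
    }
    return hash_equals($session['fingerprint'], $current); // constant-time compare
}

// Destroys the server-side session and expires the cookie, instead of handing the
// browser a new PHPSESSID drawn from rand(1, 1000).
function invalidate_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Constructed walk-through mirroring the two-computer test from the thread.
$session = [];
$computer1 = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)'];
$computer2 = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)'];
session_matches($session, $computer1);        // login on computer1 binds the session
if (!session_matches($session, $computer2)) { // the same cookie presented from computer2
    invalidate_session();                     // log the session out, then redirect as before
}
```

Binding to REMOTE_ADDR also logs out users whose address changes mid-session (mobile carriers, proxy pools), so treat a mismatch as a forced re-login rather than proof of an attack. In Yii 1.1 the same check fits in beforeAction or onBeginRequest, with Yii::app()->session->destroy() in place of invalidate_session().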

NOTE: moved to proper forum section (Tips, Snippets and Tutorials instead of General Discussion for Yii 1.1.x)