PROGRAMMING REMEMBERS
Last update:   29-10-2021

Session hijacking

Regenerating the session identifier at login gives the user a fresh ID, so an attacker who fixed or sniffed the old one cannot use it. What if the attacker discovers the new ID as well, for example from a proxy log or an unencrypted connection? A second layer is to bind the session to something about the client that stays constant across its requests, record it at login, and compare it on every later request. One request header that is convenient for this and normally does not change between requests is the User-Agent header.
 
// Secure php.ini settings (set before session_start(); 0 = off, 1 = on)
ini_set("session.use_trans_sid", 0);    // default 0: never append the ID to URLs
ini_set("session.use_cookies", 1);      // default 1: send the ID in a cookie
ini_set("session.use_only_cookies", 1); // default 1: ignore IDs passed in the URL

session_start();

if (isset($_GET['btn_submit'])) {
   if ($_GET['username'] == 'john') {   // demo only: no password check, and a real login form uses POST
       $_SESSION['username'] = 'john';
       session_regenerate_id(true); // PHPSESSID is changed; true also deletes the old session file

       // Bind the session to the browser that logged in
       $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
           // Mozilla/5.0 (Windows NT 6.1; WOW64) ....
   }
}

echo "Sessionid: " . session_id();
echo "Logged user: " . ($_SESSION['username'] ?? '');
echo "User_Agent: " . ($_SERVER['HTTP_USER_AGENT'] ?? '');

// http://localhost/test.php?PHPSESSID=kta1va58aevngk6r7hkvodspf2
// (with use_only_cookies = 1 the ID in the URL is ignored; PHP reads it from the PHPSESSID cookie)

// On every later request: if this session was bound to a User-Agent at login
// and the current request carries a different one, refuse it and drop the session.
if (isset($_SESSION['user_agent'])) {
   if ($_SESSION['user_agent'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '')) {
       session_destroy();
       die("Hijack attempt");
   }
}
... 17 lines
 
 
<?php if (empty($_SESSION['username'])): ?>
   <!-- demo form; the handler above reads $_GET, a real login form should POST -->
   <form method="GET">
       Username: <input type="text" name="username" value="john"/>
       Password: <input type="password" name="password" />
       <input type="submit" name="btn_submit" value="Log In"/>
   </form>
<?php endif; ?>
... 2 lines
 
It is unlikely that a legitimate user switches from one browser to another in the middle of a session, so a User-Agent that differs from the one recorded at login is a reasonable signal of a hijacked session. Test it from another browser, acting as the attacker: take the session ID shown after login and present it to the server. Because session.use_only_cookies is 1, the ID must be sent as the PHPSESSID cookie; appended to the URL as below it is ignored and a fresh, empty session is started instead.
 
// Attacker's browser: same session ID, different User-Agent
// http://localhost/test.php?PHPSESSID=q3lj07kk0v5ffvan5g1uf4gfl5

// Output: Hijack attempt

The check only raises the bar. An attacker who captured the ID from a request log, a proxy or a network trace usually captured the User-Agent with it and can send the same string. The binding is therefore a second layer behind the measures that keep the ID secret in the first place: HTTPS with the Secure and HttpOnly cookie flags, session.use_strict_mode = 1 so PHP rejects session IDs it did not generate itself (session fixation), and a short session lifetime.
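The same idea carried through as a practitioner would deploy it, as an added example that is not part of the original page: strict mode, cookie flags, a hashed client fingerprint (User-Agent plus the first two octets of the address) checked on every authenticated request, login over POST against a password hash, and an absolute session lifetime. The file name secure_login.php and the credential pair john / secret are constructed for the demo.

```php
<?php
// Added example (not the page's own code): hardened form of the session
// binding shown above. Assumed file name: secure_login.php.
declare(strict_types=1);

// Reject session IDs the server did not create (fixation defence) and never
// accept IDs from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Cookie flags: not readable by JavaScript, only over HTTPS, not sent on
// cross-site navigations. 'secure' is false only on a plain-HTTP test box.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => isset($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

// Fingerprint of the client. The /16 prefix of an IPv4 address tolerates
// mobile IP changes but still catches a session replayed from another
// network (an IPv6 address has no '.' and is used whole). Hashed so the
// session file stores no raw header data.
function client_fingerprint(): string
{
    $ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $net = implode('.', array_slice(explode('.', $ip), 0, 2));
    return hash('sha256', $ua . '|' . $net);
}

// Drop the session data, the server-side file and the client cookie.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Check the binding on every request that carries an authenticated session.
if (isset($_SESSION['username'])) {
    if (!hash_equals($_SESSION['fingerprint'] ?? '', client_fingerprint())) {
        logout();
        http_response_code(403);
        exit('Hijack attempt');
    }
}

// Constructed credential store; a real application reads this from a database.
$users = ['john' => password_hash('secret', PASSWORD_DEFAULT)];

// Login over POST only; the password is compared against the stored hash.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['username'], $_POST['password'])) {
    $u = $_POST['username'];
    if (isset($users[$u]) && password_verify($_POST['password'], $users[$u])) {
        session_regenerate_id(true);        // new ID, old session file removed
        $_SESSION['username']    = $u;
        $_SESSION['fingerprint'] = client_fingerprint();
        $_SESSION['login_at']    = time();
    } else {
        http_response_code(401);
        exit('Login failed');
    }
}

// Absolute lifetime (30 minutes here) bounds the value of a stolen ID.
if (isset($_SESSION['login_at']) && time() - $_SESSION['login_at'] > 1800) {
    logout();
    exit('Session expired');
}

echo 'Logged user: ' . htmlspecialchars($_SESSION['username'] ?? '(none)',
                                        ENT_QUOTES, 'UTF-8');
?>
<?php if (!isset($_SESSION['username'])): ?>
<form method="POST">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" value="Log In" />
</form>
<?php endif; ?>
```

To repeat the hijack test against this version, log in from one browser, copy the PHPSESSID cookie into a second browser and reload: the fingerprint differs and the server answers 403 and destroys the session, so the ID is useless to both parties afterwards. Sending the same User-Agent from the same /16 passes the check, which is exactly the limit described above: the fingerprint catches the opportunistic replay, not a careful attacker.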
