Session hijacking
What if an attacker somehow discovers the regenerated session token (the new PHPSESSID), e.g. by sniffing the cookie?
# One request header that is particularly helpful — because it normally stays the same across
# all requests of one session — is the User-Agent header. (It is still client-supplied, so
# binding a session to it is a heuristic, not a secret.)
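# Secure php.ini settings — these must be applied before session_start() or they have no effect
ini_set("session.use_trans_sid", 0); // default 0: never append PHPSESSID to URLs or forms
ini_set("session.use_cookies", 1); // default 1
ini_set("session.use_only_cookies", 1); // default 1: a session ID supplied in the URL is ignored
ini_set("session.use_strict_mode", 1); // reject client-chosen, uninitialised IDs (session fixation)
ini_set("session.cookie_httponly", 1); // keep the cookie out of document.cookie (XSS cannot read it)
// NOTE(review): also set session.cookie_secure=1 once the site is served over HTTPS; it is
// omitted here only because this walkthrough runs on http://localhost.
session_start();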
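if (isset($_GET['btn_submit'])) {
    // NOTE(review): only the username is checked here; the password field the form sends is
    // never verified. Credentials also travel in the query string because the form uses GET
    // (they end up in access logs, browser history and Referer headers).
    // Strict comparison: $_GET values can be arrays (username[]=...) or other non-string junk.
    if (($_GET['username'] ?? null) === 'john') {
        // Rotate the session ID *before* storing authenticated state, so the pre-login
        // (possibly attacker-known) ID never carries privileged data.
        session_regenerate_id(true); # PHPSESSID is changed and the old session data is deleted
        $_SESSION['username'] = 'john';
        // Bind the session to the client's User-Agent; every later request is compared
        // against this value. The header may be absent, hence the fallback. # Look Here
        $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
        // Mozilla/5.0 (Windows NT 6.1; WOW64) ....
    }
}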
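// Escape everything reflected into the page: the User-Agent header is attacker-controlled
// and was previously echoed unescaped (reflected XSS). session_id() may return false when
// no session is active, hence the (string) cast.
// NOTE(review): printing the session ID is for this walkthrough only — never expose it in a
// real page.
echo "Sessionid: " . htmlspecialchars((string) session_id(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "Logged user: " . htmlspecialchars((string) ($_SESSION['username'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "User_Agent: " . htmlspecialchars((string) ($_SERVER['HTTP_USER_AGENT'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');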
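# http://localhost/test.php?PHPSESSID=kta1va58aevngk6r7hkvodspf2
# Only an authenticated session carries a stored User-Agent, so the comparison must run
# when a user IS logged in. The original tested the inverse: it rejected every first-time
# visitor (whose session has no user_agent yet, so null != header was true) and never
# examined an actually hijacked, logged-in session.
if (isset($_SESSION['username'])) {
    $storedUserAgent = $_SESSION['user_agent'] ?? '';
    $currentUserAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    // Strict comparison — never loose-compare against a client-supplied header.
    // The User-Agent is not a secret: an attacker who captured the cookie can copy it too,
    // so this is defence in depth, not a replacement for HttpOnly/Secure cookies.
    if ($storedUserAgent !== $currentUserAgent) {
        // Invalidate the session server-side; merely aborting the page would leave the
        // hijacked session ID usable on the next request.
        $_SESSION = [];
        session_destroy();
        die("Hijack attempt");
    }
}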
<?php
// Login form, rendered only while no user is bound to this session
// (empty() covers both "key not set" and a falsy value, exactly like the suppressed check).
// NOTE(review): method="GET" sends the password in the query string; switching to POST
// also requires the login handler above to read $_POST instead of $_GET.
if (empty($_SESSION['username'])) { ?>
<form method="GET">
    Username: <input type="text" name="username" value="john"/>
    Password: <input type="password" name="password" />
    <input type="submit" name="btn_submit" value="Log In"/>
</form>
<?php } ?>
It is unlikely that a legitimate user will switch from one browser to another (and therefore change User-Agent) in the middle of a session. An attacker who captured the cookie can, however, also copy the victim's User-Agent string, so treat this binding as defence in depth rather than as a replacement for HttpOnly/Secure cookies and session ID regeneration.
# Test this in another browser, as if you were the attacker. Note that with
# session.use_only_cookies=1 the PHPSESSID in the URL below is ignored; to simulate a real
# hijack, copy the victim's PHPSESSID cookie value into the other browser's cookie jar.
http://localhost/test.php?PHPSESSID=q3lj07kk0v5ffvan5g1uf4gfl5
# Output: Hijack attempt