Recipe 11.2. Preventing Session Hijacking


11.2.1. Problem

You want to make sure an attacker can't access another user's session.

11.2.2. Solution

Allow passing of session IDs via cookies only, and generate an additional session token that is passed via URLs. Only requests that contain a valid session ID and a valid session token may access the session:

<?php
ini_set('session.use_only_cookies', true);   // accept the session ID from the cookie only, never from the URL
session_start();

// Auto-shifting token: the ISO week number joined with a site-specific salt
$salt     = 'YourSpecialValueHere';
$tokenstr = (string) date('W') . $salt;
$token    = md5($tokenstr);

// Every request must carry the current token, otherwise the user logs in again
if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {
    // prompt for login
    exit;
}

$_SESSION['token'] = $token;
output_add_rewrite_var('token', $token);   // append token=... to links and forms in the output
?>

If you're using a PHP version earlier than 4.3.0, output_add_rewrite_var( ) is not available. Instead, use the code in Example 11-1.

Example 11-1. Adding a session token to links

<?php
ini_set('session.use_only_cookies', true);   // accept the session ID from the cookie only, never from the URL
session_start();

// Auto-shifting token: the ISO week number joined with a site-specific salt
$salt     = 'YourSpecialValueHere';
$tokenstr = (string) date('W') . $salt;
$token    = md5($tokenstr);

// Every request must carry the current token, otherwise the user logs in again
if (!isset($_REQUEST['token']) || $_REQUEST['token'] != $token) {
    // prompt for login
    exit;
}

$_SESSION['token'] = $token;

// Buffer the page and rewrite its links before it is sent
ob_start('inject_session_token');

function inject_session_token($buffer) {
    $hyperlink_pattern = "/<a[^>]+href=\"([^\"]+)/i";
    preg_match_all($hyperlink_pattern, $buffer, $matches);
    // array_unique() so a link that appears several times gets the token appended once
    foreach (array_unique($matches[1]) as $link) {
        if (strpos($link, '?') === false) {
            $newlink = $link . '?token=' . $_SESSION['token'];
        } else {
            $newlink = $link . '&token=' . $_SESSION['token'];
        }
        $buffer = str_replace($link, $newlink, $buffer);
    }
    return $buffer;
}
?>

The regular expression for matching hyperlinks in the inject_session_token( ) function isn't bulletproof; it will not catch hyperlinks with href attributes quoted with single quotes.

11.2.3. Discussion

This example creates an auto-shifting token by joining the current week number together with a salt term of your choice. With this technique, tokens will be valid for a reasonable period of time without being fixed.

We then check for the token in the request, and if it's not found, we prompt for a new login.

If it is found, it needs to be added to generated links. output_add_rewrite_var( ) does this easily. Without output_add_rewrite_var( ), we continue generating the page and declare an output buffer callback function that will make sure that any hyperlinks on the page are modified to contain the current token before the page is displayed.
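As an added example (not the cookbook's code), here is the same check with a token that is random and bound to one session, rather than derived from the week number, which every user of the site shares for that week. It assumes PHP 7.1 or later for random_bytes(), hash_equals() and nullable types; the function names issue_session_token() and session_token_is_valid() are the example's own.

```php
<?php
// Added example, not the cookbook's code. Assumes PHP 7.1+ (random_bytes, hash_equals).
ini_set('session.use_only_cookies', '1');   // no session IDs in URLs
ini_set('session.cookie_httponly', '1');    // cookie unreadable to page scripts
session_start();

// Called once the login credentials have been verified: rotate the session ID
// and issue a random token that exists only in this session.
function issue_session_token(): string
{
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(16));     // 128 bits of entropy, 32 hex characters
    $_SESSION['token']        = $token;
    $_SESSION['token_issued'] = time();
    return $token;
}

// Validate the token from the request against the one stored in the session.
// Written as a pure function of its arguments so it can be exercised without a live session.
function session_token_is_valid(array $request, array $session, int $maxAge = 7 * 86400, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($request['token'], $session['token'], $session['token_issued'])) {
        return false;                        // no token issued yet, or none supplied
    }
    if (!is_string($request['token']) || ($now - (int) $session['token_issued']) > $maxAge) {
        return false;                        // malformed, or older than the validity window
    }
    // Constant-time comparison: a plain == or != leaks timing and applies loose typing
    return hash_equals($session['token'], $request['token']);
}

// The token travels in URLs, so read it from $_GET rather than the wider $_REQUEST
if (!session_token_is_valid($_GET, $_SESSION)) {
    // prompt for login; on success call issue_session_token() and redirect
    exit;
}
output_add_rewrite_var('token', $_SESSION['token']);
```

Because the token is generated per session and compared against the value stored in that session, a token copied from one user's URL is useless with anyone else's cookie; the week-based token in the recipe only proves that the client has visited the site this week. Calling session_regenerate_id(true) at login also covers the fixation case that Recipe 18.1 discusses.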

Note that the inject_session_token( ) function in the example does not address imagemaps, form submissions, or Ajax calls; make sure that you adjust any such functionality on a page to include the session token that's been generated and stored in the session.
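As an added example (not the cookbook's code), a version of the output-buffer callback that covers the gaps noted above and in Example 11-1: both quote styles, form action attributes, existing query strings and fragments, and links to other hosts or non-HTTP schemes, which must not receive the token. It assumes PHP 7.1 or later; inject_session_token_v2() and the sample markup are constructed for this example.

```php
<?php
// Added example, not the cookbook's code. Assumes PHP 7.1+ and that the token
// is already stored in $_SESSION['token']; inject_session_token_v2() is a name
// chosen for this example.
function inject_session_token_v2(string $buffer, string $token, string $ownHost): string
{
    // href or action attribute quoted with either " or '; \2 matches the same quote again
    $pattern = '/\b(href|action)=(["\'])([^"\']*)\2/i';

    return preg_replace_callback($pattern, function (array $m) use ($token, $ownHost): string {
        [$all, $attr, $quote, $url] = $m;

        // Leave the attribute alone if it points off-site, uses a non-HTTP scheme
        // (mailto:, javascript:, tel:), or already carries a token.
        $host = parse_url($url, PHP_URL_HOST) ?: null;
        if ($host !== null && strcasecmp($host, $ownHost) !== 0) {
            return $all;
        }
        if ($host === null && preg_match('/^[a-z][a-z0-9+.-]*:/i', $url)) {
            return $all;
        }
        if (preg_match('/(?:[?&]|&amp;)token=/', $url)) {
            return $all;
        }

        // Keep any #fragment after the query string so anchors still work
        $fragment = '';
        if (($pos = strpos($url, '#')) !== false) {
            $fragment = substr($url, $pos);
            $url      = substr($url, 0, $pos);
        }
        $sep    = (strpos($url, '?') === false) ? '?' : '&amp;';   // & must be escaped inside HTML attributes
        $newUrl = $url . $sep . 'token=' . rawurlencode($token) . $fragment;

        return $attr . '=' . $quote . $newUrl . $quote;
    }, $buffer);
}

// Constructed sample markup (not from the book) to show what the callback changes
echo inject_session_token_v2(
    '<a href="/home">Home</a> <a href=\'/list?page=2#top\'>List</a> '
    . '<form action="/search"> <a href="https://other.example/x">Out</a> <a href="mailto:a@b.c">Mail</a>',
    'abc123',
    'www.example.com'
);

// On a real page, install it as the output-buffer callback before any output is produced
$ownHost = $_SERVER['HTTP_HOST'] ?? 'www.example.com';   // constructed fallback for a command-line run
ob_start(function (string $buf) use ($ownHost): string {
    return inject_session_token_v2($buf, $_SESSION['token'] ?? '', $ownHost);
});
```

Two limits are deliberate: an attribute value that contains the other quote character is not matched at all, so it is left unchanged rather than mangled, and the off-site and scheme checks exist because a token appended to an external link or a mailto: address leaks it in the Referer header or the mail client. Ajax calls and imagemaps still need the token added by hand, as the recipe says.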

11.2.4. See Also

Recipe 18.1 for more information on regenerating IDs to prevent session fixation.




PHP Cookbook, 2nd Edition
PHP Cookbook: Solutions and Examples for PHP Programmers
ISBN: 0596101015
Year: 2006
Pages: 445
