[mod] Added security layer in sessions

beatniak
Bear Rating Trainee
Posts: 2
Joined: 17 Mar 2009, 12:09

Postby beatniak » 30 Jul 2009, 15:54

The problem
When not using the database for the sessions, the session_id() is "who the user is". So when a hacker reads Bob's cookie, he can add a cookie named "ttrss_sid" in his own browser (i.e. with firecookie) and add the value of Bob's session_id(). After having that cookie, the server thinks the hacker is Bob.

The solution
Open sessions.php in the root of your install and add this code at the bottom, right below session_start();

Code:

// Beatniak: add a layer of security
// !empty() avoids an "undefined index" notice before the user has logged in
if (!DATABASE_BACKED_SESSIONS && !empty($_SESSION['name'])) {
  // change the trailing string to a secret of your own
  $client_fingerprint = md5($_SESSION['name'] . $_SERVER['REMOTE_ADDR'] . session_id() . 'SOME_RANDOM_STRING');
  if (isset($_SESSION['fingerprint'])) {
    // strict comparison: "!=" would compare two hex strings like "0e..." as numbers
    if ($client_fingerprint !== $_SESSION['fingerprint']) {
      die('fingerprint mismatch'); // user isn't who he says he is: HACK ATTEMPT
    }
  } else {
    $_SESSION['fingerprint'] = $client_fingerprint; // fingerprint created
  }
}
// Beatniak: added layer of security


What it does
If you don't use the DB, then right after the user is logged in it will add a variable in the $_SESSION called "fingerprint". In this code, the fingerprint consists of an MD5 hash of:
- the username
- the user's IP address
- the session_id (the string found in the "ttrss_sid" cookie)
- some random string
If the hacker comes along with Bob's session_id(), the server will know the hacker isn't Bob, because the fingerprint doesn't match.

Tweaking
In your own environment, you can of course tweak $client_fingerprint with other values, hash it with SHA1() or whatever.

In this case, the user will be kicked if he changes his/her IP address (let's say when using a laptop). You could use another value like HTTP_USER_AGENT, or do this instead of die():

Code:

// user isn't who he says he is: HACK ATTEMPT
header("Location: login.php");
exit; // stop the rest of the page from running with the hijacked session


Hope it's helpful to someone.
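As an added example (not code from this post or from tt-rss), the same check written as a reusable function: a per-install secret, HMAC-SHA256 instead of plain MD5, a constant-time comparison, and an option to leave the IP address out of the fingerprint for clients whose address changes. The function and constant names are my own and the session values in the demo are constructed.

```php
<?php
// Replace with a long random value unique to your install (constructed placeholder)
const FINGERPRINT_SECRET = 'CHANGE_ME_PER_INSTALL';

// Build the fingerprint from the chosen client attributes plus the session id.
// $bind_ip = false keeps users logged in when their IP changes (laptops, mobile).
// Fields are joined with a NUL byte so "ab"+"c" and "a"+"bc" cannot collide.
function fingerprint_for(array $session, array $server, string $sid, bool $bind_ip = true): string {
    $parts = [$session['name'] ?? '', $sid];
    if ($bind_ip) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    // HMAC keys the hash with the secret instead of concatenating it into the data
    return hash_hmac('sha256', implode("\0", $parts), FINGERPRINT_SECRET);
}

// Returns true when no fingerprint is stored yet (first request after login; it is
// stored now) or when the stored one matches this request; false on a mismatch.
function verify_fingerprint(array &$session, array $server, string $sid, bool $bind_ip = true): bool {
    if (empty($session['name'])) {
        return true; // not logged in yet, nothing to bind
    }
    $current = fingerprint_for($session, $server, $sid, $bind_ip);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $current;
        return true;
    }
    // hash_equals: constant time, and no loose "==" string-to-number comparison
    return hash_equals($session['fingerprint'], $current);
}

// Constructed demo: Bob logs in, then another client presents Bob's session id
$sid   = 'bobs_session_id_value';
$bob   = ['REMOTE_ADDR' => '192.0.2.10'];
$other = ['REMOTE_ADDR' => '198.51.100.7'];

$session = ['name' => 'bob'];
var_dump(verify_fingerprint($session, $bob, $sid));   // true: fingerprint stored
var_dump(verify_fingerprint($session, $bob, $sid));   // true: same client again
var_dump(verify_fingerprint($session, $other, $sid)); // false: same sid, other IP

// Without IP binding the same session is accepted from the new address
$session_noip = ['name' => 'bob'];
verify_fingerprint($session_noip, $bob, $sid, false);
var_dump(verify_fingerprint($session_noip, $other, $sid, false)); // true
```

In a real install the `$session`, `$server` and `$sid` arguments would be `$_SESSION`, `$_SERVER` and `session_id()`; the mismatch branch is where the post's `die()` or redirect to login.php goes.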

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: [mod] Added security layer in sessions

Postby fox » 30 Jul 2009, 16:37

After having that cookie, the server thinks the hacker is Bob.


Code:

define('SESSION_CHECK_ADDRESS', true);
// Bind session to client IP address (recommended)

