On Wed, Feb 19, 2003 at 12:12:27PM -0500, Alan H. Lake wrote: > I'm creating a PHP program that I'd like to protect against an attempt > to "hijack" a session. I want to insure that the IP address of the > machine using the session is the same as that which started the > session. The approach that I'm using is that, if the session's IP is > not stored in the session file, I'll store it. If it is, I check to see > whether it matches the current IP. If the two don't match, I think I've > been hijacked.
Well, since this method only protects someone from attackers with other world-visible IP addresses, leaving no protection from attackers who might be behind the same proxy, or attackers who have access to a router between your server and the user--and since there are easier methods--I wouldn't really have bothered with this, but... > > The problem is that I'm getting a false alarm because the 4th node of > the current IP doesn't always match that of the IP that started the > session. The other three nodes do match. > > Here are my questions. Do I have adequate protection if I check just > the first three nodes? Is there a better way to detect such an attempt? I can't figure out how this could be: is a proxy choosing between a group of IPs at whim for masquerades? I can't think of why this would be... But to answer your question: no. It leaves the victim susceptible to attack by up to 254 other users. Still better than *everybody*, but it's still just limited protection. > The PHP code that I am using to get the IP addresses is this: > if (getenv(HTTP_X_FORWARDED_FOR)) > $ipaddr = getenv(HTTP_X_FORWARDED_FOR); > else > $ipaddr = $REMOTE_ADDR; You should just use $REMOTE_ADDR. In this case, you *do* want the IP of the ISP's proxy server, since that's the only IP address that you are actually in contact with. This still leaves the user open to attack from others on the same ISP.... But I'll bet that's why you're getting different IPs for the same session: Maybe the ISP is setting X-Forwarded-For: for some requests and not others; or maybe it is setting them erroneously. Either way, you will get different results each time. But (I'm pretty sure) you can't get different IPs for $REMOTE_ADDR if you're being accessed by the same machine for a session. As I've pointed out a couple times, there are still, in pretty much all cases, groups of users who can "hijack" the session, if you are vulnerable to such attacks. A better idea is just to use a fairly random selection process for the session id, with enough bits that one couldn't hijack the session without knowing the id. As to those who are along the route such that they *can* see the id, blocking by IP only affords limited protection, since IP-spoofing is a possibility in that case. In most cases, it's simply not worth worrying about people who can spy "on-route", since that is usually only a theoretical vulnerability (i.e., few crackers actually practice this, or are in a position to). In those cases where extreme security must be exercised, you can use HTTPS, or a challenge-response-style authentication for every HTTP request. HTH; just my $0.02, Micah _______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech
