I am developing a web application that will often handle sensitive information; many users will have the ability to manipulate other user profiles from a lower level, etc.

And the point of security has me a little stuck and worried. I have read a lot about session hijacking, man-in-the-middle, session fixation, read many OWASP tips and obviously I have read many posts on Stack Overflow on this topic.

I saw many tutorials showing how to steal a session cookie, such as copying and manipulating cookies in Firefox, for example. But I saw that in all cases the attacker has to perform one step, and it is always the same: go to the web app URL domain...

When the attacker is in the URL domain (https://www.myawesomwebapp.com/) and injects the stolen authentication COOKIE, it's the end. But what happens if the URL is always different, for example https://www.myawesomwebapp.com/?time=microtime()

From .htaccess, we can make the GET['time'] invisible, right? And every time you try to access the web page it will obviously be at a different time, and the attacker could not know exactly when you signed in. Or maybe encrypt that GET microtime() variable with a special salt...

Finally, the web app somehow compares the session COOKIE and especially the microtime generated at login, GET['time']. If they match, proceed with the script; if not, redirect to a new login and disable the expiry time of the session COOKIE.

My only doubt with this is where and how to store this microtime data, so that if the legitimate user opens another browser tab or just presses F5 in the main one, it doesn't regenerate a new microtime value.

  • If I save this data into a separate COOKIE, it's the same thing.
  • If I save this into a PHP SESSION and the attacker copies my PHPSESSID, it's the same.
  • If I save this into my DB, how do I get this value without using a COOKIE or SESSION for authentication?
  • Thanks for the modifications to my post – armate1hernan Dec 31 '13 at 17:13
  • All you need is to make sure the session ID is unpredictable and is not leaked somehow. Have a look at the [answers to *PHP Session Fixation / Hijacking*](http://stackoverflow.com/a/5082524/53114), they describe quite extensively how to do that with PHP. – Gumbo Dec 31 '13 at 18:28
  • Hi @Gumbo! Thanks for the quick comment! I read this link and still have a doubt on this point: **only accept sessions that your application have initiated. You can do this by fingerprinting a session on initiation with client specific information. You can use the User-Agent ID but don’t use the remote IP...**. If an attacker injects stolen cookies in his browser and starts my app, how can I know when my app has initiated legally and when not? This is a kind of authentication also, right? – armate1hernan Dec 31 '13 at 19:10
  • [That aspect is actually somewhat controversial.](http://stackoverflow.com/a/12234563/53114) The main protection against session hijacking and fixation is to make the session ID unguessable and protect it from being obtained by an attacker via leakage or via other attacks. – Gumbo Dec 31 '13 at 19:27
  • Thanks again Gumbo! I understand that point is a dangerous area for an indefinite solution. I'll start with the session fixation and hijacking precautions, thinking of caring for the **session ID** above all. One last thing: **1)** A user performs a normal login (with user/pass in a form), **2)** I check that info in MySQL and if it is OK set the cookie for that user's auth session like **cookie:(hash($userid)+hash($token))** **3)** the next time the application wants to check the identity of the user according to his cookie, how can I check that? With what can I compare the hash($userid) in the cookie? – armate1hernan Dec 31 '13 at 19:59
  • Just store the user ID in the session. – Gumbo Dec 31 '13 at 20:02
  • You are a man of great wisdom. By the way, how is my English? hehe – armate1hernan Dec 31 '13 at 20:13
  • It’s quite comprehensible. English isn’t my mother-tongue either. – Gumbo Dec 31 '13 at 20:20
  • haha ok! Happy New Year Gumbo! Thanks for everything; probably in the next few days I'll ask things again. Greetings! – armate1hernan Dec 31 '13 at 20:29
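Putting the comment thread's advice into code, as an added example that is not from the question or its commenters: cookie-only session IDs that the server regenerates on login (against fixation), the user ID kept in the session as Gumbo suggests, and the User-Agent fingerprint from the linked answer (which Gumbo notes is debated), plus an idle timeout. It assumes PHP 7.4+, HTTPS, and a constructed one-user store standing in for the MySQL lookup.

```php
<?php
// Added example, not from the question or comments. Assumptions: PHP >= 7.4, HTTPS only,
// and a constructed one-user store standing in for the MySQL lookup.
function start_secure_session(): void {
    ini_set('session.use_only_cookies', '1'); // never accept ?PHPSESSID= from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

function authenticate(string $user, string $pass): ?int {
    // Constructed sample store (id => [name, hash]); real code queries the DB.
    static $users = null;
    $users ??= [42 => ['alice', password_hash('demo-password', PASSWORD_DEFAULT)]];
    foreach ($users as $id => [$name, $hash]) {
        if ($name === $user && password_verify($pass, $hash)) {
            return $id;
        }
    }
    return null;
}

function login(string $user, string $pass): bool {
    $userId = authenticate($user, $pass);
    if ($userId === null) { return false; }
    session_regenerate_id(true); // fresh ID on privilege change: a fixated ID never becomes authenticated
    $_SESSION['user_id']   = $userId; // "just store the user ID in the session"
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
    return true;
}

function current_user_id(int $idleLimit = 1800): ?int {
    if (!isset($_SESSION['user_id'])) { return null; }
    $uaOk  = hash_equals($_SESSION['ua_hash'], hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''));
    $fresh = (time() - $_SESSION['last_seen']) <= $idleLimit;
    if (!$uaOk || !$fresh) {   // UA check is the (debated) fingerprint from the comments
        $_SESSION = [];
        session_destroy();     // a copied old ID now maps to nothing
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}
```

Call start_secure_session() before any output on every request, login() from the form handler, and current_user_id() wherever the identity is needed; the microtime-in-URL idea from the question is not needed once the ID itself is unguessable and only ever travels in a Secure, HttpOnly cookie.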
