Re: [Phplib-users] store the IP in the session
From: Kristian K. <kr...@ko...> - 2002-12-04 15:42:55
On Wed, Dec 04, 2002 at 04:09:15PM +0100, Giancarlo wrote:
> No cookie, only GET, and no possibility to guess or steal the second
> half. A lot of CPU on 'refilling' the array once exhausted, though.
You do not need different hashes on different URLs, or at least
I cannot see why you should. Instead the session can have an
internal sequence number, which is appended to the SID in a
hashed form. So you do

$validator = md5($sess->id . $sess->seq . $sess->magic);

and append "{$sess->id}-$validator" to each sid in a URL. Also, you
increment $sess->seq in page_open() as soon as you have instantiated
$sess.

Using the saved $sess->seq from the session, you can validate
the session id by precalculating the validator and comparing it to
the validator you received.

This will protect the session against replay attacks, and will
also prevent insertion of requests from an attacker into a
sequence of requests from a legitimate user, because the
attacker cannot predict the validator without knowledge of the
proper $sess->seq AND knowledge of the $sess->magic.

It will also make sessions very fragile, no more back buttons at
all. I do not recommend this for any production environments.

Use SSL instead. Saves you the pain of the implementation,
protects against more attacks and is easier to deploy.
Kristian
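The sequence-validator scheme Kristian sketches, written out as a small PHP illustration added to this thread (not PHPLib code and not from the post): a stand-in session object with the assumed fields id, seq and magic, the validator built exactly as in the post, and a check that accepts a token once and then advances seq, which is also what makes a replayed or Back-button URL fail.

```php
<?php
// Stand-in for PHPLib's $sess; the field names are assumptions, not PHPLib's API.
class FakeSession {
    public $id;
    public $seq = 0;
    public $magic;
    public function __construct($id, $magic) { $this->id = $id; $this->magic = $magic; }
}

// Validator as in the post: depends on the id, the current seq and the server-side magic.
function sid_validator(FakeSession $sess) {
    return md5($sess->id . $sess->seq . $sess->magic);
}

// Token appended to each URL: "<id>-<validator>".
function sid_token(FakeSession $sess) {
    return $sess->id . '-' . sid_validator($sess);
}

// What page_open() would do: recompute the validator from the stored seq,
// compare it in constant time to the one received, then advance seq so the
// same token is never accepted twice.
function check_and_advance(FakeSession $sess, $token) {
    $parts = explode('-', $token, 2);
    if (count($parts) !== 2 || $parts[0] !== $sess->id) {
        return false;
    }
    if (!hash_equals(sid_validator($sess), $parts[1])) {
        return false;
    }
    $sess->seq++;
    return true;
}

// Demo with constructed values: id and magic are made up for this example.
$sess = new FakeSession('a1b2c3', bin2hex(random_bytes(16)));
$sess->seq = 1;
$token = sid_token($sess);   // the sid a link on the current page would carry

echo "first use of token:  ", check_and_advance($sess, $token) ? "accepted" : "rejected", "\n";
echo "replay of same token: ", check_and_advance($sess, $token) ? "accepted" : "rejected", "\n";
echo "token with wrong validator: ",
     check_and_advance($sess, 'a1b2c3-' . str_repeat('0', 32)) ? "accepted" : "rejected", "\n";
```

Only the first call succeeds; the second is exactly the Back-button case the post warns about, since the stored seq has moved on.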