Session spoofing (PHP)

verbumSapienti picture verbumSapienti · Jul 1, 2013 · Viewed 11.4k times · Source

I am coding a website in PHP that contains the boolean $_SESSION['logged_in']. This is set to true when a username and password match are present in the database.

I am quite new to sessions and was just wondering if it could be possible for an unregistered (or, for that matter, registered) user to bypass the login process by setting this boolean to true, as would be possible with a cookie.

I understand that the user would have to manipulate a server-side variable from the client-side, but my questions are how easy would this be, how would the user go about accomplishing such a task, are there any known exploits, and what are the best practices / preventative measures to avoid this sort of attack?

Answer

Eugen Rieck picture Eugen Rieck · Jul 1, 2013

Let's start with the good news: The $_SESSION array is by default completly invisible and inmanipulable by the client: It exists on the server, and on the server only, in an execution environment, that is not open to the client.

Now back to earth: It is quite easy, to get your PHP code "nearly right" and thus open a door between the client and the session as seen by the server. In addition to this, stealing a client session (including a cookie) is quite easy.

I recommend a few mitigations, that have been proven quite effective:

  • Do not store a "logged in" value - instead store a "session cookie" value, and set the cookie to the client. On a client request make something along the lines of $loggedin=($_SESSION['cookie']==$_COOKIE['session']). This makes the attacker need both: cookie and session ID.
  • Refresh the session cookie quite often, on a wrong cookie kill the session. If a black hat steals cookie and session, the next click by the real user will log out both and create a logable event.
  • If your requests come from JS, think of creating a simple authentication function: Instead of sending the authentication token, salt it, pepper it with a timestamp, then hash it. Send salt, timestamp and hash. Make the server check the timestamp.