Problem with IP address check (for avoiding session hijack)

Posted on 2009-04-07
Last Modified: 2013-12-12
Hi,

I am working on a PHP application that uses authentication / session / cookies. The login pages use HTTPS, whereas others use the plain HTTP.

As a part of strengthening the server security against session hijack, we used the REMOTE_ADDR check.

While this worked well when the application is used through a DSL Internet connection, it started to fail when used via dial-up.

Upon investigation, we found that the IP address assigned to the client computer did not change on every request. The problem was that the dial-up provider connected to the Internet using a proxy server (for plain HTTP pages), but connected directly to the server for HTTPS. Hence, the REMOTE_ADDR for the login page (HTTPS) was the client computer's assigned IP address, but for the subsequent pages the REMOTE_ADDR was the address of the proxy server.

We tried using the quoted code to check for the HTTP_X_FORWARDED_FOR when forwarded by a proxy server. While this worked for one of the dial-up providers, it did not work for another dial-up service provider, as they did not seem to set the HTTP_X_FORWARDED_FOR when forwarded by the proxy.

Can you please suggest a solution for such a situation (i.e., a good check to avoid session hijack for all possible users)? The application is meant mainly for users from Guyana, South America.

Regards,
Stephanas
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // Behind a forwarding proxy: take the address the proxy reports.
    // (Whatever the client sent in this header is accepted as-is.)
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    // No proxy header present: fall back to the TCP peer address.
    $ip = $_SERVER['REMOTE_ADDR'];
}

Question by: UGDSS
Accepted Solution by: NerdsOfTech (ID: 24092817)
Use SESSIONS instead for authentication. ALL of the SERVER VARIABLES you are depending on are vulnerable to HEADER COUNTERFEITING.

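Why the header check in the question can be counterfeited, and what a bounded version looks like, as an added example (not the answerer's code and not the asker's application). X-Forwarded-For is an ordinary request header: a client can send `curl -H 'X-Forwarded-For: 203.0.113.7' http://example.test/page.php` and PHP hands that string back as `$_SERVER['HTTP_X_FORWARDED_FOR']`. The only defensible use is to honour the header when `REMOTE_ADDR` is one of your own reverse proxies; the proxy addresses below are assumptions (TEST-NET ranges), as are the constructed requests.

```php
<?php
// Added example: resolving a client address without trusting client-supplied
// headers. TRUSTED_PROXIES is an assumption standing in for the operator's
// own reverse proxies.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

/**
 * Resolve the address the application should treat as "the client".
 * $server is passed in (instead of reading $_SERVER directly) so the logic
 * can be exercised with the constructed requests below.
 */
function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Only a connection from a proxy we operate may speak for someone else.
    // Any other peer keeps its TCP address, whatever the headers claim.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }

    // XFF is "client, proxy1, proxy2": walk from the right and take the first
    // hop that is not one of our proxies. The leftmost entry is whatever the
    // original client chose to send and cannot be trusted.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], TRUSTED_PROXIES, true)) {
            // Reject header garbage that is not a syntactically valid address.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false
                ? $hops[$i]
                : $remote;
        }
    }
    return $remote;
}

// Constructed requests (not captured traffic):

// 1. Direct client impersonating a victim's address: the header is ignored.
$spoof = ['REMOTE_ADDR' => '198.51.100.23', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
assert(client_ip($spoof) === '198.51.100.23');

// 2. Same header arriving through one of our proxies: honoured.
$via_proxy = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
assert(client_ip($via_proxy) === '203.0.113.7');

// 3. Client prepends a fake hop before reaching our proxy: the rightmost
//    untrusted hop (what the proxy actually saw) wins, not the forged one.
$chained = ['REMOTE_ADDR' => '192.0.2.10',
            'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7'];
assert(client_ip($chained) === '203.0.113.7');

// 4. The dial-up case from the question: an ISP proxy we do not control is
//    not in TRUSTED_PROXIES, so the app sees the proxy address, exactly as the
//    asker observed. No header logic fixes that; only the trust list can.
$isp = ['REMOTE_ADDR' => '198.51.100.200', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
assert(client_ip($isp) === '198.51.100.200');

echo "all constructed cases behaved as expected\n";
```

Run with `php client_ip.php` (zend.assertions enabled). Case 4 is the point of the accepted answer: when the proxy belongs to someone else, there is no header value the server can safely believe, so an address check cannot be made to work for those users at all.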
Assisted Solution by: NerdsOfTech (ID: 24092826)
AND (this is the important stuff here) use BEST METHOD tactics:

Prevention

Methods to prevent session hijacking include:

    * Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
    * Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.
    * Encryption of the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.
    * Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
    * Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly, on the web).
Expert Comment by: NerdsOfTech (ID: 24092846)
The first (long random session IDs) AND the last (cookie change) seem to be the most effective.
Expert Comment by: NerdsOfTech (ID: 24092897)
If you are getting a lot of hijacks implement SSL on your server and make it mandatory for users.

If so, cookies will be required to avoid certain attacks.
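The prevention list in the assisted solution and the "make SSL mandatory" comment above, carried into one PHP login flow as an added example (not code from any of the answers or from the asker's application): a long random session id, regeneration after login, HTTPS on every page rather than only the login page, Secure/HttpOnly cookies, and a per-request rotating value in place of the REMOTE_ADDR check. `APP_HOST`, the credential store, the cookie name `nonce` and the request glue are assumptions for illustration.

```php
<?php
// Added example, not code from any of the answers above. APP_HOST, the
// credential store and the cookie names are assumptions.
const APP_HOST = 'app.example.test';   // assumed canonical hostname

// 1. Transport: every page over HTTPS, not just the login page. Mixing an
//    HTTPS login with HTTP pages sends the session cookie in the clear.
function is_https(array $server): bool
{
    $direct = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    // Only meaningful when a proxy you control sets this header (assumption).
    $proxied = ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    return $direct || $proxied;
}

// 2. Session id and cookie hardening; must run before session_start().
function configure_session(): void
{
    // 64 chars x 6 bits = 384 bits from the CSPRNG: not guessable by brute force.
    // (PHP 7.1-8.3; PHP 8.4 deprecates these two settings in favour of fixed
    // strong defaults, so drop them there.)
    ini_set('session.sid_length', '64');
    ini_set('session.sid_bits_per_character', '6');
    // Accept only ids this server issued: a fixed id is discarded, not adopted.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable from script, limits theft via XSS
        'samesite' => 'Lax',
    ]);
}

// 3. Login: verify credentials, then replace the pre-login id (anti-fixation).
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);           // old id is deleted, not just superseded
    $_SESSION['user']  = $user;
    $_SESSION['nonce'] = bin2hex(random_bytes(16));
    return true;
}

// 4. Per-request rotation: the browser must echo the nonce issued on the previous
//    response and receives a fresh one each time. A copied cookie replayed after
//    the real user's next request fails here, which also reveals the theft.
function check_and_rotate_nonce(?string $presented): bool
{
    if (!isset($_SESSION['nonce']) || $presented === null
        || !hash_equals($_SESSION['nonce'], $presented)) {
        return false;
    }
    $_SESSION['nonce'] = bin2hex(random_bytes(16));
    return true;
}

// Request handling (framework glue, assumed):
if (!is_https($_SERVER)) {
    // Redirect to a fixed host rather than echoing the Host header.
    header('Location: https://' . APP_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}
configure_session();
session_start();

// Constructed credential store: one user, password "correct horse".
$users = ['stephanas' => password_hash('correct horse', PASSWORD_DEFAULT)];

if (($_POST['action'] ?? '') === 'login') {
    if (!login($_POST['user'] ?? '', $_POST['password'] ?? '', $users)) {
        http_response_code(401);
        exit('login failed');
    }
} elseif (!check_and_rotate_nonce($_COOKIE['nonce'] ?? null)) {
    session_destroy();
    http_response_code(403);
    exit('no valid session');
}

// Return the current nonce for the next request, with the same cookie flags.
setcookie('nonce', $_SESSION['nonce'],
    ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
echo 'hello, ' . htmlspecialchars($_SESSION['user']) . "\n";
```

The nonce rotation is the "change the cookie with every request" item from the list, with the caveat the list already gives: a page reloaded from history or a second tab racing the first will present a stale nonce and be logged out, so it suits applications where that trade-off is acceptable. Nothing here depends on REMOTE_ADDR, so the dial-up proxy behaviour described in the question no longer breaks the session.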