Solved

Problem with IP address check (for avoiding session hijack)

Posted on 2009-04-07
5
839 Views
Last Modified: 2013-12-12
Hi,

I am working on a PHP application that uses authentication / session / cookies. The login pages use HTTPS, whereas others use the plain HTTP.

As a part of strengthening the server security against session hijack, we used the REMOTE_ADDR check.

While this worked well when the application is used through DSL Internet connection, it started to fail when used via Dial-up.

Upon investigation, we found that the IP address assigned to the client computer did not change on every request. The problem was that the Dial up provider connected to the Internet using a proxy server (for plain HTTP pages), but connected directly to the server for HTTPS. Hence, the REMOTE_ADDR for login page (HTTPS) was the client computer's assigned IP address, but for the subsequent pages the REMOTE_ADDR was the address of the proxy server.

We tried using the quoted code to check for the HTTP_X_FORWARDED_FOR when forwarded by Proxy server. While this worked for one of the Dialup providers, it did not work for the another Dialup service provider, as they did not seem to set the HTTP_X_FORWARDED_FOR when forwarded by Proxy.

Can you please suggest a solution for such a situation (i.e., a good check to avoid session hijack for all possible users)? The application is meant mainly for users from Guyana, South America.

Regards,
Stephanas
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
  {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
  }
  else
  {
    $ip = $_SERVER['REMOTE_ADDR'];
  }

Open in new window

0
Comment
Question by:UGDSS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 19

Accepted Solution

by:
NerdsOfTech earned 500 total points
ID: 24092817
Use SESSIONS instead for authentication. ALL of the SERVER VARIABLES you are depending on are vulnerable to HEADER COUNTERFEITING.

0
 
LVL 19

Assisted Solution

by:NerdsOfTech
NerdsOfTech earned 500 total points
ID: 24092826
AND (this is the import stuff here) use BEST METHOD tactics:

Prevention

Methods to prevent session hijacking include:

    * Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
    * Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.
    * Encryption of the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.
    * Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
    * Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly, on the web).
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24092846
The first (long random session IDS) AND the last (ccokie change) seem to be the most effective.
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24092897
If you are geting a lot of hijacks implement SSL on your server and make it mandatory for users.

If so, cookies will be required to avoid certain attacks.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article discusses four methods for overlaying images in a container on a web page
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question