Solved

Problem with IP address check (for avoiding session hijack)

Posted on 2009-04-07
Last Modified: 2013-12-12
Hi,

I am working on a PHP application that uses authentication / session / cookies. The login pages use HTTPS, whereas the others use plain HTTP.

As a part of strengthening the server security against session hijack, we used the REMOTE_ADDR check.

While this worked well when the application is used through DSL Internet connection, it started to fail when used via Dial-up.

Upon investigation, we found that the IP address assigned to the client computer did not change on every request. The problem was that the Dial-up provider connected to the Internet using a proxy server (for plain HTTP pages), but connected directly to the server for HTTPS. Hence, the REMOTE_ADDR for the login page (HTTPS) was the client computer's assigned IP address, but for the subsequent pages the REMOTE_ADDR was the address of the proxy server.

We tried using the quoted code to check for HTTP_X_FORWARDED_FOR when forwarded by a proxy server. While this worked for one of the Dial-up providers, it did not work for another Dial-up service provider, as they did not seem to set HTTP_X_FORWARDED_FOR when forwarding through their proxy.

Can you please suggest a solution for such a situation (i.e., a good check to avoid session hijack for all possible users)? The application is meant mainly for users from Guyana, South America.

Regards,
Stephanas
    <?php
    // Prefer the address a proxy reports for the original client, if any.
    // Note: HTTP_X_FORWARDED_FOR is supplied by the client/proxy, not the
    // server, and may contain a comma-separated list of hops.
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        // Fall back to the TCP peer address seen by the web server.
        $ip = $_SERVER['REMOTE_ADDR'];
    }

Question by:UGDSS
5 Comments
LVL 19

Accepted Solution

by:
NerdsOfTech earned 500 total points
ID: 24092817
Use SESSIONS instead for authentication. ALL of the SERVER VARIABLES you are depending on are vulnerable to HEADER COUNTERFEITING.

 
LVL 19

Assisted Solution

by:NerdsOfTech
NerdsOfTech earned 500 total points
ID: 24092826
AND (this is the important stuff here) use BEST METHOD tactics:

Prevention

Methods to prevent session hijacking include:

    * Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
    * Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.
    * Encryption of the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.
    * Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
    * Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly, on the web).
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24092846
The first (long random session IDs) AND the last (cookie change) seem to be the most effective.
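As an added example (not code from this thread), here is how the list's first two items and the per-request cookie rotation singled out in the comment above could be combined in PHP, instead of tying the session to REMOTE_ADDR. It assumes PHP 7.3+ with HTTPS on every page; the function and cookie names are mine.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7.3+ and that
// every page is served over HTTPS (the 'secure' cookie flag requires it).

// Long, unguessable, cookie-only session IDs; strict mode makes PHP refuse
// any ID it did not issue itself, which closes session fixation.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.sid_length', '48');
$cookieOpts = ['secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
session_set_cookie_params($cookieOpts);
session_start();

// Call once the password check has succeeded: the session gets a fresh ID,
// so any ID an attacker learned before login is now worthless.
function login_user(int $userId, array $cookieOpts): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['req_token'] = bin2hex(random_bytes(16));
    setcookie('req_token', $_SESSION['req_token'], $cookieOpts);
}

// Per-request rotation: each response hands out a new one-time token. A
// copied token only works until the legitimate browser's next request, and a
// mismatch is a signal that two parties are driving the same session.
function check_and_rotate_token(array $cookieOpts): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['req_token'], $_COOKIE['req_token'])) {
        return false;                       // not logged in or token missing
    }
    if (!hash_equals($_SESSION['req_token'], $_COOKIE['req_token'])) {
        error_log('possible session hijack, user ' . $_SESSION['user_id']);
        $_SESSION = [];
        session_destroy();                  // kill the session for both parties
        return false;
    }
    $new = bin2hex(random_bytes(16));
    $_SESSION['req_token'] = $new;
    setcookie('req_token', $new, $cookieOpts);
    return true;
}
```

Because the token changes on every request, two requests the browser sends in parallel can race each other and trip the mismatch branch; that is the "other technical problems" trade-off the list above mentions, so decide whether a short grace window is acceptable for your application.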
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24092897
If you are getting a lot of hijacks, implement SSL on your server and make it mandatory for users.

If so, cookies will be required to avoid certain attacks.