PHP
Dmitry Onatsky, 2016-04-09 23:00:13

Session protection from theft?

Dear users, tell me how one can protect a session from theft (substitution) as much as possible.
At the moment I use:
1. Encryption of the SHA512 session.
2. Binding to the md5 hash of the IP + USER_AGENT pair, which I check for a match on every request.
3. A dynamic session identifier. With each request to the server a new session is created while retaining the data from the previous one. Thus, even if an attacker steals the cookies and changes his IP and USER_AGENT, there is a chance that he will not have time to log in, provided that the user made at least one request after the session was stolen.
What else can be added, or conversely removed? Thanks in advance! :)


3 answer(s)
DevMan, 2016-04-09
@Zamzy

SSL
HttpOnly cookie
https://en.wikipedia.org/wiki/Session_hijacking#Pr...

Pavel Volintsev, 2016-04-10
@copist

Usually cookies store a session ID under a key like PHPSESSID.
But you can make the cookie name itself less predictable, for example md5(service-id).

Peter, 2016-04-10
@petermzg

HTTPS connection.
And with IP + USER_AGENT you create a problem for users on cellular networks, since their IP address can change.
Encrypting the session key is meaningless, because it's just data that can be copied.
A dynamic token will help detect concurrent work, but will not protect against hijacking 100%.
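Putting the three answers together (HTTPS-only HttpOnly cookie, a fingerprint that leaves the IP out, and a rotating ID that detects concurrent use of an old cookie), here is an added PHP example; it is not code from any of the posters, it assumes PHP 7.3 or later, and the rotation and grace intervals are made-up values.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Hardened session start: Secure + HttpOnly
// cookie, strict mode against fixation, a fingerprint on the User-Agent only
// (IPs change on cellular networks), and periodic ID rotation that recognises
// a retired ID being replayed, i.e. a second client holding the cookie.

const ROTATE_AFTER = 300;  // assumption: rotate the session ID every 5 minutes
const OLD_ID_GRACE = 60;   // assumption: old ID tolerated 60 s for in-flight requests

function secure_session_start(string $userAgent, int $now): string
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,   // sent over HTTPS only
        'httponly' => true, 'samesite' => 'Lax',            // not readable from JS
    ]);
    session_start();

    // A retired ID used after its grace period: someone else holds this cookie.
    if (isset($_SESSION['destroyed']) && $_SESSION['destroyed'] < $now - OLD_ID_GRACE) {
        session_unset();
        session_destroy();
        return 'replayed';   // caller: log it and require a fresh login
    }
    $fp = hash('sha256', $userAgent);
    if (!isset($_SESSION['fp'])) {             // first request of a new session
        $_SESSION['fp'] = $fp;
        $_SESSION['rotated_at'] = $now;
        return 'new';
    }
    if (!hash_equals($_SESSION['fp'], $fp)) {  // cookie presented by a different client
        session_unset();
        session_destroy();
        return 'mismatch';
    }
    if (!isset($_SESSION['destroyed']) && $_SESSION['rotated_at'] < $now - ROTATE_AFTER) {
        // PHP >= 7.1 writes the current data (with 'destroyed') to the old ID
        // before switching, so the old record survives only as a marked-retired
        // copy; the new record carries no 'destroyed' mark.
        $_SESSION['destroyed'] = $now;
        session_regenerate_id(false);
        unset($_SESSION['destroyed']);
        $_SESSION['rotated_at'] = $now;
    }
    return 'ok';
}

// Usage in a request handler: the caller supplies the User-Agent and the clock.
$state = secure_session_start($_SERVER['HTTP_USER_AGENT'] ?? '', time());
```

A 'replayed' or 'mismatch' result is worth logging with the request details, since it is the signal Peter's answer describes: the token scheme detects a second client, it does not prevent the copy.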
