Session hijacking measures

Sep 7, 2020 PHP web security


Recently, I’ve been studying security a lot, so I’d like to write an article about it so that I can teach you in an easy-to-understand manner. This time, I will explain about session hijacking.

#table of contents

  1. What is session hijacking?
  2. Session hijacking type
  3. Session hijacking measures
  4. Finally

#What is session hijacking? First of all, since the Web is made startless, it is not possible to judge that the person who came to this server earlier is Mr. A on an EC site or a site with a login function. To that end, a function called a session was devised. (Actually, a function such as cookie was created first, but the session was developed with security in mind.) Judgment is made by assigning this session ID to Mr. A and this session ID to Mr. B. doing.

If you want to actually see the session ID in PHP, you can check it by displaying it like this.

<? php

session_start ();
echo session_id (); // Session ID is displayed


Session hijacking means that a third party hijacks the information in this session and logs in to the site as the person.

#Session hijacking type There are three main types of session hijacking.

** Session Guess ** ** Session eavesdropping ** ** Session ID fixed attack **

First, session guessing means that a third party guesses the session ID and uses that session ID to access the site that the user was using.

Eavesdropping on a session is the interception and stealing of communications. It is also the use of cyber attacks such as XSS to direct users to sites created by third parties to steal session IDs. For example, if you press this URL on an SNS site, you will be directed to a URL created by a third party. The site is loaded with a vulnerability called XSS, and the session ID of the SNS site is stolen without your knowledge.

The session ID fixed attack is the opposite idea. When a third party tells the user to use this session ID and the user logs in to the site using that session ID, the third party uses that session ID to access the site. You will be able to do it. For example, if you send the SNS URL such as https://[email protected]?PHPSESSIONID=1111 to the user as a parameter of the SNS URL and the user opens the link of this URL, the session ID will be this value. I will. And then use this session ID, and so on.

#Session hijacking measures First, you may not include the session ID in the URL. When exchanging sessions, it is said that the session ID is stored in a cookie and exchanged, hidden is stored and exchanged, and the URL is stored and exchanged, but the first two can be used. If you store it in a URL and exchange it, there is a high possibility that it will be eavesdropped by a third party.

Second, you may not set the session ID to a value that can be guessed. It’s a good idea to use the session management implemented in web application development tools and frameworks.

Finally, make sure you generate a new session ID when you log in. To do that in PHP, do the following:

session_start ();
echo session_id ();
session_regenerate_id; // Generate a new session ID
echo session_id (); // An ID different from the session ID above will be generated

#at the end Recently, the number of people who program often is increasing, and many people are creating sites, but at that time there is a possibility that there are many people who are too conscious of speed and postpone security, so I also care about security. However, let’s keep in mind to make a site.


Session Hijacking-Wikipedia What is session hijacking?