Home Backend Development PHP Tutorial Complete explanation of PHP vulnerabilities (7)-Session hijacking

Complete explanation of PHP vulnerabilities (7)-Session hijacking

Dec 22, 2016 am 09:41 AM

The server and client communicate through sessions. When the client's browser connects to the server, the server will establish a session for the user. Each user's session is independent and maintained by the server. Each user's session is identified by a unique string, called a session id. When a user makes a request, the http header sent contains the value of session id. The server uses the session id in the http header to identify which user submitted the request.

Session saves the personal data of each user. General web applications will use session to save authenticated user accounts and passwords. When converting different web pages, if you need to verify the user's identity, use the account number and password saved in the session to compare. The life cycle of the session starts when the user connects to the server and ends when the user closes the browser or logs out when the session_destroy function deletes the session data. If the user does not use the computer within 20 minutes, the session will automatically end.

PHP application architecture for processing sessions

Complete explanation of PHP vulnerabilities (7)-Session hijacking

Session hijacking

Session hijacking refers to the attacker using various means to obtain the session id of the target user. Once the session ID is obtained, the attacker can use the target user's identity to log in to the website and obtain the target user's operation permissions.

Methods for attackers to obtain the target user’s session ID:

1) Brute force cracking: try various session IDs until they are cracked.

2) Calculation: If the session id is generated in a non-random way, it is possible to calculate it

3) Stealing: Use network interception, xss attacks and other methods to obtain

Session hijacking attack steps

Complete explanation of PHP vulnerabilities (7)-Session hijacking

Instances

//login.php 		
			
			
session_start(); 				
if (isset($_POST["login"])) 					
{ 				
$link = mysql_connect("localhost", "root", "root") 							
or die("无法建立MySQL数据库连接:" . mysql_error()); 								
mysql_select_db("cms") or die("无法选择MySQL数据库"); 									
if (!get_magic_quotes_gpc()) 										
{ 											
$query = "select * from member where username=’" . addslashes($_POST["username"]) . 												
"’ and password=’" . addslashes($_POST["password"]) . "’"; 													
} 														
else 															
{ 																
$query = "select * from member where username=’" . $_POST["username"] . 																	
"’ and password=’" . $_POST["password"] . "’"; 																		
} 																			
$result = mysql_query($query) 	
	
or die("执行MySQL查询语句失败:" . mysql_error()); 																					
$match_count = mysql_num_rows($result); 																						
if ($match_count) 																							
{ 										
$_SESSION["book"] = 1; 																											
mysql_close($link); 																									
header("Location: http://localhost/index.php?user=" . $_POST["username"]); 																															
}	
…..
	// 打开Session 																																				
		
			
	访客的 Session ID 是:echo session_id(); ?> 																																						
																							
																					
																	
															
																					
															
Copy after login

Complete explanation of PHP vulnerabilities (7)-Session hijacking

After logging in, it will show

Complete explanation of PHP vulnerabilities (7)-Session hijacking

Start attacking




//attack.php
php
//Open Session
session_start();
echo "Session of the target user" The ID is: ". session_id() . "
";
echo "The username of the target user is:" . $_SESSION["username"] . "
";
echo "The password of the target user is: " . $_SESSION["password"] . "
";
// Set the number of books to 2000
$_SESSION["book"] = 2000;
?>


Submit http://localhost/attack.php?PHPSESSID=5a6kqe7cufhstuhcmhgr9nsg45 This ID is the obtained customer session id. After refreshing the customer page

Complete explanation of PHP vulnerabilities (7)-Session hijacking

session fixed attack

Hackers can use the method of sending the session id to the user to Complete the attack

http://localhost/index.php?user=dodo&PHPSESSID=1234 Send this link to the user dodo for display

Complete explanation of PHP vulnerabilities (7)-Session hijacking


Then the attacker visits http://localhost/attack.php ?PHPSESSID=1234, the customer page refreshed and found


Complete explanation of PHP vulnerabilities (7)-Session hijacking

Prevention methods

1) Regularly change the session id

Function bool session_regenerate_id([bool delete_old_session])

delete_old_session If true, the old session file will be deleted; if it is false, the old session will be retained. The default is false. Optional

Add


session_start();

session_regenerate_id(TRUE);

...

This way a new session id will be generated every time it is reloaded

2) Changes The name of the session

The default name of the session is PHPSESSID. This variable will be saved in the cookie. If the hacker does not capture the packet and analyze it, he cannot guess the name and block some attacks


session_start();

session_name( "mysessionid");

......

3) Turn off transparent session id

Transparent session id means that when the http request in the browser does not use cookies to formulate the session id, the sessioin id is passed using a link; open php .ini, edit

session.use_trans_sid = 0

In the code


int_set("session.use_trans_sid", 0);

session_start();

...

4) Only check the session from the cookie id

session.use_cookies = 1 means using cookies to store session id

session.use_only_cookies = 1 means only using cookies to store session id, which can avoid session fixation attacks

In the code

int_set("session.use_cookies", 1 );

int_set("session.use_only_cookies", 1); p>

5) Use URL to pass hidden parameters


session_start();

$seid = md5(uniqid(rand()), TRUE ));

$_SESSION["seid"] = $seid;

Although the attacker can obtain the session data, he cannot know the value of $seid. As long as he checks the value of seid, he can confirm whether the current page is a web program. Called by yourself.

The above is the complete solution to PHP vulnerabilities (7) - Session hijacking. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!


Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

11 Best PHP URL Shortener Scripts (Free and Premium) 11 Best PHP URL Shortener Scripts (Free and Premium) Mar 03, 2025 am 10:49 AM

Long URLs, often cluttered with keywords and tracking parameters, can deter visitors. A URL shortening script offers a solution, creating concise links ideal for social media and other platforms. These scripts are valuable for individual websites a

Introduction to the Instagram API Introduction to the Instagram API Mar 02, 2025 am 09:32 AM

Following its high-profile acquisition by Facebook in 2012, Instagram adopted two sets of APIs for third-party use. These are the Instagram Graph API and the Instagram Basic Display API.As a developer building an app that requires information from a

Working with Flash Session Data in Laravel Working with Flash Session Data in Laravel Mar 12, 2025 pm 05:08 PM

Laravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-

Build a React App With a Laravel Back End: Part 2, React Build a React App With a Laravel Back End: Part 2, React Mar 04, 2025 am 09:33 AM

This is the second and final part of the series on building a React application with a Laravel back-end. In the first part of the series, we created a RESTful API using Laravel for a basic product-listing application. In this tutorial, we will be dev

Simplified HTTP Response Mocking in Laravel Tests Simplified HTTP Response Mocking in Laravel Tests Mar 12, 2025 pm 05:09 PM

Laravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>

cURL in PHP: How to Use the PHP cURL Extension in REST APIs cURL in PHP: How to Use the PHP cURL Extension in REST APIs Mar 14, 2025 am 11:42 AM

The PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.

12 Best PHP Chat Scripts on CodeCanyon 12 Best PHP Chat Scripts on CodeCanyon Mar 13, 2025 pm 12:08 PM

Do you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom

Announcement of 2025 PHP Situation Survey Announcement of 2025 PHP Situation Survey Mar 03, 2025 pm 04:20 PM

The 2025 PHP Landscape Survey investigates current PHP development trends. It explores framework usage, deployment methods, and challenges, aiming to provide insights for developers and businesses. The survey anticipates growth in modern PHP versio

See all articles