Re: [Sessions] Why are they more secure?

on 31.03.2008 18:04:41 by AnrDaemon

Greetings, Gilles Ganault.
In reply to Your message dated Tuesday, March 11, 2008, 01:31:06,

> If I'm correct, a session is a unique ID that's generated for each new
> session and saved as a cookie, as a way to identify a user, and keep
> data on the server, either in RAM or in a database.

> However, unless HTTPS is used the whole time, someone can see the
> session ID being sent back and forth between the client and the
> server, and bypass the login/password step by simply creating a cookie
> with the same name and value in his browser.

> Did I miss something in the way session ID's work?

You've missed the point that every sane developer does not believe in the session
ID itself, but instead he/she uses the SessionID+$_SERVER['REMOTE_ADDRESS']
combination.
And whenever the second one changes, either reset the session or discard the cookie
sent.


--
Sincerely Yours, AnrDaemon

Re: [Sessions] Why are they more secure?

on 31.03.2008 19:28:52 by Jerry Stuckle

AnrDaemon wrote:
> Greetings, Gilles Ganault.
> In reply to Your message dated Tuesday, March 11, 2008, 01:31:06,
>
>> If I'm correct, a session is a unique ID that's generated for each new
>> session and saved as a cookie, as a way to identify a user, and keep
>> data on the server, either in RAM or in a database.
>
>> However, unless HTTPS is used the whole time, someone can see the
>> session ID being sent back and forth between the client and the
>> server, and bypass the login/password step by simply creating a cookie
>> with the same name and value in his browser.
>
>> Did I miss something in the way session ID's work?
>
> You've missed the point that every sane developer does not believe in the session
> ID itself, but instead he/she uses the SessionID+$_SERVER['REMOTE_ADDRESS']
> combination.
> And whenever the second one changes, either reset the session or discard the cookie
> sent.
>
>

Wrong! $_SERVER['REMOTE_ADDRESS'] is completely insecure. Many
companies have proxies, and anyone going through their proxy will have
the same remote address.

Also, large companies (like AOL) have multiple proxies, and every
request may come from a different IP address.

This is not only insecure, it locks out people who should be able to
access your site.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Why are they more secure?

on 31.03.2008 20:27:18 by nc

On Mar 31, 9:04 am, AnrDaemon wrote:
>
> every sane developer does not believe in the session ID itself, but instead
> he/she uses the SessionID+$_SERVER['REMOTE_ADDRESS'] combination.
> And whenever the second one changes, either reset the session or discard the
> cookie sent.

This is the recipe for trouble with AOL users, whose IP addresses may
change sporadically. Not to mention the fact that an IP address is fairly
easy to spoof...

Cheers,
NC

Re: [Sessions] Why are they more secure?

on 02.04.2008 22:45:36 by AnrDaemon

Greetings, Jerry Stuckle.
In reply to Your message dated Monday, March 31, 2008, 21:28:52,

> AnrDaemon wrote:
>> Greetings, Gilles Ganault.
>> In reply to Your message dated Tuesday, March 11, 2008, 01:31:06,
>>
>>> If I'm correct, a session is a unique ID that's generated for each new
>>> session and saved as a cookie, as a way to identify a user, and keep
>>> data on the server, either in RAM or in a database.
>>
>>> However, unless HTTPS is used the whole time, someone can see the
>>> session ID being sent back and forth between the client and the
>>> server, and bypass the login/password step by simply creating a cookie
>>> with the same name and value in his browser.
>>
>>> Did I miss something in the way session ID's work?
>>
>> You've missed the point that every sane developer does not believe in the session
>> ID itself, but instead he/she uses the SessionID+$_SERVER['REMOTE_ADDRESS']
>> combination.
>> And whenever the second one changes, either reset the session or discard the cookie
>> sent.
>>
>>

> Wrong! $_SERVER['REMOTE_ADDRESS'] is completely insecure. Many
> companies have proxies, and anyone going through their proxy will have
> the same remote address.

That's a matter of the inner security of their networks. Not Your (as a developer)
problem. In fact, You can't uncover the truth in such a case.
If Your data is so sensitive, then You must use HTTPS transport. No way.

> Also, large companies (like AOL) have multiple proxies, and every
> request may come from a different IP address.

Never saw such a case, and I think in the real world it will not happen. Once You
start Your session, You're stuck to one given proxy, and until You reboot Your
PC or in some other way disconnect from the network, You're working through the same
proxy.

> This is not only insecure, it locks out people who should be able to
> access your site.

As I said, I have never seen such an occasion in real practice (excluding some
hacking attempts which I uncovered yesterday by looking at some very
old logs... hehe).
If You can provide me a test case or other real-world example, I want to see
it.


--
Sincerely Yours, AnrDaemon

Re: Why are they more secure?

on 02.04.2008 22:51:19 by AnrDaemon

Greetings, NC.
In reply to Your message dated Monday, March 31, 2008, 22:27:18,

>> every sane developer does not believe in the session ID itself, but instead
>> he/she uses the SessionID+$_SERVER['REMOTE_ADDRESS'] combination.
>> And whenever the second one changes, either reset the session or discard the
>> cookie sent.

> This is the recipe for trouble with AOL users, whose IP addresses may
> change sporadically.

Bad for them, if it is true. And there is always a chance for a normal ISP with
sane routing schemes.

> Not to mention the fact that IP address is fairly easy to spoof...

It is a bit off-topic here, as it is a matter of lower-level network conflict
resolution. At the application level, You have little chance of detecting such
attacks if they passed through the network layer.

In closing, if Your data is THAT sensitive (or You're that paranoid), use
HTTPS.


--
Sincerely Yours, AnrDaemon

Re: [Sessions] Why are they more secure?

on 03.04.2008 00:37:15 by Jerry Stuckle

AnrDaemon wrote:
> Greetings, Jerry Stuckle.
> In reply to Your message dated Monday, March 31, 2008, 21:28:52,
>
>> AnrDaemon wrote:
>>> Greetings, Gilles Ganault.
>>> In reply to Your message dated Tuesday, March 11, 2008, 01:31:06,
>>>
>>>> If I'm correct, a session is a unique ID that's generated for each new
>>>> session and saved as a cookie, as a way to identify a user, and keep
>>>> data on the server, either in RAM or in a database.
>>>> However, unless HTTPS is used the whole time, someone can see the
>>>> session ID being sent back and forth between the client and the
>>>> server, and bypass the login/password step by simply creating a cookie
>>>> with the same name and value in his browser.
>>>> Did I miss something in the way session ID's work?
>>> You've missed the point that every sane developer does not believe in the session
>>> ID itself, but instead he/she uses the SessionID+$_SERVER['REMOTE_ADDRESS']
>>> combination.
>>> And whenever the second one changes, either reset the session or discard the cookie
>>> sent.
>>>
>>>
>
>> Wrong! $_SERVER['REMOTE_ADDRESS'] is completely insecure. Many
>> companies have proxies, and anyone going through their proxy will have
>> the same remote address.
>
> That's a matter of the inner security of their networks. Not Your (as a developer)
> problem. In fact, You can't uncover the truth in such a case.
> If Your data is so sensitive, then You must use HTTPS transport. No way.
>

Nope. It's how life works. I'm just pointing out the fallacies in your
"suggestion". It doesn't work.

>> Also, large companies (like AOL) have multiple proxies, and every
>> request may come from a different IP address.
>
> Never saw such a case, and I think in the real world it will not happen. Once You
> start Your session, You're stuck to one given proxy, and until You reboot Your
> PC or in some other way disconnect from the network, You're working through the same
> proxy.
>

It does happen. I can name a few - AOL, Intel, IBM, Microsoft... shall
I continue?

You really need to learn how round-robin proxies work.

>> This is not only insecure, it locks out people who should be able to
>> access your site.
>
> As I said, I have never seen such an occasion in real practice (excluding some
> hacking attempts which I uncovered yesterday by looking at some very
> old logs... hehe).
> If You can provide me a test case or other real-world example, I want to see
> it.
>
>

I have. Get someone on one of those round-robin proxies to hit your
website multiple times and watch the IP address. You will see it can
change at any time.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
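As an added illustration that is not part of the thread (example code written here, not AnrDaemon's or Jerry Stuckle's), the following Python models the three things the exchange argues about: the server-side session table that PHP keeps behind a cookie carrying only the ID, the "bind the session to the client address" policy proposed above, and the round-robin proxy pool Jerry describes, where one user's successive requests arrive from different addresses. It is a simulation in Python rather than PHP; note that PHP's actual key for the client address is `$_SERVER['REMOTE_ADDR']`. The proxy addresses are constructed TEST-NET-3 values, the store is an in-memory dict, and the cookie name `PHPSESSID` is PHP's default.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Server-side session table, as PHP keeps it: the cookie carries only the
    ID; the user data stays on the server.  bind_to_ip=True is the policy
    proposed in the thread (discard the session when the client address changes)."""
    bind_to_ip: bool
    sessions: dict = field(default_factory=dict)
    lockouts: int = 0  # legitimate sessions destroyed by the IP check

    def login(self, user: str, client_ip: str) -> str:
        # A fresh, unguessable ID on every login (what session_regenerate_id() does).
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def resolve(self, sid: str, client_ip: str):
        """Return the user owning this session ID, or None if it is not valid."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.bind_to_ip and entry["ip"] != client_ip:
            # Address changed: the proposed policy treats this as a hijack,
            # throws the session away and forces a fresh login.
            del self.sessions[sid]
            self.lockouts += 1
            return None
        return entry["user"]


def set_cookie_header(sid: str, https: bool) -> str:
    """The transport-level fix the thread converges on: send the ID only
    over HTTPS (Secure) and keep it away from page scripts (HttpOnly)."""
    attrs = ["PHPSESSID=" + sid, "Path=/", "HttpOnly"]
    if https:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def simulate(bind_to_ip: bool, egress_ips: list, n_requests: int):
    """Constructed scenario: one legitimate user whose requests leave a
    corporate network through a round-robin pool of proxies, so successive
    requests arrive from the addresses in egress_ips in turn.
    Returns (requests served, sessions destroyed by the IP check)."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    sid = store.login("alice", egress_ips[0])
    served = 0
    for i in range(n_requests):
        client_ip = egress_ips[i % len(egress_ips)]
        if store.resolve(sid, client_ip) == "alice":
            served += 1
    return served, store.lockouts


if __name__ == "__main__":
    pool = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # constructed (TEST-NET-3)
    print("strict IP binding, round-robin proxy:", simulate(True, pool, 6))      # (1, 1)
    print("no IP binding, round-robin proxy:   ", simulate(False, pool, 6))     # (6, 0)
    print("strict IP binding, single proxy:    ", simulate(True, pool[:1], 6))  # (6, 0)
    print(set_cookie_header("<session-id>", https=True))
```

With strict binding the user behind a three-proxy pool is served exactly once and then forced to log in again, which is the lockout Jerry and NC warn about. With a single shared proxy the check passes every request, so it gives the server no information about which client behind that proxy sent it, Jerry's first objection. The `Secure` attribute on the cookie addresses Gilles's original concern directly: the browser never sends the ID over an unencrypted connection, so there is nothing on the wire to observe.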