
I have been doing some reading over the past few days on Session IDs and the methods taken to prevent people from intercepting them and using them to hijack a session.

From what I have read, when sending the Session ID in a cookie to the browser, SSL/TLS should be used to prevent someone from packet-sniffing the Session ID, and this cookie should be set to HttpOnly so that it cannot be read by JavaScript.

I personally thought that checking that the client IP address from which the Session ID is being received is constant would be a good additional measure, but I have read conflicting arguments online, with people saying that proxies and other things may mess with this.

My questions are:

  1. Are SSL/TLS and HttpOnly enough to be sure that a session cannot be hijacked?
  2. Is there a way to use client IP addresses as an extra layer of protection?
  3. Are there any more measures that can be taken to protect a session?
  4. Can we ever be 100% sure that someone cannot hijack a session?

Anders
K Martin
  • This question (or rather questions) are far too broad! It would require a very detailed and lengthy answer to cover them all in sufficient detail. – Little Code Jun 15 '16 at 08:05
  • Why don't you google them yourself? – Tilak Madichetti Jun 15 '16 at 09:08
  • @TilakMadichetti Most questions here could be answered by googling, but that is fine. In fact we strive to be the first result when you google! (You are still supposed to do some research before you ask, as the OP did in this case.) – Anders Jun 15 '16 at 10:35
  • @Anders ... all well and good for asking but the OP asked not one but four questions, all of which require excessively detailed answers. – Little Code Jun 15 '16 at 14:05

1 Answer

Are SSL/TLS and HttpOnly enough to be sure that a session cannot be hijacked?

Those are the must-dos, and they offer good (but not perfect) protection. See question four.

Is there a way to use client IP addresses as an extra layer of protection?

Just checking that a session ID is used by the IP that created it will break your site for a lot of users, e.g. for mobile users who might not have a constant IP. (It will also not protect users if the attacker is on the same LAN and shares the user's IP.) This is not recommended.

What you could consider is using geolocation. If a session ID created for a user in Mexico is suddenly used by someone in China five minutes later, it might be a sign that something is wrong. On the other hand, this will break things for people using Tor and some VPNs that rotate IPs.

Are there any more measures that can be taken to protect a session?

Yes. Make sure that you generate long, random session IDs with a CSPRNG.

Also, make sure you are not vulnerable to session fixation by not accepting session IDs you have not generated yourself and/or by changing the session ID on login.

Can we ever be 100% sure that someone cannot hijack a session?

No. You can never be 100% sure about anything regarding security (or anything at all, for that matter). For instance there is no way you can protect your users from someone with physical access to their computer, since that would allow the attacker to just read the session ID from the cookie in the browser.

Anders
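The measures the answer lists, collected into one runnable server-side sketch. This is an added example, not code from the question or the answer: the `SessionStore`, `Session`, `session_cookie` and `geo_anomaly` names are illustrative rather than any framework's API, the country code passed to `geo_anomaly` is assumed to come from a GeoIP lookup that is not shown, and the `SameSite=Lax` attribute and `__Host-` cookie prefix are extra hardening beyond what the answer discusses.

```python
"""Session handling that follows the answer above: long CSPRNG session IDs,
only server-issued IDs accepted (no fixation), ID rotation on login, a
Secure + HttpOnly cookie, and an advisory geolocation check. Added example;
the class and function names are illustrative, not any framework's API."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# 32 bytes = 256 bits of entropy. secrets.* reads the OS CSPRNG; the `random`
# module is a Mersenne Twister and must not be used for session IDs.
SESSION_ID_BYTES = 32


@dataclass
class Session:
    user: Optional[str]            # None until the user authenticates
    created: float
    last_country: Optional[str] = None
    last_seen: float = 0.0


class SessionStore:
    """In-memory store. The clock is injectable so the example is testable."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def new_session_id() -> str:
        # URL-safe base64 of 32 random bytes: 43 characters, no padding.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self) -> str:
        sid = self.new_session_id()
        self._sessions[sid] = Session(user=None, created=self._clock())
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[Session]:
        # Fixation defence 1: only IDs this store issued are known. An ID the
        # attacker planted (a URL parameter, a pre-set cookie) is simply
        # unknown, so no session is ever attached to it.
        if not sid:
            return None
        return self._sessions.get(sid)

    def login(self, old_sid: Optional[str], user: str) -> str:
        # Fixation defence 2: issue a fresh ID at the privilege change. An ID
        # the attacker may have known (the old one) no longer maps to anything.
        old = self._sessions.pop(old_sid, None) if old_sid else None
        new_sid = self.new_session_id()
        self._sessions[new_sid] = Session(
            user=user,
            created=self._clock(),
            last_country=old.last_country if old else None,
            last_seen=old.last_seen if old else 0.0,
        )
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str, max_age: int = 3600) -> str:
    """Set-Cookie value: Secure (sent over TLS only) and HttpOnly (hidden from
    document.cookie). SameSite=Lax and the __Host- prefix are hardening beyond
    the answer; __Host- makes the browser reject the cookie unless it is
    Secure, has Path=/ and carries no Domain attribute."""
    return (f"__Host-sid={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def geo_anomaly(session: Session, country: str, now: float,
                window: float = 300.0) -> bool:
    """The Mexico-then-China-five-minutes-later heuristic from the answer.
    Returns True when the country changed within `window` seconds. Treat it
    as a trigger for step-up authentication, not a reason to kill the session:
    Tor and rotating VPNs trip it legitimately. `country` is assumed to come
    from a GeoIP lookup of the client address (not shown here)."""
    suspicious = (
        session.last_country is not None
        and country != session.last_country
        and now - session.last_seen < window
    )
    session.last_country = country
    session.last_seen = now
    return suspicious


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                        # pre-login session
    assert store.lookup("attacker-chosen-id") is None
    sid = store.login(anon, "alice")             # ID rotates here
    assert store.lookup(anon) is None and store.lookup(sid).user == "alice"
    print("Set-Cookie:", session_cookie(sid))
    s = store.lookup(sid)
    print(geo_anomaly(s, "MX", now=1000.0))      # False: first sighting
    print(geo_anomaly(s, "CN", now=1200.0))      # True: country changed in 200 s
```

The store deliberately has no "accept a client-supplied ID and create a session for it" path; that absence is what closes fixation, and `login` rotating the ID covers the case where the attacker obtained an anonymous ID before the victim authenticated. The geolocation check only updates state and returns a flag, leaving the response (re-prompt for the password, notify the user) to the caller, which is where the Tor/VPN false positives the answer mentions have to be handled.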