
So I was doing some tests with the PHP session ID cookie. I know that the data is stored on the server; however, a cookie with a unique ID is stored so that the server can recognize the client while browsing. So, what happened is I got the ID of the cookie and opened Firefox on a different computer, edited that phpsession cookie to the ID I had on the computer where I had logged in... and bam, just as expected, I was logged in.

All I could do to patch it was check that the HTTP user agent and the first three groups of numbers (xxx.xxx.xxx.123) of the IP do not change (to avoid the dynamic IP problem). I want to know, though, whether using a permanent HTTPS connection will make the content of the PHP session ID un-hijackable, e.g. someone getting into my computer, grabbing the cookie content, and using it for themselves.

Extra question: I know that security through obscurity is not good, but is there a way of changing the cookie name to some acronym like ps or sid?

EDIT: I do not think this question is a duplicate, because the process to set these flags and configuration values is not mentioned in the linked question.

Alex Cavazos

1 Answer


The cookie is what identifies the session, so if it is stolen the session is stolen. What you have to do is protect the application and the cookie to avoid being hijacked.

  • Use the HttpOnly flag
  • Use HTTPS
  • Use the secure flag
  • Use the correct cache headers
  • Don't use the cookie in the URL
  • Use temporary cookies

In general, you can use the OWASP Testing Guide v4 to protect the whole application and thus protect the cookies.

kinunt
  • But even if I use https to protect the route between the server and the client, someone can still steal the session if they get the cookie? Even with https? – Alex Cavazos May 06 '14 at 16:53
  • Yes. HTTPS does not protect against someone using a valid cookie to take over an open session. – kinunt May 06 '14 at 17:43
  • Okay, final question. I have the site here https://host-atom.net/alex/ ; the homepage shows a yellow warning on the padlock, but on other sites it shows fully green. What could be causing it? EDIT: This is how I am setting the cookies: session_set_cookie_params ( 0, '', '', true, true); /* INI Settings */ ini_set('session.cookie_secure', true); ini_set('session.name', 'hass'); session_name('hass'); session_start(); – Alex Cavazos May 06 '14 at 17:44
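As an added example (not part of kinunt's answer or of the asker's code), here is one way to apply the answer's list in PHP: HttpOnly and Secure flags, a browser-session (temporary) cookie, no-cache headers, and no session ID in the URL, plus session ID regeneration on login. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params and the samesite option) and a site served over HTTPS; the cookie name `sid` and the `$_SESSION` key names are arbitrary choices.

```php
<?php
// Added example, not the original answer's code. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

function configure_session(): void
{
    // Never accept a session ID from the URL and never rewrite one into links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Refuse client-supplied IDs the server did not issue (session fixation).
    ini_set('session.use_strict_mode', '1');

    // Longer, higher-entropy session IDs (PHP >= 7.1).
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // Renaming the cookie is cosmetic, not a security control; harmless though.
    session_name('sid');

    // lifetime 0 => cookie is discarded when the browser closes (temporary cookie).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript (document.cookie)
        'samesite' => 'Lax',   // not sent on most cross-site requests
    ]);

    // Pages that depend on the session must not be stored by shared caches.
    session_cache_limiter('nocache');

    session_start();
}

function login(string $userId): void
{
    // A privilege change gets a fresh ID, so a pre-login ID cannot be replayed.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

function logout(): void
{
    $_SESSION = [];

    // Expire the cookie in the browser as well as deleting the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);

    session_destroy();
}

configure_session();
```

These settings stop the ID from leaking through URLs, scripts, caches and plaintext HTTP, and the regeneration on login and on logout limits how long any one ID is valid. They do not change the point made in the answer: a cookie copied off a logged-in machine is still a valid credential until the session ends, so keep sessions short and give users a logout that actually destroys the session.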