I wrote a PHP class which handles Session and store them in DB instead of normal Files in the server, you can find it on My Session Handler Class
In that post a user by name @AnotherGuy has raised some security concern/flaws about my Session Fingerprinting methods
, which seems valid to me, and I am quoting him below :
Now to the last thing I will talk about. As said in the start I am no security expert, but I feel like your fingerprint solution is fishy. Imagine two different people from the same company using your site. The company uses a load balancer, which makes their IP address the same. If all company's browsers/clients are the same your fingerprint for these two people would be identical. Even though you are checking HTTP_X_FORWARDED_FOR headers you cannot rely on load balancers to send the header. I cannot tell you how to properly detect sessions using the fingerprint idea.
He was referring to the functions getFingerPrint()
& _isSuspicious($fp)
/**
* [_getFingerPrint generates session fingerprints md5(USER AGENT + SECURE SESSION + IP ADDRESS)]
* @return [strings] [encryted session info fingerprint]
*/
private function _getFingerPrint()
{
return md5($this->_user_agent.self::SECURE_SESSION . $this->_ip_address);
}
/**
* [_isSuspicious check for possible session hijack attempt, by comaparing encrypted user system specific values against exoisting records ]
* @param [string] $fp [session fingerprint]
* @return boolean
*/
private function _isSuspicious($fp)
{
return ($fp != $this->_getFingerPrint()) ? True : False;
}
I am using getFingerPrint()
to generate a session hash using user agent + salt + ip address, and _isSuspicious()
to check the fingerprint generated again against the fingerprint stored in Database.Well it seems to address security risk upto same extent, but when users are in Local Network(LAN etc) and also use same browser agents they seems to br viable to the security risk of session hijacking
.
Also I am using the below function to get user's IP address,
/**
* [_getRealIpAddr Get the IP address of the user]
* @return [strings] [IP address of the client]
*/
private function _getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP']))
{
/*check ip from share internet*/
$ip = $_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
/*to check ip is pass from proxy*/
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip = $_SERVER['REMOTE_ADDR'];
}
return $ip;
}
Now how can I make make this session hashing more robust when users share same network pool.
The first solution comes to my mind is adding a COOKIE
(random salt/number etc) to the hashing which will be particular to user specific system and in spite of having same User agent & ip address two users will have different Local Cookies. Anyone has any other better solution/options or completely different way to handle this situation ?
Edit 2 : What about using EVERCOOKIE [ but what if javascript is disabled ? ] !