Hi Guys,

Ive been doing some research on session fixation..

From what I understand...

If a hacker logs into my site ( getting a session ID ) and then somehow gets a user to visit my site with his PHPSESSID .. They will then login and they "both" be able to do the same thing.. IE: the hacker will now have their access level..

Im trying to stop this ( Albeit a small problem ).

Currently WHENEVER anyone auths or changes "permission levels"

I do this:

Code:

<?php
session_start(); // Start the Session
session_destroy(); // Destroy it..
session_start(); // Start a new one.
session_regenerate_id();  // regen the ID.
?>

Now,
With this im assuming that this can stop any kind of fixation hack?

The hacker will have one ID, Then if they try and get a user to use their ID.
It will fail because a new session with a new ID has been forced?


Am I thinking about this right?

Ive read a lot of documents and as far as I can tell, This would fix my issue. ( albeit a tiny issue )

Any thoughts?

I doubt you'll need to destroy and recreate the session. Just generating a new ID should suffice. And yes, that should make it impossible for a hacker to make a fixation attack.

Cool, TY.

Thought it might be the case.
At least it makes it that bit harder.

There is a good method to use to help prevent session hijacking is by using tokens. A token is a random unique string that is generated for each page request. Here is how it works:

1. Generate a new token and save it to the session:
$_SESSION['token'] = uniqid();

2. If the current page is a form page, pass the current token as a hidden form value:
<input type="hidden" name="token" value="<?php echo $token; ?>" />

3. When the user submits the form data, compare the $_POST['token'] with the session saved token (before a new one is generated and overwritten).

This will help keep sensitive tasks between the user and session.

Ahh thats an idea.
I wondered why "tokens" appear on sites.. I suppose its for this..