Hacking Session Id


    #16
    I learned a hard lesson: if you don't share, they will come after you and destroy what you've got. It happened to me; from there on I'm sharing what I received.



      #17
      1. Code a site that users can't hack lol
      2. Make sure you don't share with anyone.
      3. Code the site! Don't be lazy, you can do it...
      4. Make a big watch 24/7 on your servers...
      5. LOL LOL LOL LOL LAVALAIR LOL LOL LOL LOL LOL

      Well, I hate the sid idea. I used it; I know my site has not been hacked, not once at all, but I can say.. I'm coding a new one
      Visit: Chat4u.mobi - The New Lay Of being a site of your dreams!
      Visit: WapMasterz Coming Back Soon!
      _______
      SCRIPTS FOR SALE BY SUBZERO
      Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ - > Best Script for your site no other can be hacked by sql or uploaders.
      FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> Uploader you will never regret buying yeah it mite be old now but it still seems to own others...
      _______
      Info & Tips
      php.net
      w3schools.com



        #18
        Completely agree with sub. I am coding my own script now and I know that the sessions can't be hijacked lol



          #19
          Lolz... Session ID hacking in Lavalair: it uses md5 of the uid and the current time.. Like this, e.g.: $uid="nick"; $tm=time(); $did = $uid.$tm; $sid = md5($did);
          Visit my WEBSITE Project: http://www.aspirewap.net



            #20
            Originally posted by m4ster_v4
            Lolz... Session ID hacking in Lavalair: it uses md5 of the uid and the current time.. Like this, e.g.: $uid="nick"; $tm=time(); $did = $uid.$tm; $sid = md5($did);
            and that can be secured very easily...
            It's better to keep your mouth shut and give the impression that you're stupid, than to open it and remove all doubt.
            ⓣⓗⓔ ⓠⓤⓘⓔⓣⓔⓡ ⓨⓞⓤ ⓑⓔ©ⓞⓜⓔ, ⓣⓗⓔ ⓜⓞⓡⓔ ⓨⓞⓤ ⓐⓡⓔ ⓐⓑⓛⓔ ⓣⓞ ⓗⓔⓐⓡ !
            ιη тнєσяу, тнє ρяα¢тι¢є ιѕ α яєѕυℓт σƒ тнє тнєσяу, вυт ιη ρяα¢тι¢є ιѕ тнє σρρσѕιтє.
            キノgんイノ刀g 4 ア乇ムc乇 ノ丂 レノズ乇 キucズノ刀g 4 √ノ尺gノ刀ノイリ!



              #21
              and that can be secured very easily...
              You're right mate, but after chatting to a few so-called coders and hosters: they know how to exploit something, but when it comes down to fixing it on their site, or on any site for that matter, they don't know how to, for the simple reason they don't know how the exploit works. There are many exploits I've been sent and I've made for Lava, but I do know how to fix them. Why boast about something if you don't know how to fix it?

              m4ster_v4, I challenge you to tell us how you would fix that. It's very simple. But do you know? Note that he can ask others, so this may not entirely be accurate.
              Want something coded? Email me at sales@webnwaphost.com for prices.


                #22
                Originally posted by crazybrumi
                You're right mate, but after chatting to a few so-called coders and hosters: they know how to exploit something, but when it comes down to fixing it on their site, or on any site for that matter, they don't know how to, for the simple reason they don't know how the exploit works. There are many exploits I've been sent and I've made for Lava, but I do know how to fix them. Why boast about something if you don't know how to fix it?

                m4ster_v4, I challenge you to tell us how you would fix that. It's very simple. But do you know? Note that he can ask others, so this may not entirely be accurate.
                OMG! This topic should be banned. Search! Search!! SEARCH!!! It's been posted, discussed, re-discussed, treated, repeated and all. Securing sid is the easiest exploit and it has the easiest solutions. The only problem is laziness, inability to read AND UNDERSTAND simple English (and PHP)... Just search, read, ask questions, understand, then fix. Nowadays people just look for copy-paste, forgetting that there are so many edits that even copy and paste that used to work perfectly during the ravingwap time can't work again. Code that is copy and paste usually breaks because of undefined functions, syntax errors, PHP versions etc.



                  #23
                  Fix it?? Change the session id generation style.. Or you can add time()+8 to change the standard time.. That may also be hard to hack if you don't tell anyone about that.. OK. Peace. Keep your sc security secret. That's enough.


                    #24
                    Originally posted by m4ster_v4
                    Fix it?? Change the session id generation style.. Or you can add time()+8 to change the standard time.. That may also be hard to hack if you don't tell anyone about that.. OK. Peace. Keep your sc security secret. That's enough.
                    Nice "solution" haha, why would someone give a hoot how you got the session if he could just grab it anyway? O.o
                    But if you all are so obsessed about how to generate unique sids
                    $sid = md5(uniqid(rand(),true));
                    is way better.
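
Added example, not code from any poster or from Lavalair: the md5($uid.time()) scheme quoted above is a pure function of a username and the clock, and a constant offset such as time()+8 does not change that; uniqid() is likewise clock-derived and rand() is not a cryptographic generator. The sketch contrasts those with an id drawn from PHP's CSPRNG and stored only as a digest; all function names are hypothetical and the timestamp is constructed.

```php
<?php
// Added example; function names are hypothetical, sample values are constructed.

// The scheme quoted in the thread: a pure function of the username and the clock.
function lavalair_style_sid(string $uid, int $tm): string
{
    return md5($uid . $tm);
}

// Shifting the clock by a constant keeps the id a pure function of the same inputs.
function offset_sid(string $uid, int $tm): string
{
    return md5($uid . ($tm + 8));
}

// 256 bits from the operating system CSPRNG (PHP 7+): nothing to reconstruct.
function random_sid(): string
{
    return bin2hex(random_bytes(32));
}

// Store only a digest server-side, so a leaked session table holds no usable ids.
function sid_storage_key(string $sid): string
{
    return hash('sha256', $sid);
}

// Constant-time comparison of a presented id against the stored digest.
function sid_matches(string $presented, string $storedKey): bool
{
    return hash_equals($storedKey, sid_storage_key($presented));
}

$tm = 1252192260; // constructed timestamp
// Same inputs give the same id, with or without the offset trick.
var_dump(lavalair_style_sid('nick', $tm) === lavalair_style_sid('nick', $tm));
var_dump(offset_sid('nick', $tm) === lavalair_style_sid('nick', $tm + 8));

$sid = random_sid();
$key = sid_storage_key($sid);
var_dump(strlen($sid));                    // length in hex characters
var_dump(sid_matches($sid, $key));         // the issued id
var_dump(sid_matches(random_sid(), $key)); // any other id
```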



                      #25
                      lol, most people don't need to know how your sessions work to grab them; a simple referer logging script can grab them just as easily, and from what I've seen the fix, apart from taking out every type of external link, is to use cookies for session storing



                        #26
                        Cookies can suck too IF not properly secured or not supported by the browser. What's your site? I'll show you how, or what I mean.



                          #27
                          My mate's site was being constantly hacked by some Jamaican guys using session hijacking. At first I was stumped as to how they got the passwords for the accounts; they were not changing them, but logging in and then changing them.

                          So I viewed the server logs: they would set an avatar that was on their server.... then as soon as an owner, admin, co-owner or moderator viewed their profile, wham, they were in their accounts.

                          The session id was in their access_logs in cPanel, or error_logs, depending on whether they had set the correct URL for their avatars. Well, how did they get the password, you may ask.... Lavalair scripts use a WML variable for the password when you log in: $(logpwd).

                          If the URL of the avatar entered was like so:

                          Code:
                          http://server.com/image.gif?userpw=$(logpwd).
                          If someone viewed the profile using the WML of Lavalair, the referer now contains that user's password.

                          ----------------

                          The solution: don't link to files from another site. But this would not have been fair on users that host their photos elsewhere and were legally hotlinking these....

                          So I used GD to resize the image, not directly calling the image from the page with the session id on it..... Still the session id was in the URL.... Then the eureka moment.

                          GD has support for redirection of images; it does not require a direct image link, it will follow redirects, so I created a file.

                          thinkyourclever.php
                          Code:
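                          <?php
                          // Read the remote image URL from ?image= and redirect to it.
                          $image = $_GET["image"] ?? "";
                          // Only absolute http(s) targets are followed.
                          if (!preg_match('#^https?://#i', $image)) { http_response_code(400); exit; }
                          header("Location: $image");
                          exit;
                          ?>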
                          Then I used that as the image address in my image resizer.

                          It worked: the server logs show no referer information except the IP address of the linking server.

                          I created another, cleanref.php

                          Code:
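                          <?php
                          // Read the remote link target from ?url= and redirect to it.
                          $url = $_GET["url"] ?? "";
                          // Only absolute http(s) targets are followed.
                          if (!preg_match('#^https?://#i', $url)) { http_response_code(400); exit; }
                          header("Location: $url");
                          exit;
                          ?>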

                          I added www.server.com/cleanref.php?url=url in front of all links that are on remote servers; this included bbcode images and URLs, vault, spam links, autolink generation.... I don't think I missed many of them.
                          Last edited by wap2k; 05.09.09, 23:11.
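
Added example, not the poster's or Lavalair's code: the password leak described above depends on a user-supplied avatar URL carrying a WML variable reference that the viewer's browser expands. One way to close that path is to reject such URLs when they are saved and to double every "$" when user text is written into a deck; wml_escape() and is_safe_remote_url() are hypothetical helpers, and the sample inputs are constructed apart from the URL shape quoted in the post. It does not address the session id in the page URL.

```php
<?php
// Added example; wml_escape() and is_safe_remote_url() are hypothetical helpers.

// WML browsers replace "$name" and "$(name)" with variable values before the
// deck is used; "$$" is a literal dollar. Doubling "$" in user-supplied text
// keeps it from referencing deck variables such as the login password field.
function wml_escape(string $text): string
{
    return htmlspecialchars(str_replace('$', '$$', $text), ENT_QUOTES, 'UTF-8');
}

// Accept only absolute http(s) URLs with a host and no "$" anywhere.
function is_safe_remote_url(string $url): bool
{
    if (strpos($url, '$') !== false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true);
}

$samples = [
    'http://images.example/photo.gif',              // constructed
    'http://server.com/image.gif?userpw=$(logpwd)', // URL shape from the post
    'ftp://images.example/photo.gif',               // constructed
];
foreach ($samples as $url) {
    printf("%-48s %s\n", $url, is_safe_remote_url($url) ? 'accept' : 'reject');
}
// User text written into a deck: "$" doubled, markup characters encoded.
echo wml_escape('see $(logpwd) & <b>'), "\n";
```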



                            #28
                            Why not just configure your server not to send headers out? Isn't that easier?

                            Added after 5 minutes:

                            And cookies can be hijacked using cross scripting techniques if you know how....
                            Last edited by ozziemale31; 06.08.10, 07:47.

                            Don't ask me dumb questions, or you'll get a dumb answer..
                            Want a professional logo or theme for your wap site? PM me. If I have the time I'll make it for free
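
Added example, not code from the thread: cookie-only session storage as suggested in the posts above, with the settings that answer the two objections raised there (cookies that are not properly secured, and cookie theft through scripting). It assumes PHP 7.3+, an HTTPS site and a browser that accepts cookies and honours Referrer-Policy; start_hardened_session() and on_login() are hypothetical names.

```php
<?php
// Added example; function names are hypothetical. Assumes PHP 7.3+ and HTTPS.

function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore session ids passed in URLs
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the id
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // expires when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',  // withheld on cross-site subrequests
    ]);
    session_start();
    // Ask the browser not to send this page's URL to remote hosts.
    header('Referrer-Policy: no-referrer');
}

// Issue a fresh id at login so an id seen before authentication is useless.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

start_hardened_session();
```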



                              #29
                              Update,

                              Cookies can't be hijacked from my site. As for the cookie, it shows, but how will you use it? That's the answer I need, bro


                                #30
                                If someone shares how to fix it, the topic is done. All users using a Lavalair script need it; tell it and share how to prevent it! I know all the staff here know how to prevent it! Why don't you share it? Why don't you tell how to fix it?
                                Staff need to help members! If you don't share how to prevent this problem, BEING STAFF is USELESS!
                                LESS TALK. LESS MISTAKE.

                                HTTP://APPSROB.COM - LIST OF MY FACEBOOK APPS!
