Hiding Session Id


#16
Quote (djlee @ Jan 28 2009, 04:11 AM):
    No, if your stored IP and your current IP are different then the session is deleted, and you need to log back in. Upon re-logging in, the script enters your new IP into the DB and that becomes your stored IP. Therefore the hijacker needs your password to log in in order to reset the stored IP. I really don't see the difficulty you're having in understanding this, lol.

OK, I got you now.

I also figured out that a session ID in the link is not a hacking problem if some code is added to it.


#17
Cheers, sub. Yeah, it is definitely the best way to do sessions.


#18
Quote (djlee @ Jan 28 2009, 01:45 AM):
    mod_rewrite isn't the way forward. Look at what the user gives you to identify themselves... erm, browser? IP? Just to name two. So why not make those two things part of the authentication process: if ($currentip != $storedip) then request re-login. That would solve, erm, 99% of your script-kiddie session jacking. The rest of the 1%... well, don't even try to stop them, because even I can brute-force your SSH port into submission, so the experts that make up that 1% wouldn't have a problem.

Yes, djlee, it's true, but I'm not afraid of that kind of hacker, because they are not wannabes and there's no protection from them, because you know nothing is UNHACKABLE...


#19
Well, that's what I said. Checking for IP changes is simple and will stop 99% of the script kiddies. The other 1% would have to understand how to get a randomised number from the start of an authenticated packet being sent over a remote network, and then be able to spoof that random key into their own data packets so they appear to come from an authenticated TCP stream already established with someone else (hence identifying as their IP, not yours).

Apart from it being over-complicated to actually do that, anyone that can do that... well, you really think they'd care about some 2-bit cloned wapsite that gains them nothing by hacking?


#20
Quote (djlee @ Jan 28 2009, 03:14 PM):
    Well, that's what I said. Checking for IP changes is simple and will stop 99% of the script kiddies. The other 1% would have to understand how to get a randomised number from the start of an authenticated packet being sent over a remote network, and then be able to spoof that random key into their own data packets so they appear to come from an authenticated TCP stream already established with someone else (hence identifying as their IP, not yours).

    Apart from it being over-complicated to actually do that, anyone that can do that... well, you really think they'd care about some 2-bit cloned wapsite that gains them nothing by hacking?

Most mobile phones on the same network share IPs, so what happens when you and I use the same type of phone on the same network? Unless you add something else to the authentication process, like username, ID etc., there will be some conflicts.


#21
OK, you have username and password; they are part of the authentication process. The session ID defines those two vars, and if it doesn't then you're using a really **** session system anyway (this is why I create my own session systems). As far as shared mobile IPs go, that's not a worry. I've never seen a successful session hijack using a mobile, as you need some sort of web server to route data through for a successful XSS session hijack. So even without username and ID in the session, you will most likely be using a computer to hijack a session, as why would you use a mobile if you've got a computer? The only benefit of using a mobile is that there is a chance that the hijacked session has a user attached to it with the same IP. The chances of that occurrence are slim, and just to hijack a session on some wapsite that's as common as muck, I doubt anyone with the knowledge to do this, even a script kiddie, would bother testing stolen sessions on their own mobile when the chances of the IP being the same are slim.

Yes, it's not foolproof. But the easiest thing would just be to protect your sites from session IDs being stolen in the first place, rather than trying to protect a session after it's been stolen. Don't over-complicate authentication; this wapdesire script is already slow and buggy enough as it is. Adding more processes to authentication that are not needed, if you just used a few brain cells to actively protect the site in the first place, is just bad design.


#22
I made some code to prevent entering a user's session.


#23
The easy way is to remove the sid... use user and password on each page (&user=$user&pass=$pass)...
whatmp3.name - search mp3 on mobile


#24
Most sids are found through downloads... To prevent sending the sid when downloading, make a new file, dlfile.php, where the sid is not taken from GET, and from there make a link: download file... That way it cannot be sent... The same thing in the gallery, when downloading a photo...


#25
Quote (shad0w @ Feb 7 2009, 11:17 PM):
    The easy way is to remove the sid... use user and password on each page (&user=$user&pass=$pass)...

That's even worse, as you are now giving away the username and password :P


#26
No no, no user & pass visible :P
One simple solution to hide $sid on lavalair is:

1. In login.php, put this on line 2, after <?php:
Code:
    session_start();
    $_SESSION['sid'] = $sid;   // $sid is the id the login code has just issued

2. Remove sid=$sid from the login page; the link to enter the site will be:
    echo "<a href=\"index.php?action=main\">[ ENTER ]</a>";

3. In all pages, starting with index.php, remove:
Code:
    $sid = $_GET["sid"];
and remove sid=$sid from all links, then put this on line 2, after <?php:
Code:
    session_start();
    // read the sid back from the server-side session instead of the URL
    $sid = isset($_SESSION['sid']) ? $_SESSION['sid'] : '';

4. To make it secure, put this
Code:
    if (!empty($sid))
wherever you want to grant session access in your site. This is to check that you really started your session and to not be attacked from a distance, e.g. before if ($action == "main").

5. To destroy the session, put this on exit:
Code:
    unset($_SESSION['sid']);
    $_SESSION = array();   // reset session array
    session_destroy();     // destroy session

Optionally, you can create a cookie in login.php:
Code:
    setcookie("cooksid", $_SESSION['sid'], time()+60*60*24*100, "/");
To unset the cookie:
Code:
    setcookie("cooksid", "", time()-60*60*24*100, "/");
But this will display an error because the headers are already sent, and to not show it put this before session_start in index.php:
Code:
    // error_reporting() takes the constant expression directly;
    // ini_set('error_reporting', 'E_ALL & ~E_NOTICE & ~E_WARNING') passes a string
    // that is not evaluated as constants at runtime
    error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING);
This will expire after 100 days :D
On my site it works very well, but my WAP provider, Orange, changes IPs every 5-10 mins; in this case the session changes and I have to log in again.

Do you have any solutions for this? :sad:
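Added here as an illustration, not code from wolf77ar's post or from the lavalair script: the same idea (the sid lives on the server and never in a link) done with PHP's own cookie-based session instead of a hand-rolled $sid, so neither a pasted link, nor a download's Referer header, nor a photo URL in the gallery can leak it. It assumes PHP 7.3 or newer, that the file is included before any output, and that the client accepts cookies; the names session_boot.php, WAPSESS, login_user, require_login and logout_user are mine.

```php
<?php
// session_boot.php (assumed name). Include before any output on every page.

function secure_session_start(): void
{
    // Never accept or emit the sid as a URL parameter (no PHPSESSID=... or ?sid=...).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject sids the client invented itself (blocks fixation via a crafted link).
    ini_set('session.use_strict_mode', '1');

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dies when the browser closes
        'path'     => '/',
        'secure'   => $https,   // only sent over TLS when the site is served over TLS
        'httponly' => true,     // not readable from JavaScript, so XSS cannot copy it
        'samesite' => 'Lax',
    ]);
    session_name('WAPSESS');    // assumed cookie name; avoids the default PHPSESSID
    session_start();
}

// Call only after the username/password check has succeeded.
function login_user(int $uid): void
{
    // New sid on login: any sid the client carried before is now worthless.
    session_regenerate_id(true);
    $_SESSION['uid']        = $uid;
    $_SESSION['login_time'] = time();
}

// Top of every protected page. Replaces the thread's "if (!empty($sid))".
function require_login(string $login_url = 'login.php'): int
{
    if (empty($_SESSION['uid'])) {
        header('Location: ' . $login_url);
        exit;
    }
    return (int) $_SESSION['uid'];
}

// Full logout: wipe data, expire the cookie, destroy the server-side record.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage in index.php (illustrative):
//   require 'session_boot.php';
//   secure_session_start();
//   $uid = require_login();
//   echo '<a href="index.php?action=main">[ ENTER ]</a>';   // no sid=... in any link
```

With use_only_cookies and use_trans_sid set this way, PHP will not read a sid from the query string and will not rewrite links to append one, so the separate dlfile.php trick for downloads becomes unnecessary: there is simply no sid in the URL for the download or the Referer header to carry. The regenerate-on-login step matters on its own: without it, an attacker who gets a victim to open a link with a chosen sid before login keeps that sid after the victim authenticates.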


#27
wolf77ar, did you know that not all mobile browsers support cookies? ;)
www.inbuzunar.mobi - Your mobile portal pocket


#28
Code:
    // getip(), detect(), getuid_sid() and mamebyip() are the script's own helpers
    $ipout = getip();                       // client IP for this request
    $uid   = (int) getuid_sid($sid);        // user behind this sid
    if (detect($ipout, $ubr, $sid)) {
        // IP/browser no longer match the stored session: kill the session
        mysql_query("DELETE FROM ibwf_ses WHERE uid='" . $uid . "'");
        mysql_query("DELETE FROM ibwf_online WHERE userid='" . $uid . "'");
        mysql_query("DELETE FROM action WHERE cui='" . $uid . "'");
        echo "<img src=\"images/notok.gif\" alt=\"x\"/> You cannot log on as other users!";
        // warn every admin (perm=4) by private message
        $name = mamebyip($ipout);
        $text = "Ip: $ipout tried to enter the session of $nick![br/]Suspicious user: $name($ubr)";
        $text = mysql_real_escape_string($text);   // $ubr is the browser string, client-controlled
        $sql  = mysql_query("SELECT id, name FROM ibwf_users WHERE perm='4'");
        while ($id = mysql_fetch_array($sql)) {
            mysql_query("INSERT INTO ibwf_private SET text='[b]suspicious alert[/b][br/]" . $text . "', byuid='4', touid='" . (int) $id[0] . "', timesent='" . time() . "'");
        }
        echo "</p>";
        echo "</card>";
        echo "</wml>";
        exit();
    } else {
        // IP still matches: remember the current one as the stored IP
        mysql_query("UPDATE ibwf_users SET ipadd='" . mysql_real_escape_string($ipout) . "' WHERE id='" . $uid . "'");
    }
Insert it and nobody can get on your session.


#29
Hmmm....
Yes, your code is very good, but you know well that in our country the most used provider, WAP Orange, changes IPs every 5-10 min. In this case the user may be our victim :sad:

You know, every time you access the main page MySQL UPDATEs ibwf_users and SETs $uip.
It works well only if you remove the UPDATE from index.php and SET $uip in login.php, to keep the IP on the same user session.


#30
Using IP is a nightmare...

What happens when someone comes onto your server with the same IP as yours??

So he can log in with your name, lmao.
Visit: Chat4u.mobi - The New Lay Of being a site of your dreams!
Visit: WapMasterz Coming Back Soon!
_______
SCRIPTS FOR SALE BY SUBZERO
Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ -> Best script for your site, no other can be hacked by SQL or uploaders.
FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> Uploader you will never regret buying; yeah, it might be old now but it still seems to own others...
_______
Info & Tips
php.net
w3schools.com
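As an added example (not code from the thread or from the wapdesire/lavalair scripts) of how the IP check debated in the last few posts can survive a carrier that re-assigns addresses every few minutes: bind the session to the network prefix of the client address plus the User-Agent, keyed with a server secret, instead of to the exact IP stored in ibwf_users. The prefix widths, the secret and the sample addresses and User-Agent below are assumptions constructed for the demo; it needs PHP 7 or newer.

```php
<?php
// Coarse session binding: tolerate address changes inside one carrier pool,
// reject a sid replayed from another network or another browser.

// Keep only the leading bits of the address: /16 for IPv4, /48 for IPv6
// (assumed widths; narrower logs out more roaming users, wider lets more
// strangers share the same bucket).
function ip_prefix(string $ip, int $v4bits = 16, int $v6bits = 48): string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        return 'invalid';
    }
    $bits = strlen($bin) === 4 ? $v4bits : $v6bits;
    $full = intdiv($bits, 8);
    $rest = $bits % 8;
    $masked = substr($bin, 0, $full);
    if ($rest > 0) {
        // partial byte: keep the top $rest bits
        $masked .= chr(ord($bin[$full]) & (0xFF << (8 - $rest)) & 0xFF);
    }
    $masked = str_pad($masked, strlen($bin), "\0");
    return inet_ntop($masked) . '/' . $bits;
}

// HMAC with a server secret, so a leaked stored value cannot be recomputed
// by an attacker for his own network and browser.
function session_fingerprint(string $ip, string $ua, string $secret): string
{
    return hash_hmac('sha256', ip_prefix($ip) . '|' . $ua, $secret);
}

// Call once at login, after session_regenerate_id(true).
function bind_session(array &$session, string $ip, string $ua, string $secret): void
{
    $session['fp'] = session_fingerprint($ip, $ua, $secret);
}

// Call on every request. false means: destroy the session and ask for login.
function session_binding_ok(array $session, string $ip, string $ua, string $secret): bool
{
    if (!isset($session['fp'])) {
        return false;
    }
    return hash_equals($session['fp'], session_fingerprint($ip, $ua, $secret));
}

// --- constructed demo (stands in for $_SESSION, $_SERVER values) ------------
$secret = 'replace-with-a-random-server-secret';     // assumption: loaded from config
$ua     = 'Nokia6300/2.0 (05.00) Profile/MIDP-2.0';  // constructed phone User-Agent

$sess = [];
bind_session($sess, '198.51.100.40', $ua, $secret);  // login from pool 198.51.100.0/16 (constructed)

$cases = [
    'same carrier, new address'   => ['198.51.7.9',    $ua],
    'sid replayed from elsewhere' => ['192.0.2.55',    $ua],
    'same address, other browser' => ['198.51.100.40', 'Mozilla/5.0 (X11; Linux x86_64)'],
];
foreach ($cases as $label => [$ip, $agent]) {
    $ok = session_binding_ok($sess, $ip, $agent, $secret);
    echo str_pad($label, 30) . ($ok ? 'keep session' : 'force re-login') . PHP_EOL;
}
```

The fingerprint only supplements the sid; it never replaces it. Someone on the same carrier address (the objection in #30) still has nothing without the victim's sid, and a hijacker with the sid but a different network or browser is bounced to the login page, which is the "stored IP vs current IP" idea from earlier in the thread with a tolerance wide enough for the Orange case in #29. A User-Agent is trivially spoofable, so treat a mismatch as "re-login", not as proof of attack, and keep the admin alert from #28 as a notice rather than a ban.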
