L6_Session and Cookies Management_stu


8/9/2019 L6_Session and Cookies Management_stu

22-Nov-

ATTACKING SESSION MANAGEMENT

TOC

Intro
Cookies
Sessions
Cookies vs Sessions
Session Hijacking
Securing Session Management

INTRODUCTION

HTTP is a stateless protocol: a simple request/response model

no mechanism for linking together the series of requests made by one particular user and distinguishing these from all of the other requests received by the web server

COOKIES

def: a small amount of information sent by a server to a browser, and then sent back by the browser on future page requests

cookies have many uses:

a) authentication
b) user tracking
c) maintaining user preferences, shopping carts, etc.

a cookie's data consists of a single name/value pair, sent in the header of the client's HTTP GET or POST request

Web Programming Step by Step, 2nd edition


HOW COOKIES ARE SENT (1)

[diagram: browser requests a Web page; server sends page + cookie; browser requests another page]

when the browser requests a page, the server may send back a cookie(s) with it

if your server has previously sent any cookies to the browser, the browser will send them back on subsequent requests

MYTH VS FACT (2)

myths:

a) cookies are a form of spyware and can steal your personal information
b) cookies generate popups and spam
c) cookies are only used for advertising

facts:

a) cookies are only data, not program code
b) cookies cannot erase or read information from the user's computer
c) cookies CAN be used to track your viewing habits on a particular site

A "TRACKING COOKIE" (3)

an advertising company can put a cookie on your machine when you visit one site, and see it when you visit another site that also uses that advertising company

therefore they can tell that the same person (you) visited both sites

SESSION VS PERSISTENT COOKIES (4)

Session cookie (default): a temporary cookie that is stored only in the browser's memory

a) when the browser is closed, temporary cookies will be erased
b) can not be used for tracking long-term information
c) safer, because no programs other than the browser can access them

Persistent cookie: one that is stored in a file on the browser's computer

a) can track long-term information
b) potentially less secure, because users (or programs they run) can open cookie files, see/change the cookie values, etc.


SETTING A COOKIE IN PHP (5)

    setcookie("name", "value");

    setcookie("username", "martay");
    setcookie("favoritecolor", "blue");

setcookie causes your script to send a cookie to the user's browser

setcookie must be called before any output statements (HTML blocks, print, or echo)

you can set multiple cookies (20-50) per user, each up to 3-4K bytes
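As an added example (not from the textbook or the slides), the two setcookie calls above rewritten with the attribute array available since PHP 7.3, showing a persistent cookie next to a session cookie and how the value comes back in $_COOKIE on the next request. It assumes the site is served over HTTPS; the 30-day lifetime and the colour allow-list are constructed for illustration.

```php
<?php
// Added example: cookie attributes for the two cookies set on the slide.
// Assumes HTTPS; the lifetime and the allow-list are constructed values.

// Persistent cookie: survives browser restarts, so it lives in a file that the
// user (or any program they run) can read and edit. Fine for a colour preference.
setcookie('favoritecolor', 'blue', [
    'expires'  => time() + 30 * 24 * 3600, // 30 days; 0 would make it a session cookie
    'path'     => '/',
    'secure'   => true,   // sent only over TLS
    'httponly' => true,   // not readable by JavaScript (document.cookie)
    'samesite' => 'Lax',  // not attached to cross-site POST requests
]);

// Session cookie (expires => 0): kept only in browser memory, erased on close.
// "username=martay" is still plain data under the client's control; it is not
// proof of identity and must not be used for authentication on its own.
setcookie('username', 'martay', [
    'expires'  => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// On the next request the browser sends both cookies back and PHP exposes them
// in $_COOKIE. Treat them as untrusted input: validate against an allow-list.
function preferred_colour(array $cookies, array $allowed = ['blue', 'red', 'green']): string {
    $value = $cookies['favoritecolor'] ?? '';
    return in_array($value, $allowed, true) ? $value : 'blue'; // default on anything else
}

// Output only after every setcookie() call, as the slide requires.
echo preferred_colour($_COOKIE);
```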

SESSIONS

session: represents a series of HTTP requests and responses between a specific Web browser and server

HTTP doesn't support the notion of a session, but PHP does

sessions vs. cookies

1) a cookie is data stored on the client; a session's data is stored on the server (only 1 session per client)
2) cookies serve as both a temporary and long-term information holder whereas sessions serve as a temporary information holder

SESSIONS

sessions are often built on top of cookies:

the only data the client stores is a cookie holding a unique session ID

on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client's session data

the most obvious use of sessions is in applications that support logging in

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

SESSIONS

applications that do not have a login function also typically need to use sessions

the simplest and still most common means of implementing sessions is to issue each user with a unique session token or identifier

HOW SESSIONS ARE ESTABLISHED (1)

SESSIONS IN PHP: SESSION_START (2)

session_start signifies your script wants a session with the user

must be called at the top of your script, before any HTML output is produced

when you call session_start:

if the server hasn't seen this user before, a new session is created; otherwise, existing session data is loaded into the $_SESSION associative array

you can store data in $_SESSION and retrieve it on future pages

ACCESSING SESSION DATA (3)

    $_SESSION["name"] = value;            # store session data
    $variable = $_SESSION["name"];        # read session data
    if (isset($_SESSION["name"])) { ... } # check for session data


WHERE IS SESSION DATA STORED? (4)

on the client, the session ID is stored as a cookie with the name PHPSESSID

on the server, session data are stored as temporary files such as /tmp/sess_fcc17f071...

you can find out (or change) the folder where session data is saved using the session_save_path function

for very large applications, session data can be stored into a SQL database (or other destination) instead using the session_set_save_handler function

BROWSERS THAT DON'T SUPPORT COOKIES (5)

if a client's browser doesn't support cookies, it can still send a session ID as a query string parameter named PHPSESSID

this is done automatically; session_start detects whether the browser supports cookies and chooses the right method

if necessary (such as to build a URL for a link on the page), the server can find out the client's session ID by calling the session_id function

SESSION TIMEOUT (6)

because HTTP is stateless, it is hard for the server to know when a user has finished a session

ideally, the user explicitly logs out, but many users don't

the client deletes session cookies when the browser closes

the server automatically cleans up old sessions after a period of time

old session data consumes resources and may present a security risk

adjustable in PHP server settings or with the session_cache_expire function

you can explicitly delete a session by calling session_destroy

LOGOUT.PHP


COOKIES VS SESSIONS

1) Read this article: http://www.phpshare.org/articles/Cookies-versus-Sessions

SESSION HIJACKING

an attacker's primary objective is to somehow hijack the session of a legitimate user and thereby masquerade as them

if the user has been authenticated to the application, the attacker may be able to access private data or carry out unauthorized actions

if the user is unauthenticated, the attacker may still be able to view sensitive information submitted by the user during her session

SESSION HIJACKING

the vulnerabilities that exist in session management mechanisms largely fall into two categories:

a) Weaknesses in the generation of session tokens.
b) Weaknesses in the handling of session tokens throughout their lifecycle.

GENERATION OF SESSION TOKENS (1)

some session tokens are created using the user's username or email address

this information may be encoded in some way, and may be combined with other data.

for example,

    757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3036

however, it contains only hexadecimal characters and, run through a decoder, would reveal:

    user=daf;app=admin;date=10/09/07


GENERATION OF SESSION TOKENS (1)

attackers can exploit this session token to attempt to guess the current sessions of other application users

using a list of common usernames, they can quickly generate large numbers of potentially valid tokens and test these to confirm which are valid

components that may be encountered within structured tokens include:

a) The account username
b) The numeric identifier used by the application to distinguish between accounts
c) The user's first/last human name
d) The user's email address
e) A date/time stamp
f) The client IP address
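The decoding step described above, as an added example (not from the slides or from the Handbook): an audit helper a reviewer can run over a captured token from their own application to check whether it is built from the predictable components just listed. The field-name patterns it matches are assumptions made for illustration.

```php
<?php
// Added example (not from the slides or WAHH): an audit helper that decodes a
// hex-encoded session token and reports which of the predictable components
// listed above (username, numeric id, e-mail, date stamp, client IP) it appears
// to contain. The field-name patterns are assumptions made for illustration.

function decode_hex_token(string $token): ?string {
    // Only hex digits and an even length: the first hint that it is encoded text.
    if ($token === '' || strlen($token) % 2 !== 0 || !ctype_xdigit($token)) {
        return null;
    }
    $decoded = hex2bin($token);
    // Random bytes almost never decode to printable text; structured tokens do.
    return ($decoded !== false && ctype_print($decoded)) ? $decoded : null;
}

function audit_token(string $token): array {
    $plain = decode_hex_token($token);
    if ($plain === null) {
        return ['structured' => false, 'fields' => [], 'findings' => []];
    }
    $fields = [];
    foreach (explode(';', $plain) as $pair) {
        if (strpos($pair, '=') === false) { continue; }
        [$k, $v] = explode('=', $pair, 2);
        $fields[$k] = $v;
    }
    $findings = [];
    foreach ($fields as $k => $v) {
        if (preg_match('/user|login|name/i', $k))                      { $findings[] = "username-derived field '$k'"; }
        if (preg_match('/^(id|uid|userid)$/i', $k) && ctype_digit($v)) { $findings[] = "numeric account id in '$k'"; }
        if (filter_var($v, FILTER_VALIDATE_EMAIL) !== false)            { $findings[] = "e-mail address in '$k'"; }
        if (preg_match('#\d{1,2}/\d{1,2}/\d{2,4}#', $v))                { $findings[] = "date stamp in '$k'"; }
        if (filter_var($v, FILTER_VALIDATE_IP) !== false)               { $findings[] = "client IP address in '$k'"; }
    }
    return ['structured' => true, 'fields' => $fields, 'findings' => $findings];
}

// The token from the slide (its two hex halves joined). hex2bin gives
// "user=daf;app=admin;date=01/12/06", so the audit reports two findings.
$slide_token = '757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3036';
print_r(audit_token($slide_token));

// A CSPRNG token of the same length is reported as unstructured.
print_r(audit_token(bin2hex(random_bytes(32))));
```

A token that passes this check can still be predictable (for example a counter or a timestamp encoded some other way), so the audit is a necessary first test, not a proof of strength.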

SESSION TOKEN HANDLING (2)

a) Disclosure of Tokens on the Network

this vulnerability arises when the session token is transmitted across the network in unencrypted form, enabling a suitably positioned eavesdropper to obtain the token and so masquerade as the legitimate user

b) Disclosure of Tokens in Logs

the most common place where tokens are simply disclosed to unauthorized view is in system logs of various kinds

many applications provide functionality for administrators to monitor and control aspects of the application's runtime state, including user sessions

VULNERABLE SESSION TERMINATION (3)

Proper termination of sessions is important for two reasons.

First, it reduces the window of opportunity within which an attacker may capture, guess, or misuse a valid session token.

Second, it encourages users to invalidate an existing session when they no longer require it, thereby taking some responsibility for securing their session in a shared computing environment.

The main weaknesses in session termination functions involve failures to meet these two key objectives.

SECURING SESSION MANAGEMENT

a) Generate Strong Tokens

The most effective token generation mechanisms are those that:

i. use an extremely large set of possible values, and
ii. contain a strong source of pseudo-randomness, ensuring an even and unpredictable spread of tokens across the range of possible values.

java.util.Random


SECURING SESSION MANAGEMENT

b) Protect Tokens throughout Their Lifecycle

i. Logout functionality should be implemented. This should dispose of all session resources held on the server and invalidate the session token.
ii. Session expiration should be implemented after a suitable period of inactivity (e.g., 10 minutes).
iii. Concurrent logins should be prevented. Each time a user logs in, a different session token should be issued, and any existing session belonging to the user should be disposed of as if she had logged out from it.
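The three lifecycle rules above applied with PHP's own session API, as an added example that is not from the slides or the Handbook. It assumes PHP 7.3 or later, HTTPS, and that the application has already verified the password before calling login(); PHP's session IDs are generated from a CSPRNG, so only the handling, not the token generation, needs application code.

```php
<?php
// Added example (not from the slides or WAHH): a login/logout flow applying the
// lifecycle rules above with PHP's built-in session API. Assumes PHP >= 7.3,
// HTTPS, and that the application has verified the password before calling login().
declare(strict_types=1);

const IDLE_LIMIT = 600; // 10 minutes of inactivity, as on the slide

function secure_session_start(): void {
    ini_set('session.use_strict_mode', '1');  // refuse session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never read PHPSESSID from the query string...
    ini_set('session.use_trans_sid', '0');    // ...and never write it into links (URLs end up in logs)
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: erased when the browser closes
        'path'     => '/',
        'secure'   => true,    // TLS only: no disclosure of the token on the network
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
    // Idle timeout: discard the data and the token but keep an anonymous session.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

function login(string $user): void {
    // A new token on every login; deleting the old session file means a token
    // captured before authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
}

function logout(): void {
    $_SESSION = [];                                // drop the server-side data
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,   // expire the client's cookie
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();                             // remove the session file
}

secure_session_start();
if (($_POST['action'] ?? '') === 'logout') {
    logout();
}
```

Preventing concurrent logins from a second browser additionally needs a server-side record of each user's current session ID that is checked on every request; this example does not implement that part.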