8/9/2019 L6_Session and Cookies Management_stu
22-Nov-
ATTACKING SESSION MANAGEMENT
TOC
Intro
Cookies
Sessions
Cookies vs Sessions
Session Hijacking
Securing Session Management
INTRODUCTION
HTTP is a stateless protocol: a simple request/response model.
It has no mechanism for linking together the series of requests made by one particular user and distinguishing them from all of the other requests the web server receives.
COOKIES
def: a small amount of information sent by a server to a browser, and then sent back by the browser on future page requests
cookies have many uses:
a) authentication
b) user tracking
c) maintaining user preferences, shopping carts, etc.
a cookie's data consists of a single name/value pair; the browser returns its cookies in the Cookie header of each later HTTP request (GET or POST alike), so the server must treat the returned value as client-controlled input
Web Programming Step by Step, 2nd edition
HOW COOKIES ARE SENT (1)
when the browser requests a page, the server may send back one or more cookies with it
if your server has previously sent any cookies to the browser, the browser will send them back on subsequent requests
the exchange shown in the slide's diagram:
1. browser requests a Web page
2. server sends page + cookie
3. browser requests another page (and sends the cookie back with it)
MYTH VS FACT (2)
myths:
a) cookies are a form of spyware and can steal your personal information
b) cookies generate popups and spam
c) cookies are only used for advertising
facts:
a) cookies are only data, not program code
b) cookies cannot erase or read information from the user's computer
c) cookies CAN be used to track your viewing habits on a particular site
A "TRACKING COOKIE" (3)
an advertising company can put a cookie on your machine when you visit one site, and see it when you visit another site that also uses that advertising company
therefore they can tell that the same person (you) visited both sites
SESSION VS PERSISTENT COOKIES (4)
Session cookie (default): a temporary cookie that is stored only in the browser's memory
a) when the browser is closed, temporary cookies will be erased
b) cannot be used for tracking long-term information
c) safer, because no programs other than the browser can access them
Persistent cookie: one that is stored in a file on the browser's computer
a) can track long-term information
b) potentially less secure, because users (or programs they run) can open cookie files, see/change the cookie values, etc.
SETTING A COOKIE IN PHP (5)
setcookie("name", "value");
setcookie("username", "martay");
setcookie("favoritecolor", "blue");
setcookie causes your script to send a cookie (a Set-Cookie response header) to the user's browser
setcookie must be called before any output statements (HTML blocks, print, or echo), because headers can no longer be sent once the response body has started
you can set multiple cookies per user (browsers allow at least 50 per domain), each up to about 4 KB
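The three setcookie calls above issue cookies with no attributes at all, and a cookie such as username=martay is simply data the browser will hand back, editable by anyone with access to the cookie file. The following is an added example, not code from the slides, showing the hardened form of setcookie (the options-array signature available since PHP 7.3) and a signed cookie whose value the server can check before trusting it. The HMAC key is a placeholder that would come from a secret store in a real deployment.

```php
<?php
// Added example (not from the slides): issuing cookies with the
// attributes a practitioner expects, and a signed cookie so that a
// client-edited value is detected on the way back in.
// Assumes PHP >= 7.3 for the options-array form of setcookie().
declare(strict_types=1);

// Placeholder: in production this comes from a secret store, not source code.
const COOKIE_HMAC_KEY = 'replace-with-32-random-bytes-from-a-secret-store';

// The slides' plain form: no attributes, so the cookie travels over http://,
// is readable by page scripts, and is attached to cross-site requests.
function set_cookie_plain(string $name, string $value): void
{
    setcookie($name, $value);
}

// Hardened form: Secure (HTTPS only), HttpOnly (hidden from document.cookie),
// SameSite=Lax (not sent on cross-site POSTs), explicit path.
function set_cookie_hardened(string $name, string $value, int $ttl = 0): void
{
    setcookie($name, $value, [
        'expires'  => $ttl > 0 ? time() + $ttl : 0, // 0 = session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// A persistent cookie sits in a file the user can edit, so anything the
// server relies on must be integrity-protected: value + HMAC tag.
function sign_cookie_value(string $value): string
{
    $tag = hash_hmac('sha256', $value, COOKIE_HMAC_KEY);
    return $value . '.' . $tag;
}

// Returns the original value, or null if the tag is missing or wrong.
function verify_cookie_value(string $signed): ?string
{
    $dot = strrpos($signed, '.');
    if ($dot === false) {
        return null;
    }
    $value    = substr($signed, 0, $dot);
    $tag      = substr($signed, $dot + 1);
    $expected = hash_hmac('sha256', $value, COOKIE_HMAC_KEY);
    // hash_equals: constant-time comparison, no timing side channel on the tag
    return hash_equals($expected, $tag) ? $value : null;
}

// Demonstration (setcookie is called before any output, as the slide requires).
$signed = sign_cookie_value('favoritecolor=blue');
set_cookie_hardened('prefs', $signed, 30 * 24 * 3600);   // 30-day persistent cookie

var_dump(verify_cookie_value($signed));                              // "favoritecolor=blue"
var_dump(verify_cookie_value(str_replace('blue', 'red', $signed)));  // NULL: tampered
```

Signing gives integrity, not secrecy: the user can still read the value, so nothing sensitive belongs in the cookie itself. That is exactly why the next slides move the data to the server and leave only an identifier in the cookie.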
SESSIONS
session: represents a series of HTTP requests and responses between a specific Web browser and server
HTTP doesn't support the notion of a session, but PHP does
sessions vs. cookies
1) a cookie is data stored on the client; a session's data is stored on the server (only one session per client)
2) cookies serve as both a temporary and long-term information holder, whereas sessions serve as a temporary information holder
SESSIONS
sessions are often built on top of cookies:
the only data the client stores is a cookie holding a
unique session ID
on each page request, the client sends its session ID
cookie, and the server uses this to find and retrieve
the client's session data
the most obvious use of sessions is in applications that support logging in
The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws
SESSIONS
applications that do not have a login function also
typically need to use sessions
the simplest and still most common means of
implementing sessions is to issue each user with a
unique session token or identifier
HOW SESSIONS ARE ESTABLISHED (1)
[diagram not reproduced in the extracted text]
SESSIONS IN PHP: SESSION_START (2)
session_start signifies that your script wants a session with the user
it must be called at the top of your script, before any HTML output is produced
when you call session_start:
if the server hasn't seen this user before, a new session is created; otherwise, the existing session data is loaded into the $_SESSION associative array
you can store data in $_SESSION and retrieve it on future pages
ACCESSING SESSION DATA (3)
$_SESSION["name"] = value; # store session data
$variable = $_SESSION["name"]; # read session data
if (isset($_SESSION["name"])) { # check for session data
    # the key exists; it is safe to read it here
}
WHERE IS SESSION DATA STORED? (4)
on the client, the session ID is stored as a cookie named PHPSESSID (the default value of the session.name setting)
on the server, session data are stored as temporary files such as /tmp/sess_fcc17f071... (the ID is the file-name suffix; on a shared host, other tenants of the same web server user can read these files, one reason to give each application its own session_save_path)
you can find out (or change) the folder where session data is saved using the session_save_path function
for very large applications, session data can be stored in a SQL database (or other destination) instead, using the session_set_save_handler function
BROWSERS THAT DON'T SUPPORT COOKIES (5)
if a client's browser doesn't support cookies, it can still send a session ID as a query string parameter named PHPSESSID
PHP can do this automatically (session.use_trans_sid rewrites links to carry the ID and session_start then reads it from the URL), but this is not the default: session.use_trans_sid is off and session.use_only_cookies is on in a standard configuration, and it should stay that way, because an ID in a URL leaks through Referer headers, proxy and server logs and browser history, and lets an attacker hand a victim a link with a chosen session ID (session fixation)
if necessary (such as to build a URL for a link on the page), the server can find out the client's session ID by calling the session_id function
SESSION TIMEOUT (6)
because HTTP is stateless, it is hard for the server to know when a user has finished a session
ideally, the user explicitly logs out, but many users don't
the client deletes session cookies when the browser closes
the server automatically cleans up old sessions after a period of time
old session data consumes resources and may present a security risk
the lifetime is set by session.gc_maxlifetime in the PHP server settings (session_cache_expire, sometimes cited here, only controls HTTP cache headers, not how long a session stays valid); garbage collection runs probabilistically, so an application that needs a firm idle limit must check a timestamp itself on every request
you can explicitly delete a session by calling session_destroy
LOGOUT.PHP
[code listing not reproduced in the extracted text]
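The logout.php listing did not survive the text extraction. What follows is an added example, not the slides' own code, of the two things the timeout and logout slides describe: a session bootstrap that enforces an idle limit itself (since PHP's garbage collector cannot be relied on for that) and a logout that disposes of the server-side data, the client's cookie and the token. It assumes PHP 7.3 or later and the default file-based session store; IDLE_TIMEOUT and the /login.php redirect target are values chosen for the demonstration.

```php
<?php
// Added example (not the slides' logout.php): a session bootstrap that
// enforces an idle timeout, and a logout that tears the session down
// completely. Assumes PHP >= 7.3 and the default file session store.
declare(strict_types=1);

const IDLE_TIMEOUT = 600;   // seconds of inactivity tolerated (10 minutes); demo value

// Call at the top of every page, before any output.
function secure_session_start(): void
{
    // Reject IDs the server never issued: without this an attacker-chosen
    // PHPSESSID becomes a valid session (session fixation).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,         // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // invisible to document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();

    // PHP's garbage collector only runs with probability
    // session.gc_probability/session.gc_divisor, so a hard idle limit has
    // to be enforced by the application on every request.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT) {
        session_unset();                 // throw the stale data away
        session_regenerate_id(true);     // new token; the old one is deleted server-side
    }
    $_SESSION['last_seen'] = $now;
}

// Full teardown, in this order: server-side data, the cookie, the session file.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [  // expire the PHPSESSID cookie in the browser
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                   // remove /tmp/sess_<id>: the token is now worthless
}

// logout.php
secure_session_start();
logout();
header('Location: /login.php');          // assumed login page path
exit;
```

Expiring the cookie alone would be the classic broken logout: the browser forgets the ID, but the file on the server, and therefore the token, stays valid until garbage collection happens to run. session_destroy is the step that actually invalidates it.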
COOKIES VS SESSIONS
1) Read this article: http://www.phpshare.org/articles/Cookies-versus-Sessions
SESSION HIJACKING
an attacker's primary objective is to somehow hijack the session of a legitimate user and thereby masquerade as them
if the user has been authenticated to the application, the attacker may be able to access private data or carry out unauthorized actions
if the user is unauthenticated, the attacker may still be able to view sensitive information submitted by the user during her session
SESSION HIJACKING
the vulnerabilities that exist in session management mechanisms largely fall into two categories:
a) Weaknesses in the generation of session tokens.
b) Weaknesses in the handling of session tokens throughout their lifecycle.
GENERATION OF SESSION TOKENS (1)
some session tokens are created using the user's username or email address
this information may be encoded in some way, and may be combined with other data.
for example, the token
757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3036
contains only hexadecimal characters; running it through a hex decoder reveals:
user=daf;app=admin;date=01/12/06
GENERATION OF SESSION TOKENS (1)
attackers can exploit this kind of token to guess the current sessions of other application users
using a list of common usernames, they can quickly generate large numbers of potentially valid tokens and test these to confirm which are valid
components that may be encountered within structured tokens include:
a) the account username
b) the numeric identifier used by the application to distinguish between accounts
c) the user's first/last human name
d) the user's email address
e) a date/time stamp
f) the client IP address
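The attack the last two slides describe, as an added example that is not part of the lecture: decode the slide's hex token to expose its structure, model the generation rule it implies, then enumerate candidates from a username wordlist and a few dates. The hex string is the one printed on the slide; the username list, the date range and the set of "active sessions" standing in for the application are constructed for the demonstration (a real attacker would submit each candidate to the server and look for a logged-in response).

```php
<?php
// Added example (not from the slides): what an attacker does with a
// structured session token. Only the captured hex token comes from the
// slide; everything else below is constructed for the demonstration.
declare(strict_types=1);

// 1. Decode the captured token: hex -> ASCII reveals its structure.
$captured = '757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3036';
$decoded  = hex2bin($captured);            // "user=daf;app=admin;date=01/12/06"
echo "captured token decodes to: {$decoded}", PHP_EOL;

// 2. Model the (weak) server-side generation the decoded value implies:
//    every field is either public or guessable by an outsider.
function weak_token(string $user, string $app, string $date): string
{
    return bin2hex("user={$user};app={$app};date={$date}");
}

// Constructed stand-in for the application: the tokens it currently accepts.
// The attacker has only ever seen daf's token; alice's is unknown to them.
$active_sessions = [
    weak_token('daf',   'admin', '01/12/06') => true,
    weak_token('alice', 'admin', '01/11/06') => true,
];

// 3. Attacker side: a wordlist of common usernames x a few plausible
//    dates around the capture date gives a tiny candidate space.
$usernames = ['admin', 'root', 'alice', 'bob', 'daf', 'test'];
$dates     = ['01/10/06', '01/11/06', '01/12/06', '01/13/06'];

$hits  = [];
$tried = 0;
foreach ($usernames as $u) {
    foreach ($dates as $d) {
        $candidate = weak_token($u, 'admin', $d);
        $tried++;
        if (isset($active_sessions[$candidate])) {   // in reality: HTTP request + check response
            $hits[] = hex2bin($candidate);
        }
    }
}

printf("%d candidates tried, %d valid sessions found:%s", $tried, count($hits), PHP_EOL);
foreach ($hits as $h) {
    echo '  ', $h, PHP_EOL;   // alice's session appears although it was never observed
}
```

Twenty-four guesses were enough to recover a session the attacker never saw on the wire. Hex encoding is not protection; neither is Base64 or a lightly scrambled layout, because the space of valid tokens is still the small space of usernames times dates, and that is what the attacker enumerates.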
SESSION TOKEN HANDLING (2)
a) Disclosure of Tokens on the Network
this vulnerability arises when the session token is transmitted across the network in unencrypted form, enabling a suitably positioned eavesdropper to obtain the token and so masquerade as the legitimate user (HTTPS for the whole application, not just the login page, together with the cookie's Secure flag, is the control)
b) Disclosure of Tokens in Logs
the most common place where tokens are simply disclosed to unauthorized view is in system logs of various kinds (web server and proxy access logs and Referer headers all record full URLs, one more reason to keep tokens out of query strings)
many applications provide functionality for administrators to monitor and control aspects of the application's runtime state, including user sessions; if that view shows raw token values, anyone who reaches it can hijack any listed session
VULNERABLE SESSION TERMINATION (3)
Proper termination of sessions is important for two reasons.
First, it reduces the window of opportunity within which an attacker may capture, guess, or misuse a valid session token.
Second, it encourages users to invalidate an existing session when they no longer require it, thereby taking some responsibility for securing their session in a shared computing environment.
The main weaknesses in session termination functions involve failures to meet these two key objectives (for example, a logout that only deletes the cookie on the client while the token remains valid on the server).
SECURING SESSION MANAGEMENT
a) Generate Strong Tokens
The most effective token generation mechanisms are those that:
i. use an extremely large set of possible values, and
ii. contain a strong source of pseudo-randomness, ensuring an even and unpredictable spread of tokens across the range of possible values.
java.util.Random is the standard example of what does not qualify: it is a 48-bit linear congruential generator whose future output can be computed from a couple of observed values, so it fails criterion ii; a cryptographically secure generator (java.security.SecureRandom, or the operating system's CSPRNG) is required.
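Why criterion ii matters, as an added example that is not part of the slides: PHP's mt_rand() plays the role of java.util.Random here, a fast but non-cryptographic generator. The "server" below seeds it from the clock when issuing a token (a pattern that has appeared in real applications), so an attacker who knows roughly when a victim logged in can regenerate the token offline. The issue time and the search window are constructed for the demonstration; random_bytes() is the corrected generator.

```php
<?php
// Added example (not from the slides): a token derived from a clock-seeded
// non-cryptographic PRNG is recoverable; one from the OS CSPRNG is not.
declare(strict_types=1);

// Weak: Mersenne Twister seeded with the issue time. The space of tokens
// is the space of plausible seeds (timestamps), not 2^128 random values.
function weak_session_token(int $issued_at): string
{
    mt_srand($issued_at);
    return md5((string) mt_rand());
}

// Attacker: reproduce every token the server could have issued within
// +/- $window seconds of an estimated login time; return the seed on a hit.
function recover_weak_token(string $target, int $around, int $window = 300): ?int
{
    for ($t = $around - $window; $t <= $around + $window; $t++) {
        if (hash_equals(weak_session_token($t), $target)) {
            return $t;
        }
    }
    return null;
}

// Strong: 32 bytes from the operating system's CSPRNG, hex-encoded.
// 2^256 possible values, no relation between successive tokens, no seed to guess.
function strong_session_token(): string
{
    return bin2hex(random_bytes(32));
}

// --- demonstration ---
$issued = 1700000000;                         // constructed issue time
$victim = weak_session_token($issued);
$seed   = recover_weak_token($victim, $issued + 120);   // attacker is 2 minutes off
printf("weak token %s reproduced from seed %s%s", $victim, var_export($seed, true), PHP_EOL);

// Nothing comparable is possible against the strong generator.
$a = strong_session_token();
$b = strong_session_token();
printf("strong tokens differ: %s%s", var_export($a !== $b, true), PHP_EOL);
```

Hashing the PRNG output (the md5 above) changes nothing: the attacker simply hashes each candidate too. Strength has to come from the generator, which is the point of criterion ii.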
SECURING SESSION MANAGEMENT
b) Protect Tokens throughout Their Lifecycle
i. Logout functionality should be implemented. This should dispose of all session resources held on the server and invalidate the session token.
ii. Session expiration should be implemented after a suitable period of inactivity (e.g., 10 minutes).
iii. Concurrent logins should be prevented. Each time a user logs in, a different session token should be issued, and any existing session belonging to the user should be disposed of as if she had logged out from it.
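Items i to iii applied on the login path, as an added example that is not the slides' code: a fresh token on every login, an inactivity limit checked on every request, and a per-account login serial so that a second login invalidates every earlier session. The user record is a constructed array standing in for a database row (login_serial would be a column incremented on each login), and the two "browsers" are plain arrays standing in for two separate $_SESSION instances so the behaviour can be shown in one script.

```php
<?php
// Added example (not from the slides): login with token regeneration,
// idle expiry and one-live-session-per-account. $session stands in for
// $_SESSION and $user for a database row; both are constructed here.
declare(strict_types=1);

const IDLE_LIMIT = 600;   // 10 minutes of inactivity; demo value

// Constructed account. The hash is computed at load time for the demo only.
$user = [
    'name'         => 'martay',
    'pw_hash'      => password_hash('correct horse battery', PASSWORD_DEFAULT),
    'login_serial' => 0,   // bumped on every successful login
];

// Successful login: new session ID (defeats fixation), no pre-login
// data carried over, and a serial that supersedes every earlier session.
function login(array &$session, array &$user, string $password, int $now): bool
{
    if (!password_verify($password, $user['pw_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);          // new token; old one deleted server-side
    }
    $user['login_serial']++;                  // UPDATE users SET login_serial = login_serial + 1
    $session = [
        'uid'          => $user['name'],
        'login_serial' => $user['login_serial'],
        'last_seen'    => $now,
    ];
    return true;
}

// Per-request check: authenticated only if the session is recent and is
// the account's most recent login. Otherwise the session is emptied and
// the caller sends the user to the login page.
function session_is_valid(array &$session, array $user, int $now): bool
{
    $ok = isset($session['uid'], $session['login_serial'], $session['last_seen'])
        && $session['uid'] === $user['name']
        && $session['login_serial'] === $user['login_serial']   // item iii
        && ($now - $session['last_seen']) <= IDLE_LIMIT;         // item ii
    if (!$ok) {
        $session = [];                        // item i: treated exactly like a logout
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// --- demonstration with two independent browsers ---
$t        = 1700000000;                       // constructed clock
$browserA = [];
$browserB = [];

login($browserA, $user, 'correct horse battery', $t);
var_dump(session_is_valid($browserA, $user, $t + 60));        // true: current login

login($browserB, $user, 'correct horse battery', $t + 120);   // same account, elsewhere
var_dump(session_is_valid($browserA, $user, $t + 180));       // false: superseded by B
var_dump(session_is_valid($browserB, $user, $t + 180));       // true

var_dump(session_is_valid($browserB, $user, $t + 180 + 601)); // false: idle limit exceeded
```

The serial is what makes item iii workable with PHP's file-based store, where the server has no cheap way to find and delete "the other session belonging to this user": instead every request compares the serial stored in the session with the one on the account, and any session minted before the latest login fails the check on its next request.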