
22-Nov-14

ATTACKING SESSION MANAGEMENT

TOC
Intro
Cookies
Sessions
Cookies vs Sessions
Session Hijacking
Securing Session Management

INTRODUCTION

HTTP is a stateless protocol: a simple request/response model.

There is no mechanism for linking together the series of requests made by one particular user and distinguishing these from all of the other requests received by the web server.

COOKIES

def: a small amount of information sent by a server to a browser, and then sent back by the browser on future page requests

cookies have many uses:
a) authentication
b) user tracking
c) maintaining user preferences, shopping carts, etc.

a cookie's data consists of a single name/value pair, sent in the header of the client's HTTP GET or POST request

Web Programming Step by Step, 2nd edition

HOW COOKIES ARE SENT (1)

a) browser requests a Web page
b) server sends page + cookie
c) browser requests another page (and sends the cookie back with it)

when the browser requests a page, the server may send back a cookie(s) with it; if your server has previously sent any cookies to the browser, the browser will send them back on subsequent requests

MYTH VS FACT (2)

myths:
a) cookies are a form of spyware and can steal your personal information
b) cookies generate popups and spam
c) cookies are only used for advertising

facts:
a) cookies are only data, not program code
b) cookies cannot erase or read information from the user's computer
c) cookies CAN be used to track your viewing habits on a particular site

A "TRACKING COOKIE" (3)

a) an advertising company can put a cookie on your machine when you visit one site, and see it when you visit another site that also uses that advertising company
b) therefore they can tell that the same person (you) visited both sites

SESSION VS PERSISTENT COOKIES (4)

Session cookie (default): a temporary cookie that is stored only in the browser's memory
a) when the browser is closed, temporary cookies will be erased
b) can not be used for tracking long-term information
c) safer, because no programs other than the browser can access them

Persistent cookie: one that is stored in a file on the browser's computer
a) can track long-term information
b) potentially less secure, because users (or programs they run) can open cookie files, see/change the cookie values, etc.

SETTING A COOKIE IN PHP (5)

setcookie("name", "value");
setcookie("username", "martay");
setcookie("favoritecolor", "blue");

a) setcookie causes your script to send a cookie to the user's browser
b) setcookie must be called before any output statements (HTML blocks, print, or echo)
c) you can set multiple cookies (20-50) per user, each up to 3-4K bytes
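The bare setcookie() calls above send a cookie with no attributes, so the browser will also send it over plain HTTP and expose it to any script running in the page. The following is an added example, not code from the slides or the textbook: the same favoritecolor cookie set with the protective attributes a browser honours, and the validation a script should apply when reading a cookie back (cookie values come from the client). The allowed-colour list is constructed for the example.

```php
<?php
// Added example (not from the slides): a cookie with protective attributes,
// using the options-array form of setcookie() available since PHP 7.3.
// Like every setcookie() call, this must run before any output.

// The slide's bare form, kept here only for contrast:
//   setcookie("favoritecolor", "blue");
// It has no Secure flag (sent over plain HTTP), no HttpOnly flag (readable
// by page scripts) and no SameSite attribute (attached to cross-site requests).

setcookie("favoritecolor", "blue", [
    'expires'  => time() + 30 * 24 * 60 * 60, // persistent cookie, 30 days
    'path'     => '/',
    'secure'   => true,   // only transmitted over HTTPS
    'httponly' => true,   // not exposed to document.cookie in the browser
    'samesite' => 'Lax',  // not attached to cross-site POST requests
]);

// Reading the cookie back on a later request. A cookie is client-supplied
// data: validate it against what the application expects, and never let a
// cookie value alone decide an authorization question.
$allowed = ['blue', 'green', 'red'];          // constructed list of valid values
$color = $_COOKIE['favoritecolor'] ?? 'blue';
if (!in_array($color, $allowed, true)) {
    $color = 'blue';                          // fall back on anything unexpected
}
echo "Favorite color: " . htmlspecialchars($color, ENT_QUOTES, 'UTF-8');
```

The 20-50 cookies per user and 3-4K bytes per cookie limits quoted on the slide still apply; the attributes above add only a few bytes to the Set-Cookie header.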

SESSIONS

session: represents a series of HTTP requests and responses between a specific Web browser and server

HTTP doesn't support the notion of a session, but PHP does

sessions vs. cookies
1) a cookie is data stored on the client; a session's data is stored on the server (only 1 session per client)
2) cookies serve as both a temporary and long-term information holder, whereas sessions serve as a temporary information holder

SESSIONS

a) sessions are often built on top of cookies: the only data the client stores is a cookie holding a unique session ID
b) on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client's session data
c) the simplest and still most common means of implementing sessions is to issue each user with a unique session token or identifier
d) the most obvious use of sessions is in applications that support logging in
e) applications that do not have a login function also typically need to use sessions

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

HOW SESSIONS ARE ESTABLISHED (1)

SESSIONS IN PHP: SESSION_START (2)

<?php
session_start();
// redirect to the login page unless the session records a logged-in user
if (!isset($_SESSION["isLoggedIn"]) || $_SESSION["isLoggedIn"] != 1) {
    header("Location: login1.php");
    exit;
}
?>

a) session_start signifies your script wants a session with the user
b) it must be called at the top of your script, before any HTML output is produced
c) when you call session_start:
   if the server hasn't seen this user before, a new session is created
   otherwise, existing session data is loaded into the $_SESSION associative array
d) you can store data in $_SESSION and retrieve it on future pages

ACCESSING SESSION DATA (3)

$_SESSION["name"] = value;              # store session data
$variable = $_SESSION["name"];          # read session data
if (isset($_SESSION["name"])) { ... }   # check for session data

WHERE IS SESSION DATA STORED? (4)

a) on the client, the session ID is stored as a cookie with the name PHPSESSID
b) on the server, session data are stored as temporary files such as /tmp/sess_fcc17f071...
c) you can find out (or change) the folder where session data is saved using the session_save_path function
d) for very large applications, session data can be stored in a SQL database (or other destination) instead, using the session_set_save_handler function

BROWSERS THAT DON'T SUPPORT COOKIES (5)

a) if a client's browser doesn't support cookies, it can still send a session ID as a query string parameter named PHPSESSID
b) this is done automatically; session_start detects whether the browser supports cookies and chooses the right method
c) if necessary (such as to build a URL for a link on the page), the server can find out the client's session ID by calling the session_id function
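A session ID carried in the query string, as in the cookie-less fallback just described, ends up in browser history, in Referer headers sent to other sites and in server logs, which is exactly the "disclosure of tokens in logs" problem. The following is an added example, not code from the slides or the textbook: the PHP session settings that turn the URL fallback off and harden the PHPSESSID cookie, applied with ini_set() before session_start(). All setting names are standard php.ini session directives; the log message and the file-path check at the end are this example's own.

```php
<?php
// Added example (not from the slides): lock the session ID to a hardened
// cookie and refuse to carry it in URLs. Everything here runs before
// session_start(), which is when PHP reads these settings.

ini_set('session.use_only_cookies', '1');  // ignore a PHPSESSID in the URL
ini_set('session.use_trans_sid', '0');     // never rewrite links to carry the ID
ini_set('session.use_strict_mode', '1');   // reject IDs this server never issued
ini_set('session.cookie_secure', '1');     // PHPSESSID only over HTTPS
ini_set('session.cookie_httponly', '1');   // PHPSESSID not readable by scripts
ini_set('session.cookie_samesite', 'Lax');

// The same cookie attributes can be given through session_set_cookie_params():
session_set_cookie_params([
    'lifetime' => 0,        // true session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// With use_only_cookies set, a PHPSESSID in the query string is ignored by
// PHP; it is still worth recording, because a token in a URL means a token
// that has leaked somewhere (history, Referer, proxy logs).
$name = session_name();                       // "PHPSESSID" by default
if (isset($_GET[$name])) {
    error_log("session ID supplied in URL from " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

// Where the file handler keeps this session's data (the slides' /tmp/sess_<id>).
// Useful when verifying that the directory is not readable by other accounts.
$dir  = session_save_path() ?: sys_get_temp_dir();
$file = rtrim($dir, '/') . '/sess_' . session_id();
echo "session data file: " . htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
```

With session.use_strict_mode on, a session ID that does not correspond to an existing server-side session is replaced by a freshly generated one instead of being adopted, so a token chosen by the client never becomes a valid session.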

SESSION TIMEOUT (6)

a) because HTTP is stateless, it is hard for the server to know when a user has finished a session
b) ideally, the user explicitly logs out, but many users don't
c) the client deletes session cookies when the browser closes
d) the server automatically cleans up old sessions after a period of time
   old session data consumes resources and may present a security risk
   adjustable in PHP server settings or with the session_cache_expire function
e) you can explicitly delete a session by calling session_destroy

LOGOUT.PHP

<?php
session_start();
session_destroy();
echo "To Login Click <a href='login1.php'>Here</a>";
?>

===

<?php
session_start();
session_destroy();
header("Location: login1.php");
exit;
?>
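The logout.php on the slide calls session_destroy(), which removes the server-side session data but leaves the PHPSESSID cookie in the browser, and the server's own cleanup of old sessions happens only eventually. The following is an added example, not code from the slides or the textbook: a logout that also expires the cookie on the client, and an idle-timeout check to run on every protected page. The 10-minute limit is a constructed value for the example, and the function names are this example's own.

```php
<?php
// Added example (not from the slides): complete logout plus an idle timeout.

const IDLE_LIMIT_SECONDS = 10 * 60;   // constructed value for the example

// Full logout: clear the data, expire the cookie in the browser, and destroy
// the server-side store. Must be called before any output is sent.
function logoutUser(): void
{
    $_SESSION = [];                       // nothing left for the rest of this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [   // same attributes, expiry in the past
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}

// Idle timeout: remember when the last request arrived and log the user out
// when the gap exceeds the limit. Returns true while the session is live.
function enforceIdleTimeout(int $now, int $limit = IDLE_LIMIT_SECONDS): bool
{
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > $limit) {
        logoutUser();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// On a protected page:
session_start();
if (!enforceIdleTimeout(time())) {
    header("Location: login1.php");
    exit;
}
echo "session still active";

// logout.php itself becomes: session_start(); logoutUser();
// header("Location: login1.php"); exit;
```

Deleting the cookie matters because, as the session-hijacking slides explain, a token that stays on a shared computer after the user leaves is a token someone else can present; destroying the server-side data alone is what makes that token useless, and removing the cookie is what keeps it from being replayed against a server that still has a file for it.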

COOKIES VS SESSIONS (1)

Read this article: http://www.phpshare.org/articles/Cookies-versus-Sessions

SESSIONS HIJACKING

a) an attacker's primary objective is to somehow hijack the session of a legitimate user and thereby masquerade as them
b) if the user has been authenticated to the application, the attacker may be able to access private data or carry out unauthorized actions
c) if the user is unauthenticated, the attacker may still be able to view sensitive information submitted by the user during her session

SESSIONS HIJACKING

the vulnerabilities that exist in session management mechanisms largely fall into two categories:
a) Weaknesses in the generation of session tokens.
b) Weaknesses in the handling of session tokens throughout their lifecycle.

GENERATION OF SESSION TOKENS (1)

a) some session tokens are created using the user's username or email address
b) this information may be encoded in some way, and may be combined with other data.
c) for example:
   757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3036
d) it contains only hexadecimal characters, and running it through a hex decoder reveals:
   user=daf;app=admin;date=10/09/07

GENERATION OF SESSION TOKENS (1)

a) attackers can exploit this session token to attempt to guess the current sessions of other application users
b) using a list of common usernames, they can quickly generate large numbers of potentially valid tokens and test these to confirm which are valid
c) components that may be encountered within structured tokens include:
   i.   The account username
   ii.  The numeric identifier used by the application to distinguish between accounts
   iii. The user's first/last human name
   iv.  The user's email address
   v.   A date/time stamp
   vi.  The client IP address

SESSION TOKEN HANDLING (2)

a) Disclosure of Tokens on the Network
   this vulnerability arises when the session token is transmitted across the network in unencrypted form, enabling a suitably positioned eavesdropper to obtain the token and so masquerade as the legitimate user
b) Disclosure of Tokens in Logs
   the most common place where tokens are simply disclosed to unauthorized view is in system logs of various kinds
   many applications provide functionality for admins to monitor and control aspects of the application's runtime state, including user sessions

VULNERABLE SESSION TERMINATION (3)

Proper termination of sessions is important for two reasons.
First, it reduces the window of opportunity within which an attacker may capture, guess, or misuse a valid session token.
Second, it encourages users to invalidate an existing session when they no longer require it, thereby taking some responsibility for securing their session in a shared computing environment.
The main weaknesses in session termination functions involve failures to meet these two key objectives.

SECURING SESSION MANAGEMENT

a) Generate Strong Tokens

The most effective token generation mechanisms are those that:
i.   use an extremely large set of possible values, and
ii.  contain a strong source of pseudo-randomness,
iii. ensuring an even and unpredictable spread of tokens across the range of possible values.

(java.util.Random is not a cryptographic source of randomness and does not satisfy requirement ii.)
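The following is an added example, not code from the slides or the textbook, serving both the structured-token discussion under GENERATION OF SESSION TOKENS and the "strong tokens" requirement above. The first part is the analysis step the slides describe, run over the slides' own hex string: a token made only of hex digits is worth decoding, and a decoded "k=v;k=v" layout is the signature of a structured token (hex2bin on that exact string gives user=daf;app=admin;date=01/12/06, so the printed date on the slide differs from its hex). The second part is the contrast: a token drawn from the operating system's CSPRNG via random_bytes(), and the php.ini directives that make PHPSESSID itself that strong. The function names are this example's own.

```php
<?php
// Added example (not from the slides): recognising a structured token, and
// generating one that carries no structure at all.

// Returns the decoded token when it is hex-encoded printable text, else null.
// The slides' example decodes to "user=daf;app=admin;date=01/12/06".
function decodeIfHexText(string $token): ?string
{
    if ($token === '' || !ctype_xdigit($token) || strlen($token) % 2 !== 0) {
        return null;
    }
    $plain = hex2bin($token);
    return ($plain !== false && ctype_print($plain)) ? $plain : null;
}

// Splits a decoded "k=v;k=v" token into its fields; this is where the
// components listed on the slides (username, date, IP, ...) show up.
function tokenFields(string $plain): array
{
    $fields = [];
    foreach (explode(';', $plain) as $part) {
        if (strpos($part, '=') !== false) {
            [$k, $v] = explode('=', $part, 2);
            $fields[$k] = $v;
        }
    }
    return $fields;
}

// A strong token: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded. The set
// of possible values is 2^256 and no part of the value means anything.
function generateStrongToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// PHP can generate PHPSESSID to the same standard; set before session_start().
function configureStrongSessionIds(): void
{
    ini_set('session.sid_length', '48');             // 48 characters
    ini_set('session.sid_bits_per_character', '6');  // 6 bits each: 288 bits
    ini_set('session.use_strict_mode', '1');         // refuse IDs the server never issued
}

$slideToken = '757365723d6461663b6170703d61646d696e3b646174653d30312f31322f3036';
$plain = decodeIfHexText($slideToken);
echo "decoded: " . ($plain ?? '(not hex-encoded text)') . "\n";
print_r(tokenFields($plain ?? ''));

$strong = generateStrongToken();
echo "strong token: $strong\n";
echo "decodes to text: " . (decodeIfHexText($strong) === null ? 'no' : 'yes') . "\n";
```

The decode check is a useful thing to run against a token taken from your own application: if it yields readable fields, the token is built from user data and the guessing attack the slides describe applies to it regardless of how long it looks.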

SECURING SESSION MANAGEMENT

b) Protect Tokens throughout Their Lifecycle

i.   Logout functionality should be implemented. This should dispose of all session resources held on the server and invalidate the session token.
ii.  Session expiration should be implemented after a suitable period of inactivity (e.g., 10 minutes).
iii. Concurrent logins should be prevented. Each time a user logs in, a different session token should be issued, and any existing session belonging to the user should be disposed of as if she had logged out from it.
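The following is an added example, not code from the slides or the textbook, of rule iii together with the token renewal that makes it possible: a login that issues a fresh session ID with session_regenerate_id(), and a per-request check that retires any earlier login of the same account. Concurrent logins are prevented with a server-side registry mapping each username to the serial number of its one valid login; a JSON file at a constructed path stands in for that registry here, and the file path and function names are this example's own. The example assumes the credentials were verified by code not shown.

```php
<?php
// Added example (not from the slides): one valid login per account, with a
// new session token issued on every login.

const LOGIN_REGISTRY = '/tmp/login-registry.json';   // constructed path

// username => serial number of the most recent login (server-side only)
function readRegistry(): array
{
    $raw  = @file_get_contents(LOGIN_REGISTRY);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function writeRegistry(array $reg): void
{
    file_put_contents(LOGIN_REGISTRY, json_encode($reg), LOCK_EX);
}

// Call only after the password (or other credential) has been verified.
// A fresh PHPSESSID replaces whatever token the browser arrived with, so a
// token planted before login never becomes an authenticated one; bumping
// the serial retires every earlier login of this account.
function loginUser(string $username): void
{
    session_regenerate_id(true);          // new ID, old server-side file removed
    $reg = readRegistry();
    $serial = ($reg[$username] ?? 0) + 1;
    $reg[$username] = $serial;
    writeRegistry($reg);
    $_SESSION = ['user' => $username, 'login_serial' => $serial];
}

// Run on every protected page. A session whose serial no longer matches the
// registry belongs to a login that has been superseded: dispose of it exactly
// as a logout would.
function loginIsCurrent(): bool
{
    if (!isset($_SESSION['user'], $_SESSION['login_serial'])) {
        return false;
    }
    $reg = readRegistry();
    if (($reg[$_SESSION['user']] ?? 0) !== $_SESSION['login_serial']) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

session_start();
if (isset($_POST['username'])) {
    // credential check happens here in a real application (not shown)
    loginUser($_POST['username']);
}
if (!loginIsCurrent()) {
    header("Location: login1.php");
    exit;
}
echo "Logged in as " . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

The serial-number approach avoids having to locate and delete the previous session's file on the server: the old session is still physically present until PHP's cleanup removes it, but it fails the registry check on its next request and is destroyed then. A real deployment would keep the registry in the same database as the accounts rather than in a flat file.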
