Archived Boards and Threads... > SMF Feedback and Discussion

Session hijacking prevention?


Arantor:
It actually works? That surprises me, I was under the impression that it didn't. The PHPSESSID cookie does get appended, but the full SMFCookie shouldn't be.

(Note that it does get put into the URL in some cases, like the logout URL, as indicated. I guess I need to go back and look at the code since I think it needs changing.)

xekon:

--- Quote from: Arantor on May 24, 2012, 06:35:03 PM ---Session IDs are not accepted for logged in users when supplied via URL to prevent session fixation. There are not checks against IP address (for the obvious reason) but I believe that there are circumstances where user agent is verified between requests.

--- End quote ---

I have been reading about the different securities in place for various CMS and forum php web apps (smf, drupal, phpbb, mybb) regarding user authentication, and session/cookie security.

I have been reading about them to get a better understanding of good practices for an opensource php web app that I have been writing, primarily as a learning experience.

phpBB has "Session IP validation:" options in the Security settings, where you can match against part of or the entire IP address.

I would really like to know the reason there are not checks against IP address, it was not obvious to me, but I am still learning.

The other phpbb security checks were: "Validate X_FORWARDED_FOR header", "Validate Referer:", and "validate browser" which is what I think you said smf does with the "user agent".

and mybb has this option:
"Do you want to check a user's IP address for HTTP_X_FORWARDED_FOR or HTTP_X_REAL_IP headers? If you're unsure, set this to no."

Arantor:

--- Quote ---phpBB has "Session IP validation:" options in the Security settings, where you can match against part of or the entire IP address.
--- End quote ---

That can be viable if, and only if, you know the session will not bounce between too many IP addresses. There are still networks out there that will bounce users between very wide ranges of IP addresses, which means this could break things for users.


--- Quote ---The other phpbb security checks were: "Validate X_FORWARDED_FOR header", "Validate Referer:",
--- End quote ---

SMF does things with X-Forwarded-For (see below). Checking the referer is not necessarily wise since not every browser submits a referer (especially internet security software and proxies that strip the header) but if it is supplied, it should not be changing between requests. SMF will do some limited checks against this.


--- Quote ---and mybb has this option:
"Do you want to check a user's IP address for HTTP_X_FORWARDED_FOR or HTTP_X_REAL_IP headers? If you're unsure, set this to no."
--- End quote ---

SMF already checks HTTP_X_FORWARDED_FOR and if you ban any IP addresses, it will apply the ban to both the 'IP address' and the 'X-Forwarded-For' IP address that a user has.


As for what X-Forwarded-For and X-Real-IP are, these are where there is a proxy between the user and the server, through whatever means (maybe it's a server proxy like CloudFlare) and the IP address that the user presents is actually the proxy's IP address, so the proxy adds the actual user's IP address to a header when it gets to the application.
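
The checks discussed in this thread, as an added illustration that is not SMF's (or phpBB's or MyBB's) own code: a session fingerprint bound to the user agent, an optional phpBB-style partial IP match that can be switched off for users whose networks hop between addresses, and an X-Forwarded-For lookup that is only honoured when the direct peer is a proxy you trust. `TRUSTED_PROXIES`, the function names and the IPv4-only prefix matching are assumptions made for this example.

```php
<?php
// Added example, not SMF code. Proxies whose X-Forwarded-For header we trust;
// the address below is a constructed placeholder.
const TRUSTED_PROXIES = ['10.0.0.5'];

// Resolve the client IP. X-Forwarded-For is only used when REMOTE_ADDR is a
// trusted proxy; otherwise any client could forge the header to dodge a ban.
function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The header is a comma-separated chain; each proxy appends the peer it
        // saw. Walk from the right, skipping our own proxies, and stop at the
        // first hop that is not ours and parses as an IP address.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (!in_array($hops[$i], TRUSTED_PROXIES, true)
                && filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
                return $hops[$i];
            }
        }
    }
    return $remote;
}

// Keep only the first $octets of an IPv4 address (phpBB-style partial match).
// IPv4 only for brevity; an IPv6 version would compare a prefix length instead.
function ip_prefix(string $ip, int $octets): string
{
    return implode('.', array_slice(explode('.', $ip), 0, $octets));
}

// Compare the fingerprint stored at login with the current request. $ipOctets
// of 0 disables the IP check, which is the safe default for roaming users.
function session_is_valid(array $stored, array $server, int $ipOctets = 0): bool
{
    if (($stored['ua'] ?? null) !== ($server['HTTP_USER_AGENT'] ?? '')) {
        return false;
    }
    if ($ipOctets > 0
        && ip_prefix($stored['ip'], $ipOctets) !== ip_prefix(client_ip($server), $ipOctets)) {
        return false;
    }
    return true;
}

// Refuse session IDs supplied in the URL (session fixation), as the thread
// says SMF does for logged-in users. Must run before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
```

With `$ipOctets = 3` a user moving from 192.0.2.10 to 192.0.2.77 keeps their session, while a move to another /24 or a changed user agent forces a fresh login.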

xekon:
Excellent! Thank you so much for the reply :)
