are session safe?

[alexgeek]

Hello, I've heard an awful lot about login systems that use sessions being vulnerable to XSS.
As the user can change sessions, if the session was storing the username/id of the person logged in, could they change it to access other peoples accounts?
if so how can this be fixed? or is there another way besides sessions?
thanks guyssssss

[afmanuk]

You could store a random string in the session aswell as the username and update the database for the user when they log in. Then on every page check that the username and the key thing match... That's what I do anyways

PHP: Select all

$key = substr(md5(rand(0, 1000)), rand(0, 27), 5); 

This is something simple to create a key and there's like 27,000 possibilities
It probably won't take long to go through all 27,000 with a program. But the hacker will have to know how the key is generated. Use you imagination

[alexgeek]

could use salt or something i guess.
could you show me an example of your login script?
is it something like:

PHP: Select all

   $key = substr(md5(rand(0, 1000)), rand(0, 27), 5);
$username = $mysqlquery;
$_SESSION['user'] = $username.$key;
$update = "update set key='$key' where username='$username'"; 

[afmanuk]

Yeah, close.
But instead of

PHP: Select all

$_SESSION['user'] = $username.$key; 

Set them seperately in the session like this...

PHP: Select all

$_SESSION['user'] = $username;
$_SESSION['key'] = $key; 

Then you don't have to seperate the joint strings when checking

[alexgeek]

ahh right thanks

[afmanuk]

No worries, glad to help

[alexgeek]

are there any other methods or things to add to this one?

[afmanuk]

Wow... Appears my way of stopping illegitimate users is just as bad as storing just the username.

Quote:

A problem occurs if someone else gets hold of your session ID. All a malicious user needs to become you is your session ID - if they then send it to the server as if it were their own, the server will assign all your session data to the hacker. Effectively, they will be logged in as you. You want to ensure that the session ID you receive is the same ID as you sent out to the same user, and no one else.

Haha... Oh dear... Read this... There's a bit on session hijacking
http://www.roscripts.com/Security_in...tions-174.html

[nate2099]

apparently storing the users user-agent on log in is a good way as well. (on each page match the user-agent on record with the one sent on the original login. Would take ages to hit a match by brute force!!)

Also regenerating the session id on login.