How can I protect my session from theft?
Simple test:
- On one machine, I went to the site (https)
- I logged into the same page on a different machine (not logged in)
- I switched the session_id in the header on the second machine to the one from the first machine
- On the second machine, I get the entire first machine - I am logged in, I can easily view its data, etc.
How to protect the session (and possibly the csrf token) from being stolen?
- Make sure your session keys are not guessable. A GUID / UUID works fine here (or better, a hash output from a cryptographic random number generator).
- Make sure the ID is never passed in plain text (use SSL).
- Update your session ID frequently (say every 5 minutes).
By doing the above, an attacker would have to intercept the session ID. We also recommend using secure cookies. This will prevent the cookie from being sent for unsafe resources (e.g. loading images / CSS over HTTP, which does not require authentication).
Optionally, you can try to bind the session to an IP address, but this is not ideal. It cannot defend against an attacker behind the same NAT as the user, and may not authenticate a valid user who has multiple routes to the Internet.
To clarify: you will always be able to see your own session ID. The trick is that no one else can see it. It is effectively a temporary password. Secure cookies are encrypted on disk by most browsers (reversibly). They are encrypted again for transmission over SSL to the server.
Assuming you are talking to the correct server [a different problem], the only way an attacker can get your session ID is to either install malware on your computer or break SSL.
Frequent ID changes mean that an attacker will only have a short window of opportunity.
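As an added example (not code from the question or the answer above), here is a minimal server-side session store in Python that puts the answer's points into code: IDs drawn from the OS CSPRNG, a Set-Cookie value carrying the Secure attribute (plus HttpOnly and SameSite, which the answer does not mention), and rotation every 5 minutes so that a captured ID stops working once it is replaced. The `SessionStore` class, `set_cookie_header` helper, in-memory dict and injectable clock are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 5 * 60   # rotate the session ID every 5 minutes, as the answer suggests
COOKIE_NAME = "sid"    # assumed cookie name for this example


def new_session_id() -> str:
    """32 random bytes (256 bits) from the OS CSPRNG, encoded URL/cookie safe.
    This is the 'crypto random number generator' option, not a time/MAC based GUID."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side store mapping session ID -> {user, issued}. In-memory for the example."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so rotation can be exercised offline
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "issued": self._now()}
        return sid

    def lookup(self, sid: str):
        """Return (user, current_sid) for a presented ID, or (None, None) if unknown.
        Once the ID is older than SESSION_TTL it is replaced: the old ID is deleted,
        so a copy taken from another machine is rejected from this point on."""
        data = self._sessions.get(sid)
        if data is None:
            return None, None
        if self._now() - data["issued"] >= SESSION_TTL:
            del self._sessions[sid]
            return data["user"], self.create(data["user"])
        return data["user"], sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure = only sent over HTTPS (the answer's 'secure cookies'),
    HttpOnly = not readable from page scripts, SameSite=Strict = not sent cross-site."""
    return f"{COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

The Secure attribute is what stops the browser from attaching the cookie to the HTTP image/CSS requests the answer mentions; rotation limits how long a copied ID is useful.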