Is it possible for some hackers (although it is encrypted in Laravel) to hijack a session and pretend to be another user, for example? How about the simple ones? For example, if I put the value 1 in a logged_in session to give users some extra capabilities, can they create it themselves with a cookie manager or some other browser add-on when it is as simple as one number or boolean?

Thanks

kodfire
  • I'm assuming you mean a cookie session and in that case the thing to worry about is if an attacker manages to get a hold of the cookie. In that case they can impersonate the user. However it's not easy to get a hold of cookies remotely through 3rd party pages. – apokryfos Apr 04 '18 at 13:22
  • I'm just confused. So you mean they can't create a page and steal a user's session and copy that into their browser in order to pretend to be another user? – kodfire Apr 04 '18 at 13:41
  • The only way to do that is by exploiting browser vulnerabilities, which is not easy. However, it is also not impossible. The browser will not just hand out cookies that another page set. That violates the cookie spec. – apokryfos Apr 04 '18 at 13:48
  • https://tools.ietf.org/html/rfc6265#page-29 is a good read on the security considerations – apokryfos Apr 04 '18 at 13:51
  • You mentioned it is not impossible. Could you please tell me more about possibilities of how they can do that in order to prevent it in my website with Laravel? – kodfire Apr 04 '18 at 13:53
  • Thanks for the link :) – kodfire Apr 04 '18 at 13:54
  • Not sure. I guess the biggest concern is for people running older versions of browsers. For example, Chrome has https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/opec-1/Google-Chrome.html to list known security flaws, which are probably fixed in the latest version. However, anyone running an older version will be vulnerable. At some point it's not your responsibility but the user's to protect their cookies. – apokryfos Apr 04 '18 at 13:57
  • OK thank you very much @apokryfos – kodfire Apr 04 '18 at 14:01

1 Answer

For an attacker to access your session, he needs to retrieve the cookie of a user. In this case he can pretend he is the specific user in your application.
But it's not that easy. It would be easier to find some user's information by hacking them personally than trying to penetrate Laravel's session.
Still, it's possible. But even if he manages to do this, in Laravel you can take extra precautions to make the hacker's access very restricted by default.

On the other hand, that's why APIs should be stateless, because a hacker can get access to the shared session between client and API pretty easily and penetrate your system's session.

Dionisis K
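
A minimal model of the point discussed above, added here as an example (plain PHP, not Laravel's own code and not part of the original posts): values such as logged_in stay in a server-side store and the cookie carries only a random id plus a MAC, so a value typed into a cookie manager or an altered id is not accepted, while an exact copy of a valid cookie is. APP_KEY, cookie_mac, start_session and load_session are hypothetical names, and the scheme is simplified (Laravel encrypts its cookies rather than only signing them).

```php
<?php
// Simplified model, constructed for illustration (not Laravel's code).
// Assumption: session data is kept server-side; the cookie is "id.mac".

const APP_KEY = 'constructed-demo-key'; // placeholder secret

$store = []; // stands in for the server-side session store

function cookie_mac(string $id): string
{
    return hash_hmac('sha256', $id, APP_KEY);
}

// After a successful login: save the data, return the cookie value.
function start_session(array &$store, array $data): string
{
    $id = bin2hex(random_bytes(20)); // unguessable session id
    $store[$id] = $data;
    return $id . '.' . cookie_mac($id);
}

// Return the session data for a cookie value, or null if it is invalid.
function load_session(array $store, string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null; // no MAC present
    }
    [$id, $tag] = $parts;
    if (!hash_equals(cookie_mac($id), $tag)) {
        return null; // id and MAC do not match: edited or invented
    }
    return $store[$id] ?? null; // valid MAC but no such session
}

$cookie = start_session($store, ['user_id' => 42, 'logged_in' => 1]);

$cases = [
    'value typed into a cookie manager' => 'logged_in=1',
    'valid cookie with the id altered'  => '0' . $cookie,
    'exact copy of the valid cookie'    => $cookie,
];
foreach ($cases as $label => $value) {
    $ok = load_session($store, $value) !== null;
    echo $label, ': ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

The server cannot tell a copied cookie from the original, which is why the discussion above centres on keeping the cookie itself from being obtained.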