
I am pretty new to Web Development and I read about CSRF, XSS, and Session Hijacking. One proposed solution is to simply use a nonce to check the validity of requests. I wrote this script in PHP to prevent session hijacking. I think it is similar in spirit to regenerating the session ID, in that identifiers, or their combination (session ID and the nonce) are changed at every request.

<?php
session_start();   // $_SESSION is empty until the session is started

// Rotate the nonce on every request: the cookie the browser sends back must
// equal the value stored in the session on the previous request.
if (!isset($_SESSION["user"]["nonce"]) ||
    $_SESSION["user"]["nonce"] === ($_COOKIE["SITE_nonce"] ?? null))   // ?? avoids an undefined-index notice; === avoids loose comparison of two hex strings
{
    $nonce = md5(uniqid());
    $_SESSION["user"]["nonce"] = $nonce;   // the original line was missing its semicolon
    setcookie("SITE_nonce", $nonce, 0, "/path");
}
else
    die("Invalid Request");

Is this enough? I really do not know if I can afford SSL, and I know that it would be a good solution to session hijacks, but I am hoping for some insight into this approach. Am I missing something?

Rolando Cruz

1 Answer


This is really a common problem - discussed many times before. I suggest you visit security pages such as http://owasp.com/index.php/Main_Page for a bunch of very good guides.

As for your implementation: you can also store some sort of hash that you generate the first time a person comes and gets a session, together with an IP. Also, I guess, a good timeout on the cookie.

Luke
  • Thanks for the link. I started to skim some pages and I saw that my implementation fits under Page Tokens! If it's not too much, I really don't understand what you meant in your 2nd paragraph pertaining to a hash (I got the part about cookies but not the former). – Rolando Cruz Aug 24 '11 at 07:10
  • @Rolando Cruz What I do is md5(IP, username and secret pass phrase) and I store it under a "hash" field for that specific user. So when someone is coming back (with a cookie) I compare those hashes, and if they don't match I log it, kick them out and possibly keep them out for a few minutes. – Luke Aug 24 '11 at 07:23
  • Ahh, I see. I thought you were referring to the very first time the user visits the site. In that case I think I'll also be adding the value of `HTTP_USER_AGENT` into the hash. Thanks! – Rolando Cruz Aug 24 '11 at 07:35
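Added example, not code from the question or from Luke's answer: the question's rotating-token check and the answer's IP-plus-username fingerprint written as pure functions, so the request cycle can be walked through from the PHP CLI without a web server. `$session` stands in for `$_SESSION` and `$cookies` for `$_COOKIE`; the constant `SERVER_SECRET`, every function name, and the RFC 5737 addresses are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example. In a real app SERVER_SECRET comes from config, not source.
const SERVER_SECRET = 'load-a-32-byte-random-secret-from-config-not-source';

// 256 bits from the CSPRNG; md5(uniqid()) is clock-derived and guessable.
function newToken(): string
{
    return bin2hex(random_bytes(32));
}

// The answer's idea (IP + username + secret) as a keyed HMAC, so the stored
// value cannot be brute-forced back to its inputs. The User-Agent is left
// out on purpose: the client chooses that header, so it binds nothing.
function fingerprint(string $ip, string $username): string
{
    return hash_hmac('sha256', $ip . "\0" . $username, SERVER_SECRET);
}

// Called once after the credentials check; returns the token to set as cookie.
function establishSession(array &$session, string $ip, string $username): string
{
    $token = newToken();
    $session['user'] = [
        'name'  => $username,
        'fp'    => fingerprint($ip, $username),
        'token' => $token,
    ];
    return $token;
}

// Called on every authenticated request. Returns 'anonymous',
// 'fingerprint_mismatch', 'token_mismatch' or 'ok'; on 'ok' the session now
// holds a freshly rotated token, also handed back through $newToken.
function guardRequest(array &$session, array $cookies, string $ip, ?string &$newToken): string
{
    $newToken = null;
    if (!isset($session['user'])) {
        return 'anonymous';
    }
    $u = $session['user'];

    // A cookie replayed from another address fails here even if still current.
    if (!hash_equals($u['fp'], fingerprint($ip, $u['name']))) {
        unset($session['user']);
        return 'fingerprint_mismatch';
    }

    // Same branch as the question's snippet, with a constant-time compare
    // and no read of an unset cookie index.
    $presented = $cookies['SITE_nonce'] ?? '';
    if ($presented === '' || !hash_equals($u['token'], $presented)) {
        unset($session['user']);   // the snippet's die("Invalid Request")
        return 'token_mismatch';
    }

    $newToken = newToken();
    $session['user']['token'] = $newToken;
    return 'ok';
}

// Real deployment: send the rotated token with the flags the question's
// setcookie() call omitted (options array form, PHP 7.3+).
function issueCookie(string $token): void
{
    setcookie('SITE_nonce', $token, [
        'expires'  => 0,          // session cookie, as in the question
        'path'     => '/',
        'secure'   => true,       // only over HTTPS; otherwise the token is readable on the wire
        'httponly' => true,       // not readable from document.cookie after an XSS
        'samesite' => 'Strict',
    ]);
}

// --- CLI walk-through with constructed addresses ---------------------------
$session    = [];
$aliceIp    = '192.0.2.10';
$attackerIp = '203.0.113.7';

$t1 = establishSession($session, $aliceIp, 'alice');

// 1. Alice presents t1: accepted, token rotates to t2.
$r1 = guardRequest($session, ['SITE_nonce' => $t1], $aliceIp, $t2);

// 2. An attacker who captured t1 replays it from another network.
$copy = $session;
$r2 = guardRequest($copy, ['SITE_nonce' => $t1], $attackerIp, $x);

// 3. Attacker behind the same NAT (same IP) replays t1 after Alice used it.
$copy = $session;
$r3 = guardRequest($copy, ['SITE_nonce' => $t1], $aliceIp, $x);

// 4. Weak spot: the attacker replays t2 before Alice does, is accepted, and
//    Alice's own next request is the one that gets rejected.
$r4 = guardRequest($session, ['SITE_nonce' => $t2], $aliceIp, $t3);
$r5 = guardRequest($session, ['SITE_nonce' => $t2], $aliceIp, $x);

printf("%s %s %s %s %s\n", $r1, $r2, $r3, $r4, $r5);
```

Running it shows the two things the thread is really about: a replayed cookie is caught by the fingerprint when it comes from a different address and by the stale token when it comes from the same one, but whoever presents the current token first wins, so the rotation only detects a hijack after the fact and locks the legitimate user out in the process. The same rotation also breaks on ordinary parallel requests (a page plus its images or XHR calls all carry the same cookie; the first one rotates and the rest fail), which is why regenerating the session ID at login and privilege changes, rather than on every request, is the usual approach. Binding to the IP rejects users whose address changes mid-session (mobile carriers, proxy pools), so log and re-authenticate rather than ban on a mismatch. None of this replaces TLS: without it the cookie crosses the wire in the clear and the attacker the check is meant to stop simply reads the next token too.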