The KGB Oracle
Serving the online gaming community since 1997
Visit www.the-kgb.com
For additional information

Join KGB DISCORD: http://discord.gg/KGB
 
KGB Information
Untitled 1

Visit KGB HQ
www.the-kgb.com

Who's Online Now
0 members (), 86 guests, and 2 robots.
Key: Admin, Global Mod, Mod
ShoutChat
Comment Guidelines: Do post respectful and insightful comments. Don't flame, hate, spam.
Today's Birthdays
There are no members with birthdays on this day.
Newest Members
Luckystrikes, Shingen, BillNyeCommieSpy, Lamp, AllenGlines
1,477 Registered Users
Forum Statistics
Forums53
Topics13,097
Posts116,365
Members1,477
Most Online276
Aug 3rd, 2023
Top Likes Received (30 Days)
None yet
Top Posters(30 Days)
Sini 1
Popular Topics(Views)
2,192,273 Trump card
1,368,766 Picture Thread
497,400 Romney
Previous Thread
Next Thread
Print Thread
Rate Thread
Page 4 of 4 1 2 3 4
Joined: Mar 2009
Posts: 487
Kay Offline
KGB Alumni
***
Offline
KGB Alumni
***
Joined: Mar 2009
Posts: 487
Originally Posted By: Longshanks
You'd have to be pretty sophisticated to cookie spoof a session from the server ... for a class project, it should fly through with no problem.

Most of the teachers out there can't even tell you where a cookie is located on the file system ... if you really had to lock down a site, I'd definately use an alternative authentication method then PHP & MySQL



True enough.




In Hoc Signo Vinces
Joined: Apr 2009
Posts: 450
KGB Supreme Knight
*****
Offline
KGB Supreme Knight
*****
Joined: Apr 2009
Posts: 450
I use the same technique in the real world if there is a fairly easy way to spoof it I would like to know how. Several I did for work are behind a fairly secure firewall for internal use only (which means thousands could access it) but still somewhat sensitive data that I would like to keep secure. I also use it on a home machine exposed to the internet (http/ssh). It has been up for years without a problem, but I used to get up to hundreds ssh hack attempts on a bad day (mostly Chinese), down to a couple nowadays.

I could change scripting lang and db server type but most likely wouldn’t be more secure. Frankly for me I am in more danger of somebody walking out of my apartment with my servers.

Joined: Nov 2005
Posts: 586
KGB (F3) Vice-Chancellor
Crowfall Faction
*****
Offline
KGB (F3) Vice-Chancellor
Crowfall Faction
*****
Joined: Nov 2005
Posts: 586
If I remember correctly, been years since i played with PHP ...

$_SESSION marker data is stored in a directory on the server, some /temp by default ... if a user can access that directory, the user can spoof the server by creating a local cookie that equals one of the markers in the server's local directory. This marker is suppose to be automatically deleted when the user ends the session (i.e. closes the browser)

That temp dir can be pointed from the default (which a user can potentially know the default location of) to one you create somewhere else on the file system ... this would make it more difficult to find if a user got access to your file system.

The markers have an obscure random filename .... bSSdwwFfwwf .. or such.

Last edited by Longshanks; 07/01/09 05:52 PM.

[Linked Image from w3.the-kgb.com][Linked Image from w3.the-kgb.com][Linked Image from w3.the-kgb.com]
Joined: Sep 2008
Posts: 102
Ithkrul Offline OP
KGB Champion
*****
OP Offline
KGB Champion
*****
Joined: Sep 2008
Posts: 102
so basically making a semi-permanent duplicate?

Joined: Nov 2005
Posts: 1,876
Likes: 10
KGB Supreme Court Justice
KGB Supreme Knight
****
Offline
KGB Supreme Court Justice
KGB Supreme Knight
****
Joined: Nov 2005
Posts: 1,876
Likes: 10
Longshanks : if someone got access to your system, you have more important things to be afraid of than spoofed cookies.


[Linked Image from w3.the-kgb.com][Linked Image from w3.the-kgb.com]
Joined: Nov 2005
Posts: 586
KGB (F3) Vice-Chancellor
Crowfall Faction
*****
Offline
KGB (F3) Vice-Chancellor
Crowfall Faction
*****
Joined: Nov 2005
Posts: 586
Originally Posted By: Arkh
Longshanks : if someone got access to your system, you have more important things to be afraid of than spoofed cookies.


... which is why i mentioned it takes a pretty sophisticated user to spoof a session.


[Linked Image from w3.the-kgb.com][Linked Image from w3.the-kgb.com][Linked Image from w3.the-kgb.com]
Joined: Nov 2005
Posts: 1,876
Likes: 10
KGB Supreme Court Justice
KGB Supreme Knight
****
Offline
KGB Supreme Court Justice
KGB Supreme Knight
****
Joined: Nov 2005
Posts: 1,876
Likes: 10
But you can either guess the session ID or, the server is setup correctly ride along one (can't remember the exact name) : some server accept parameters like SESSID=blabla to give a session ID if your PC don't accept cookies.
- so, get yourself a session ID, you'll have a page like index.php?SESSIONID=ab8e43c8...
- refresh it like every 5 mn
- give the link to this page to someone who has an account on it
- as you give it with a session ID, the guy has now the same session you have
- wait for him to log in
- sharing the same session, you just hijacked his. It's time to change some password now.

The way to protect from that in php is simple : session_regenerate_id everytime a user log in or out of one of your apps. If you have a special admin page : samething, ask for the password again and regenerate the session ID.


[Linked Image from w3.the-kgb.com][Linked Image from w3.the-kgb.com]
Page 4 of 4 1 2 3 4

Link Copied to Clipboard
Powered by UBB.threads™ PHP Forum Software 7.7.5