The KGB Oracle
Serving the online gaming community since 1997
Joined: Mar 2009
Posts: 487
Kay Offline
KGB Alumni
***
Originally Posted By: Longshanks
You'd have to be pretty sophisticated to cookie spoof a session from the server ... for a class project, it should fly through with no problem.

Most of the teachers out there can't even tell you where a cookie is located on the file system ... if you really had to lock down a site, I'd definitely use an alternative authentication method than PHP & MySQL



True enough.




In Hoc Signo Vinces
Joined: Apr 2009
Posts: 450
KGB Supreme Knight
*****
I use the same technique in the real world; if there is a fairly easy way to spoof it, I would like to know how. Several I did for work are behind a fairly secure firewall for internal use only (which means thousands could access it) but still hold somewhat sensitive data that I would like to keep secure. I also use it on a home machine exposed to the internet (http/ssh). It has been up for years without a problem, but I used to get up to hundreds of ssh hack attempts on a bad day (mostly Chinese), down to a couple nowadays.

I could change scripting lang and db server type, but it most likely wouldn't be more secure. Frankly, for me, I am in more danger of somebody walking out of my apartment with my servers.

Joined: Nov 2005
Posts: 586
KGB (F3) Vice-Chancellor
Crowfall Faction
*****
If I remember correctly, been years since I played with PHP ...

$_SESSION marker data is stored in a directory on the server, some /temp by default ... if a user can access that directory, the user can spoof the server by creating a local cookie that equals one of the markers in the server's local directory. This marker is supposed to be automatically deleted when the user ends the session (i.e. closes the browser).

That temp dir can be pointed from the default (which a user can potentially know the default location of) to one you create somewhere else on the file system ... this would make it more difficult to find if a user got access to your file system.

The markers have an obscure random filename .... bSSdwwFfwwf .. or such.

Last edited by Longshanks; 07/01/09 06:52 PM.

Joined: Sep 2008
Posts: 102
Ithkrul Offline OP
KGB Champion
*****
So basically making a semi-permanent duplicate?

Joined: Nov 2005
Posts: 1,876
Likes: 10
KGB Supreme Court Justice
KGB Supreme Knight
****
Longshanks: if someone got access to your system, you have more important things to be afraid of than spoofed cookies.


Joined: Nov 2005
Posts: 586
KGB (F3) Vice-Chancellor
Crowfall Faction
*****
Originally Posted By: Arkh
Longshanks: if someone got access to your system, you have more important things to be afraid of than spoofed cookies.


... which is why I mentioned it takes a pretty sophisticated user to spoof a session.


Joined: Nov 2005
Posts: 1,876
Likes: 10
KGB Supreme Court Justice
KGB Supreme Knight
****
But you can either guess the session ID or, if the server is set up correctly, ride along one (can't remember the exact name): some servers accept parameters like SESSID=blabla to give a session ID if your PC doesn't accept cookies.
- so, get yourself a session ID, you'll have a page like index.php?SESSIONID=ab8e43c8...
- refresh it like every 5 min
- give the link to this page to someone who has an account on it
- as you give it with a session ID, the guy has now the same session you have
- wait for him to log in
- sharing the same session, you just hijacked his. It's time to change some password now.

The way to protect from that in PHP is simple: session_regenerate_id every time a user logs in or out of one of your apps. If you have a special admin page: same thing, ask for the password again and regenerate the session ID.
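
The fix named in the post above, together with the non-default session directory mentioned earlier in the thread, as an added example that is not part of the original posts. The function names, the sample account and the storage path are hypothetical.

```php
<?php
// Added example; function names, the user table and the storage path are hypothetical.

// Take the session ID from the cookie only, never from a URL parameter.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse IDs that this server did not generate itself.
ini_set('session.use_strict_mode', '1');

// Keep session files out of the shared default directory, owner-only.
$dir = sys_get_temp_dir() . '/example_app_sessions';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
session_save_path($dir);
session_start();

// Constructed sample account; a real app would read the hash from its database.
$USERS = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function verify_password(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(array $users, string $user, string $password): bool
{
    if (!verify_password($users, $user, $password)) {
        return false;
    }
    // Privilege changes here: issue a fresh ID and delete the old session
    // file, so an ID handed out before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

function reauthenticate(array $users, string $password): bool
{
    // Admin pages: ask for the password again, which also rotates the ID.
    return login($users, $_SESSION['user'] ?? '', $password);
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}
```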

