I am new to sessions. I have read many articles, and there is something I did not understand. To hijack a session, does the attacker have to be on the same computer that the victim logged in on?
I mean, like going into the library and forgetting to log out.
Or can hijacking be done without this?
Assuming ...
- The attacker did not compromise either the client or server machine, and
- Is not listening in (either local to the client, or local to the server, or on internet core routers), or the connection is sufficiently encrypted
- The session token is sufficiently random (which you can assume for php's built-in session mechanism)
- Your website has no XSS or XSRF vulnerabilities.
... the only way to hijack a session is indeed physically using the browser the victim used before. You can configure the lifetime of the session with the session.cookie_lifetime configuration option. The default (0) advises the browser to invalidate the session as soon as the browser is closed.
It can be done in various ways.
- A hacker can access, or put a virus on, the victim's computer, where he finds the session ID.
- He can listen to the network traffic to sniff out the cookie.
- It's also possible (especially on shared hosting) to access the directory where session data is stored.
- If you don't filter input data, XSS attacks are possible.
You can prevent some of these dangers if you encrypt your connection or session cookies, and if you store the user's IP/browser when he/she logs in and then check whether the request's IP matches.
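As an added illustration of the mitigations listed in the answers above (this is not code from either answer): the cookie settings that implement the lifetime-0 default, a session ID regenerated on login, and a per-request fingerprint check. The function names and the choice to fingerprint the browser's User-Agent rather than the IP are my own assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the answers above). Assumes PHP >= 7.3 for the
// array form of session_set_cookie_params() with the 'samesite' key.

function start_hardened_session(): void
{
    // TLS-only cookie, hidden from JavaScript (blunts theft via XSS), not sent
    // on cross-site requests, and discarded when the browser closes (lifetime 0,
    // the default described in the first answer).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Refuse IDs the server never issued, and read the ID only from the cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Fingerprint of the client that logged in. The IP is left out on purpose:
// mobile carriers and corporate proxies change it mid-session, so an IP check
// mostly logs out legitimate users rather than attackers.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function on_successful_login(int $userId): void
{
    // Fresh ID after authentication, so an ID planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
}

function require_valid_session(): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])
        || !hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        $_SESSION = [];            // mismatch or no login: drop everything
        session_destroy();
        http_response_code(401);
        exit('Session invalid, please log in again.');
    }
    return (int) $_SESSION['user_id'];
}
```

Call start_hardened_session() before any output on every page, on_successful_login() once the password check passes, and require_valid_session() at the top of each protected page.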
Sessions are stored on the server and accessed by a session ID, and that's a browser cookie. All the person would have to do to hijack a session is use a session ID that someone else is using. In other words, change their session cookie to someone else's.