How to protect session against theft?

Question

Simple test:

1. On one machine I am logged to site (https)
2. I entered to the same page on different machine (not logged in)
3. I switched session_id in header on second machine - from first machine
4. On second machine I get all of first machine - I am logged in, can easily browse its data, etc.

How to protect session (and maybe csrf token) against theft?

Answer 1

• Make sure your session keys are unguessable. a GUID/UUID works ok here (or better, hash the output of a crypto random number generator).
• Make sure the Id is never transmitted in plain text (use SSL)
• Update your session Id frequently (say every 5 minutes or so).

By doing the above, it should be impossible for an attacker to intercept the session id. It's also a good idea to use secure Cookies. This will prevent the cookie being sent for non-secure resources (eg loading images/css via http which doesn't require authentication)

You can optionally try to tie a session to an IP address but that's not a perfect solution. It fails to defend against an attacker behind same NAT as the user, and can fail to authenticate a valid user who has multiple routes to the internet.

To clarify: You will always be able to see your own session id. The trick is making sure nobody else can see it. It's effectively a temporary password. Secure cookies are encrypted on disk by most browsers (reversible). It's encrypted again for transmission over SSL to the server.

Assuming you're talking to the right server [a different issue], the only way an attacker can get your session id is to either install malware on your machine or break Ssl.

Frequent changes to the id mean an attacker will only have a short window before they must start over.