How to protect session against theft?

Simple test:

  1. On one machine I am logged in to the site (HTTPS).
  2. I opened the same page on a different machine (not logged in).
  3. On the second machine I replaced the session_id in the request header with the one from the first machine.
  4. On the second machine I get everything from the first machine: I am logged in, can easily browse its data, etc.

How to protect session (and maybe csrf token) against theft?

Nips asked Aug 15 '14 18:08


1 Answer

  • Make sure your session keys are unguessable. A GUID/UUID works OK here (or better, hash the output of a crypto random number generator).
  • Make sure the ID is never transmitted in plain text (use SSL).
  • Update your session ID frequently (say every 5 minutes or so).

By doing the above, it should be impossible for an attacker to intercept the session ID. It's also a good idea to use secure cookies. This will prevent the cookie being sent for non-secure resources (e.g. loading images/CSS via HTTP, which doesn't require authentication).

You can optionally try to tie a session to an IP address, but that's not a perfect solution. It fails to defend against an attacker behind the same NAT as the user, and can fail to authenticate a valid user who has multiple routes to the internet.

To clarify: You will always be able to see your own session ID. The trick is making sure nobody else can see it. It's effectively a temporary password. Secure cookies are encrypted on disk by most browsers (reversibly). It's encrypted again for transmission over SSL to the server.

Assuming you're talking to the right server [a different issue], the only way an attacker can get your session ID is to either install malware on your machine or break SSL.

Frequent changes to the ID mean an attacker will only have a short window before they must start over.

Basic answered Oct 11 '22 17:10
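The three measures in the answer (an unguessable ID from a CSPRNG, rotating the ID on a fixed interval, and a Secure cookie), plus the optional IP binding with its caveat, as an added Python example. This is not code from the question or answer authors; the `SessionStore` class, its `resolve`/`rotate` methods, the 5-minute `ROTATE_AFTER_SECONDS` value and the `HttpOnly`/`SameSite` cookie attributes are assumptions for illustration. The clock is injectable so the rotation window can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Rotation interval, taken from the answer's "every 5 minutes or so" (assumed value).
ROTATE_AFTER_SECONDS = 5 * 60


@dataclass
class Session:
    user: str
    last_rotated: float
    client_ip: Optional[str] = None  # only set when optional IP binding is requested


class SessionStore:
    """Server-side session table keyed by an unguessable session ID (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._sessions: dict = {}
        self._clock = clock  # injectable so the rotation window can be tested

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG (256 bits of entropy), URL-safe base64 encoded.
        # This follows the answer's "output of a crypto random number generator"
        # option rather than a GUID, since not every UUID version is random.
        return secrets.token_urlsafe(32)

    def create(self, user: str, client_ip: Optional[str] = None) -> str:
        sid = self.new_id()
        self._sessions[sid] = Session(user, self._clock(), client_ip)
        return sid

    def rotate(self, sid: str) -> str:
        # Move the session data under a fresh ID and drop the old one, so a
        # stolen ID stops working at the next rotation.
        session = self._sessions.pop(sid)
        session.last_rotated = self._clock()
        new_sid = self.new_id()
        self._sessions[new_sid] = session
        return new_sid

    def resolve(
        self, sid: Optional[str], client_ip: Optional[str] = None
    ) -> Tuple[Optional[Session], Optional[str]]:
        """Validate a presented ID. Returns (session, id_to_send_back) or (None, None)."""
        if not sid:
            return None, None
        session = self._sessions.get(sid)
        if session is None:
            return None, None  # unknown or already-rotated ID
        if session.client_ip is not None and client_ip != session.client_ip:
            # Optional IP binding: rejects a replay from another address, but as the
            # answer notes it also rejects a legitimate user whose address changed.
            return None, None
        if self._clock() - session.last_rotated >= ROTATE_AFTER_SECONDS:
            sid = self.rotate(sid)
        return session, sid


def session_cookie(sid: str) -> str:
    # Secure: only sent over HTTPS, so plain-HTTP subresources never carry it.
    # HttpOnly and SameSite are assumed additions beyond the answer: they keep the
    # cookie away from page scripts and from cross-site requests.
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie(sid))
    print(store.resolve(sid))           # (Session(...), same id)
    print(store.resolve("guessed-id"))  # (None, None)
```

When `resolve` returns an ID that differs from the one presented, the handler must send it back in a fresh `Set-Cookie` header; the old ID is already gone from the store, which is what limits the window an intercepted ID stays useful for.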