Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Sessions brute forcing

How feasible is it to brute force sessions?

I'm currently using CodeIgniter database sessions, which does not utilize native PHP sessions - session cookie encryption and user agent matching is turned on.

Say I set the session expiration to 4 months, would somebody be able to brute force their way through session ids? Not just to take over sessions but also mass deleting things off accounts, cause general mayhem, etc (CI's CSRF protection is turned on)

I'd like to give most users a long lasting session id where anonymous users are given most of the functionality of a registered user, like favorite things - similar to StackOverflow.

like image 209
R72 Avatar asked Aug 15 '11 20:08

R72


People also ask

Can session id be brute forced?

A shorter session identifier leaves the application open to brute-force session guessing attacks. If an attacker can guess an authenticated user's session identifier, they can take over the user's session.

What is a session hijacking attack?

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

What is meant by brute forcing?

Definition of brute-force : relying on or achieved through the application of force, effort, or power in usually large amounts instead of more efficient, carefully planned, or precisely directed methods …

Do hackers still use brute force?

While some attackers still perform brute force attacks manually, today almost all brute force attacks today are performed by bots. Attackers have lists of commonly used credentials, or real user credentials, obtained via security breaches or the dark web.

What are the methods of session hijacking?

There are three primary techniques for hijacking sessions: Brute Force – the attacker tries multiple IDs until successful. Calculate – in many cases, IDs are generated in a non-random manner and can be calculated. Steal – using different types of techniques, the attacker can acquire the Session ID.


1 Answers

Codeigniter Sessions DO NOT utilize naitive php sessions (whether database or otherwise), as such you can turn on session encryption using the encryption key provided in your config.php file which will help with your security concerns...

like image 133
jondavidjohn Avatar answered Oct 23 '22 12:10

jondavidjohn