How feasible is it to brute force sessions?
I'm currently using CodeIgniter database sessions, which do not utilize native PHP sessions - session cookie encryption and user agent matching are turned on.
Say I set the session expiration to 4 months, would somebody be able to brute force their way through session ids? Not just to take over sessions but also to mass delete things off accounts, cause general mayhem, etc. (CI's CSRF protection is turned on)
I'd like to give most users a long lasting session id where anonymous users are given most of the functionality of a registered user, like favorite things - similar to StackOverflow.
A shorter session identifier leaves the application open to brute-force session guessing attacks. If an attacker can guess an authenticated user's session identifier, they can take over the user's session.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
Definition of brute-force : relying on or achieved through the application of force, effort, or power in usually large amounts instead of more efficient, carefully planned, or precisely directed methods …
While some attackers still perform brute force attacks manually, today almost all brute force attacks are performed by bots. Attackers have lists of commonly used credentials, or real user credentials, obtained via security breaches or the dark web.
There are three primary techniques for hijacking sessions: Brute Force – the attacker tries multiple IDs until successful. Calculate – in many cases, IDs are generated in a non-random manner and can be calculated. Steal – using different types of techniques, the attacker can acquire the Session ID.
CodeIgniter sessions DO NOT utilize native PHP sessions (whether database or otherwise), so you can turn on session encryption using the encryption key provided in your config.php file, which will help with your security concerns.
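To put numbers on the question of whether a 4-month expiry makes session-id guessing feasible, here is an added worked example (not code from the question, the answers, or CodeIgniter itself). It estimates the chance that an online guessing campaign hits any valid session within a window, for an assumed id entropy, number of live sessions and guess rate, and then runs a simple defender-side check over constructed log lines that flags sources presenting many unknown session cookies. The 128-bit and 32-bit id sizes, the one million live sessions and the 10,000 guesses per second are assumptions chosen for illustration, not values taken from the page.

```python
import math
from collections import Counter

SECONDS_PER_MONTH = 30 * 24 * 3600  # assumption: 30-day month


def expected_guesses_per_hit(id_bits: int, valid_sessions: int) -> float:
    """Expected number of uniformly random guesses before one lands on any
    currently valid session id. Longer expiry raises valid_sessions, which
    lowers this figure, but only linearly, while each extra bit doubles it."""
    return (2 ** id_bits) / valid_sessions


def hit_probability(id_bits: int, valid_sessions: int,
                    guesses_per_second: float, window_seconds: float) -> float:
    """Probability that at least one guess in the window hits a valid id.
    Uses 1 - (1 - p)^n in log space so very small p does not underflow."""
    total_guesses = guesses_per_second * window_seconds
    p_single = valid_sessions / (2 ** id_bits)
    return -math.expm1(total_guesses * math.log1p(-p_single))


# Constructed sample of session-lookup log lines: source ip, cookie id, result.
SAMPLE_LOG = """\
203.0.113.10 a1f3 valid
203.0.113.10 a1f3 valid
198.51.100.7 0000 unknown
198.51.100.7 0001 unknown
198.51.100.7 0002 unknown
198.51.100.7 0003 unknown
198.51.100.7 0004 unknown
203.0.113.22 9c2e unknown
203.0.113.22 9c2f valid
"""


def suspicious_sources(log_text: str, threshold: int = 5) -> dict:
    """Count lookups of unknown session ids per source and return those at or
    above the threshold. A legitimate client presents the same (possibly
    expired) cookie a few times; a guesser presents many distinct unknown ones."""
    unknown_per_ip = Counter()
    distinct_ids = {}
    for line in log_text.splitlines():
        ip, sid, result = line.split()
        if result == "unknown":
            unknown_per_ip[ip] += 1
            distinct_ids.setdefault(ip, set()).add(sid)
    return {ip: n for ip, n in unknown_per_ip.items()
            if n >= threshold and len(distinct_ids[ip]) >= threshold}


if __name__ == "__main__":
    window = 4 * SECONDS_PER_MONTH
    for bits in (32, 64, 128):
        p = hit_probability(bits, 10 ** 6, 1e4, window)
        print(f"{bits:>3}-bit ids, 1e6 live sessions, 1e4 guesses/s, 4 months: "
              f"P(hit) = {p:.3g}, expected guesses per hit = "
              f"{expected_guesses_per_hit(bits, 10 ** 6):.3g}")
    print("flagged sources:", suspicious_sources(SAMPLE_LOG))
```

The point the numbers make is that the expiry window matters far less than the id length: doubling the number of live sessions or the window only doubles the attacker's odds, while each additional bit of unpredictable id halves them, so an id with enough random bits stays safe even when kept for months. Rate limiting and alerting on sources that present many distinct unknown session cookies address the online guessing case regardless of id size.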