Closed saeedvz closed 8 years ago
I injected the generated session into another browser's cookie and booooooooooooom, I logged in...!!!!!!
@saeedvaziry This is the standard behavior. You can perform periodic session ID regeneration, but this may cause unexpected behavior on concurrent requests, so the best idea would be using HTTPS to prevent man-in-the-middle attacks, which may increase the probability of session hijacking.
is there any way to prevent this?
@reshadman already gave you a way: "So the best idea would be using HTTPS to prevent man in the middle attacks"
> So the best idea would be using HTTPS to prevent man-in-the-middle attacks, which may increase the probability of session hijacking.
+1 this and avoid XSS issues in your website.
You could also check in a middleware to ensure the user agent is still the same but it is not bulletproof and I would not recommend doing that either as it can have side effects.
@crynobone @reshadman HTTPS is not 100% secure...! If you have a powerful server, you can decrypt it...!
Nothing is 100% secure...
@kamui545 sure...
There is no reliable way of doing this; IP and user agent can be forged. The best you can do is in your own application: ask for re-entering the password after a certain time has passed since the last activity, regenerate the session after significant actions (change password, update details, etc.) and invalidate the previous one.
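The two measures described in that comment (forced re-login after inactivity, and a fresh session ID with the old one discarded around sensitive actions) as one Laravel middleware. This is an added example, not code from the thread or from Laravel itself; the class name, the 15-minute idle limit and the route names `login`, `password.update` and `profile.update` are assumptions.

```php
<?php
// Added example: idle-timeout plus session regeneration middleware for Laravel.
// Assumes a Laravel 5.x-style middleware; idle limit and route names are assumptions.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class SessionHygiene
{
    // Idle limit in seconds (assumption: 15 minutes of no requests).
    const IDLE_LIMIT = 900;

    public function handle(Request $request, Closure $next)
    {
        $session = $request->session();
        $now = time();
        $last = $session->get('last_activity', $now);

        // 1. Re-authenticate after inactivity: log out and invalidate the whole
        //    session so the old ID is no longer valid server-side, then send the
        //    user back to the login page.
        if (Auth::check() && ($now - $last) > self::IDLE_LIMIT) {
            Auth::logout();
            $session->invalidate();       // flushes data and regenerates the ID
            $session->regenerateToken();  // fresh CSRF token as well
            return redirect()->route('login')
                ->with('status', 'Session expired, please sign in again.');
        }
        $session->put('last_activity', $now);

        // 2. Sensitive actions get a fresh session ID and the previous session
        //    record is destroyed, so a previously copied cookie stops working.
        if ($request->isMethod('post')
            && $request->routeIs('password.update', 'profile.update')) {
            $session->migrate(true);      // true = delete the old session record
        }

        return $next($request);
    }
}
```

Register it in the `web` middleware group so every session-backed request passes through it.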
```php
function setStrictCookie($name, $value = '', $maxage = 0, $path = '', $domain = '', $secure = false, $HTTPOnly = false, $strictMode = null)
{
    $ob = ini_get('output_buffering');
    // Abort the method if headers have already been sent, except when output buffering has been enabled
    // (parenthesised so the "buffering off" test only applies once headers were already sent)
    if ( headers_sent() && ( (bool) $ob === false || strtolower($ob) == 'off' ) ) {
        return false;
    }
    if ( !empty($domain) )
    {
        // Fix the domain to accept domains with and without 'www.'.
        if ( strtolower( substr($domain, 0, 4) ) == 'www.' ) {
            $domain = substr($domain, 4);
        }
        // Add the dot prefix to ensure compatibility with subdomains
        if ( substr($domain, 0, 1) != '.' ) {
            $domain = '.'.$domain;
        }
        // Remove port information.
        $port = strpos($domain, ':');
        if ( $port !== false ) {
            $domain = substr($domain, 0, $port);
        }
    }
    // Prevent "headers already sent" error with utf8 support (BOM)
    //if ( utf8_support ) header('Content-Type: text/html; charset=utf-8');
    // Second argument false: do not replace other Set-Cookie headers already queued for this response
    header('Set-Cookie: '.rawurlencode($name).'='.rawurlencode($value)
        .(empty($domain) ? '' : '; Domain='.$domain)
        .(empty($maxage) ? '' : '; Max-Age='.$maxage) // Max-Age is a lifetime in seconds, not a timestamp
        .(empty($path) ? '' : '; Path='.$path)
        .(!$secure ? '' : '; Secure')
        .(!$HTTPOnly ? '' : '; HttpOnly')
        .(is_null($strictMode) ? '' : '; SameSite='.$strictMode)
        , false);
    return true;
}
```
and then set the session cookie with
```php
use Symfony\Component\HttpFoundation\Cookie;
use Illuminate\Support\Facades\Session;

$cookie = new Cookie(
    session()->getName(),
    session()->getId(),
    time() + (7 * 24 * 60 * 60), // 7 days (absolute expiry timestamp)
    '/',
    $domain, // your domain
    false // http secure
);
setStrictCookie(
    $cookie->getName(), // get the name
    $cookie->getValue(), // get the value
    max(0, $cookie->getExpiresTime() - time()), // Max-Age wants the remaining seconds, not the absolute expiry time
    $cookie->getPath(), // the cookie path
    $cookie->getDomain(), // the cookie domain
    true, // only serve cookie when on https (recommended; get a free https certificate at https://letsencrypt.org/)
    true, // http only flag to protect against session hijacking via xss
    'lax' // SameSite=Lax: sent on top-level navigations to the site, not on cross-site subrequests or POSTs
);
Session::start();
```
How you implement it in your setup is up to you, but this is a nice robust way to safeguard your session cookie.
HTTPS is not vulnerable to this, provided you set the correct header security.
To prevent session hijacking I use HTTPS;
You also need to set the cookie to be "secure" and "http-only".
Yes, I know that; but when I logout, this old cookie session, can be used to login...
That's not a security problem though, actually, since nobody can access that.
NB If you're using a session driver such as redis, they will actually be garbage collected for you, after they expire.
Hi. Why doesn't Laravel prevent session hijacking....?!!!!!!!!!!!!!!!!!!!!!!!!!!!!