What is session hijacking?

Question

I have a question about using a php user class and session variables. Let's say that I have managed to create a user class that finds a particular person from the database query.

As I move about the site from page to page it would be nice to be able to use the current user inside the user class without needing to re – look them up in the database multiple times

Q: so is there a way to combine the current active user in the class with session variables so that they can be used multiple times? If so, how would this work?

Answer 1

Session hijacking well known by TCP session hijacking, a security attack on a user session over a protected network.

The most common method of session hijacking is called IP spoofing, when an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network and disguising itself as one of the authenticated users.
This type of attack is possible because authentication typically is only done at the start of a TCP session.

Another type of session hijacking is known as a man-in-the-middle attack, where the attacker, using a sniffer, can observe the communication strong text between devices and collect the data that is transmitted.

Answer 2

As this query is tagged as PHP so assuming that you are talking about PHP session hijacking.

Session hijacking is a term that is used to describe a method for obtaining a user's PHPSESSID. When a user logs into a PHP application, the browser will store a hash string value like'525cc0036c99f013bd17b7b91233fae4'. The same hash string matches the stored session on the server. There are several ways the user can get your sessions; such as sniffing it out on a shared network with software like 'Wireshark'. Another method is to just get the id from a public computer and manually recreate it in another browser. The whole idea here is that if the browser PHPSESSID and the server session id will match, any user can make the website believe that you are authenticated.

As a programmer, there are several safeguards you could use to your scripts to ensure that the PHPSESSID in your browser is not so usable elswhere. You can set a session variable as your ipaddress with $_SERVER[‘REMOTE_ADDR’]. For example, $_SESSION[ip_address'] = $_SERVER[‘REMOTE_ADDR’]. Now, you can run the following code to make sure the session IP is the same as the computer ip address. (though text is copied but we follow the exact model at QueryHome)

if($_SERVER[‘REMOTE_ADDR’] != $_SESSION[ip_address'] ){
die();
}

Credit: http://lampload.com/PHP-Session-Hijacking.html

Answer 3

Session hijacking is the misuse of a valid computer session. It is used to attain unauthorized and illegal access to a system. This access is attained using the “brute force” attack where in someone tries multiple id’s to login in a system while the session is in progress. The most common method of session hijacking is IP spoofing where an attacker uses source-routed IP packets to insert commands into an active communication between two systems on a network and pretending itself as one of the authenticated users.