
session hijacking


skaterdav85


Can a user's session be hijacked if another user on the same site changes his or her session id stored in a cookie to a session ID that already exists? I'm sure the probability of a person guessing this session id is low, but it seems possible especially if a site has a lot of traffic and some malicious person uses an automated program to test various sequences to determine an existing session id.


Yes. However, the session ID by default is a 128-bit MD5 hash[1], which provides 2^128, or around 10^38, different possibilities. This way, even if a new session ID was generated every microsecond, you would not expect a random collision until way, way after the end of the universe. Of course, MD5 is a very old algorithm and there are many ways of improving the chances of a collision (also, the source PHP uses for the pre-hashed string is not technically cryptographically random) but especially without the hacker knowing the circumstances of the hash generation it would be very hard for them to do so. Any concentrated attempt would probably DoS your site far before they could get a collision.

Anyway, if that doesn't sound secure enough, you can generate your own session IDs using more random sources (e.g. /dev/random, or some hardware random number generator), or just change the algorithm to SHA1 in php.ini for a slight boost.
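The numbers in this thread, worked through as an added example (not code from either poster): it estimates how likely blind guessing is to land on any live session, generalised to other ID lengths so a site operator can see when heavy traffic starts to matter, and draws an ID from the OS CSPRNG. The function names and the traffic figures are assumptions, and the model assumes IDs with full, uniform entropy, so real figures can only be worse.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def _per_guess(id_bits, active_sessions):
    # Chance that one uniformly random guess equals some live session ID.
    if not 0 < active_sessions < 2 ** id_bits:
        raise ValueError("active_sessions must be between 1 and 2**id_bits - 1")
    return active_sessions / 2 ** id_bits

def hit_probability(id_bits, active_sessions, guesses):
    """Probability that at least one of `guesses` random IDs is a live one."""
    p = _per_guess(id_bits, active_sessions)
    # 1 - (1 - p)**n via log1p/expm1, so a tiny p does not round to zero.
    return -math.expm1(guesses * math.log1p(-p))

def guesses_for(id_bits, active_sessions, target=0.5):
    """Guesses needed before the success probability reaches `target`."""
    p = _per_guess(id_bits, active_sessions)
    return math.ceil(math.log1p(-target) / math.log1p(-p))

def years_to_reach(id_bits, active_sessions, guesses_per_second, target=0.5):
    """Wall-clock years of guessing at a fixed request rate."""
    needed = guesses_for(id_bits, active_sessions, target)
    return needed / guesses_per_second / SECONDS_PER_YEAR

def new_session_id(id_bits=128):
    """Hex session ID taken directly from the operating system CSPRNG."""
    return secrets.token_hex(id_bits // 8)

if __name__ == "__main__":
    sessions = 10 ** 6   # constructed figure: one million live sessions
    rate = 10 ** 6       # one guess per microsecond, as in the reply above
    for bits in (32, 64, 128):
        print(bits, "bits:",
              guesses_for(bits, sessions), "guesses for a 50% chance,",
              "%.3g years at that rate" % years_to_reach(bits, sessions, rate))
    print("example ID:", new_session_id())
```

Failed lookups of well-formed but unknown session IDs from one client are the signal to rate-limit on, long before any of these guess counts are reached.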


Archived

This topic is now archived and is closed to further replies.
