SessionGuard

Summary: Hamper session theft (session hijacking) and session fixation attacks.
Version: 2.2
Prerequisites: AuthUser
Status: Working
Maintainer: GNUZoo & Sven
Categories: Security
Discussion: SessionGuard-Talk?

Questions answered by this recipe

Can I make my wiki more secure?

Description

Session theft is one method of impersonation. More details are explained in session security advice.

This recipe makes both attacks a bit harder by verifying some HTTP metadata in addition to the session key: it restricts the session's validity to its original IP (subnet) and the same browser name. An attacker would have to fake both in order to steal a session. This recipe is good to use if you have a per-person login (for example with AuthUser) or use a password to change your wiki.
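
The check described above, sketched as an added example (this is not the code in SessionGuard.php). The /24 and /64 subnet sizes, the 'guard_fp' session key, the function names and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration; not the contents of SessionGuard.php.
// Assumptions: /24 (IPv4) and /64 (IPv6) subnets, the 'guard_fp' session key.

// Reduce a client address to its subnet, so a client that moves to another
// address inside the same network keeps its session.
function guard_subnet(string $ip): string {
    $bin = @inet_pton($ip);
    if ($bin === false) return 'invalid';
    $keep = (strlen($bin) === 4) ? 3 : 8;   // bytes kept: 3 = /24, 8 = /64
    return bin2hex(substr($bin, 0, $keep));
}

// Combine the subnet and the browser name (User-Agent header) into one value.
function guard_fingerprint(array $server): string {
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', guard_subnet($server['REMOTE_ADDR'] ?? '') . "\n" . $ua);
}

// First request: remember the fingerprint. Later requests: accept the session
// only if subnet and browser name are unchanged.
function guard_check(array &$session, array $server): bool {
    $fp = guard_fingerprint($server);
    if (!isset($session['guard_fp'])) {
        $session['guard_fp'] = $fp;
        return true;
    }
    return hash_equals($session['guard_fp'], $fp);
}

// Constructed requests (documentation address ranges, made-up browser names).
$requests = [
    'login'             => ['192.0.2.10',   'ExampleBrowser/1.0'],
    'same subnet'       => ['192.0.2.77',   'ExampleBrowser/1.0'],
    'different subnet'  => ['198.51.100.5', 'ExampleBrowser/1.0'],
    'different browser' => ['192.0.2.10',   'OtherBrowser/2.0'],
];
$session = [];   // stands in for $_SESSION
foreach ($requests as $label => [$ip, $ua]) {
    $ok = guard_check($session, ['REMOTE_ADDR' => $ip, 'HTTP_USER_AGENT' => $ua]);
    printf("%-18s %s\n", $label, $ok ? 'session accepted' : 'session rejected');
}
```

A rejected check is the point at which a wiki would drop the session and show the Site.InvalidLoginInformation page from Step 1 (an assumption about how the result is used). Clients behind the same NAT or proxy share a subnet, so this check supplements the secrecy of the session key and does not replace it.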

Installation

There are 2 steps to installing SessionGuard.

Step 1

Create a page called "Site.InvalidLoginInformation". You can customize this page any way you want.
Someone might put:
(:notitle:)
!!Your login information seems to be invalid.

Technical details: Your session ID seems to belong to another user.

Return to [[Main/HomePage|Home]].
In mine I put:
(:redirect Main.HomePage:)

Step 2

Copy SessionGuard.php to your cookbook directory.
If you are using AuthUser, place this before it in your config.php:
require("cookbook/SessionGuard.php");
or in your farmconfig.php enter:
require("$FarmD/cookbook/SessionGuard.php");

Notes

Use "require" and not "include" - "For security stuff, always require."

Release Notes

This program is free software. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation http://www.fsf.org either version 2 of the License, or (at your option) any later version.

Copyright 2007 by GNUZoo email: guru [snail] gnuzoo [period] org

Please donate to the author at url: http://gnuzoo.org/GNUZooPayPal

  • Version 2.2 - Change pagename reference Site.SuspicionOfSessionTheft to Site.InvalidLoginInformation
  • Version 2.1 - added "if (!defined('PmWiki')) exit();"
  • Version 2.0 - renamed - old LoginGuard obsolete
  • Version 1.0 - Initial Release

Contributors

GNUZoo created and maintains recipe

Sven created initial code

Comments

See Discussion at SessionGuard-Talk?
