Kevin B
Posted in Technical Support 3 years ago
I'm looking at sessions and security and have some concerns about OSSN.
I was able to copy the PHPSESSID value from one browser (Chrome), paste it into a different browser (Edge) and was instantly logged in on Edge under the same credentials that i'd logged in with on Chrome.
This is known as Session Hijacking and is one of the most common security risks detailed on the owasp.org website.
I then "logged off" on Chrome, refreshed Edge, and was logged out. This is promising.
Logging back in on Chrome, allowed me to hit Refresh on Edge, and the site came alive again.
So next I logged out of Chrome, cleared the cookies and logged in again. This time Chrome received a new PHPSESSID.
I hit "refresh" expecting Edge to no longer be logged in - but it remained logged in under the OLD PHPSESSID.
This now seems to be a valid PHPSESSID and will remain so until I log out of OSSN on Edge, regardless what I do in Chrome.
Advice from OWASP.ORG on broken authentication:
> Use a server-side, secure, built-in session manager that generates a
> new random session ID with high entropy after login. Session IDs
> should not be in the URL, be securely stored and invalidated after
> logout, idle, and absolute timeouts
It also seems vulnerable to Credential Stuffing (i just tried the wrong password 23 times on an account and could still continue), weak passwords, no MFA, brute force attacks and more.
This isn't a criticism, it's hopefully to raise some awareness over some of the security risks and hopefully somebody smarter than me can implement some risk mitigation. :D
Arsalan Shah
Replied 3 years ago
You are welcome Kevin, I am also discussing it with you what is in my mind :) As per my knowledge on session_destroy() php deletes session file itself. Or if some time has been passed it will delete itself example 25 mins of inactive (this is default behavior of php)
Kevin B
Replied 3 years ago
Apologies I didn't realise, thought Soft24 were just for the Premium users.
Ok, the password attempts and brute force thing can be solved with a component - so if I ever get brave enough and knowledgable enough I might have a stab at that if nobody beats me to it.
I think with the session ID thing, a simple fix (though not foolproof) is if OSSN deleted that session file on the server when somebody logs out.
That way it couldn't be used anywhere else.
I'm just playing devil's advocate here, but securing an app doesn't stop at assuming people are in a safe environment. There are all sorts of ways of attackers getting access to your session files, which could be from emails, rogue websites, malware etc.
Somebody could log on to a public computer anywhere in the world (clubs, libraries, schools ) and forget to logout - thinking just closing the browser is enough. The next person opening the browser on the public machine would be able to log straight back in to the site if they are within the expiry window. Admitedly thats pretty stupid, but if you bear in mind that the majority of people actually using the sites are non-techies, its more about doing what we can to protect the end users.
I didnt copy any headers or files... I simply placed the session ID number into the value of the cookie.
You could update the timestamp somewhere every time a validated request is performed, so if a timestamp comes in thats older - that can be rejected too.
Again, I actually really like OSSN and think its a brilliant system. I'm just trying to help improve it, or at least offer suggestions.
And HTTPS goes without saying - you'd have to be stupid to run something like this without it! :D
Arsalan Shah
Replied 3 years ago
All security stuff should be discussed on our contact page. Ok since it is not critical so I am leaving it here for discussion.
Failure attempts block can still be created using component. ....
This session stuff, if you generate your own session id and place it in as PHPSESSID it still useless , you can still copy that ID and place in other browser with same version, name , headers it will still make you loggedin. The other case if someone steals is is if someone takes your session that means your computer is hacked :) You should use HTTPS.
Your answer can be found here: https://stackoverflow.com/questions/4017344/is-https-the-only-defense-against-session-hijacking-in-an-open-network
Due to the many requests in the past for additonal features and components we have decided to develope a premium version. Features like Hashtags, Videos, Polls, Events, Stories, Link Preview, etc included in it.
$199 (Life Time)
