Re: [Ayuda] Manejo de sesiones en PHP

To: MiG <mig29fulcrum en tutopia com>
Subject: Re: [Ayuda] Manejo de sesiones en PHP
From: Sandino Araico Sánchez <sandino en sandino net>
Date: Tue, 25 Jun 2002 12:04:39 -0500
Cc: ayuda en linux org mx
List-archive: <https://pegaso.fisica.unam.mx/pipermail/ayuda/>
List-help: <mailto:ayuda-request@linux.org.mx?subject=help>
List-id: GNU/Linux help list <ayuda.linux.org.mx>
List-post: <mailto:ayuda@linux.org.mx>
List-subscribe: <https://pegaso.fisica.unam.mx/mailman/listinfo/ayuda>, <mailto:ayuda-request@linux.org.mx?subject=subscribe>
List-unsubscribe: <https://pegaso.fisica.unam.mx/mailman/listinfo/ayuda>, <mailto:ayuda-request@linux.org.mx?subject=unsubscribe>
References: <20020622235629.A576@mig>
Sender: ayuda-admin en linux org mx

Esto me lo encontré en webappsec en securityfocus com, viene mejor explicado
cómo hacer buenas variables de sesión y cómo usar transacciones....

Subject:
         RE: Alternatives to session IDs as authenticators?
    Date:
         Wed, 24 Apr 2002 13:20:29 -1000
   From:
         "Jason Coombs" <jasonc en science org>
      To:
         "Eric Thomas" <eric en psteering com>, <webappsec en securityfocus com>

Aloha, Eric.

Session identifiers are not authentication if they are generated
according to a predictable algorithm. Consider, however, what a
user ID and password pair look like in bits. Most session IDs
have more bits than a user ID and password do. Therefore they
are more "secure" than a user ID and password, in terms of a
malicious third party attacker being able to guess or randomize
valid bits. SSL-security combined with random session identifiers
of variable length represent very good security.

One technique commonly employed to make session identifiers more
secure is to generate the random number and hash it with a secret
key and a keyed hash algorithm then attach the hash code to the
random number and call the combined bit sequence the session ID.
This way the server can validate the session ID and it is not
practical for attackers to randomize both the random number and
the keyed hash code.

Microsoft ASP.NET uses this technique in its Forms Authentication
mechanism, and .NET Passport use a similar technique. The user
sends credentials to authenticate once with the server, and from
that point forward the client sends only the authentication ticket
assigned to it following authentication of the credentials. The
ticket is not a simple random number, it includes a keyed hash
that only the server can verify because only it knows the secret
key used when applying the keyed hash algorithm -- only the server
can rehash the random number provided in the ticket to confirm
the authenticity of the hash provided in the ticket.

When SSL is not used, there are known problems with proxy cache
where multiple clients receive the same session IDs by way of
either cookies or URL-encoding, and man in the middle attacks
succeed in compromising session IDs because they are sent as
plaintext to and from the server. HTTP authentication must be
used, either basic or digest, with unencrypted HTTP sessions
because there is no way for the server to generate a session
ID and deliver it securely to the client such that it can be
relied upon as a shared secret -- the client must supply valid
credentials with every HTTP request, and those credentials are
used as the shared secret. Anything the server sends back to
the client without encryption is no longer a shared secret.

As for replay attacks when SSL is not used, the only defense
against such attacks is session ID expiration. As long as the
server believes the session identifier or authentication
ticket to be valid, the replay attack succeeds. You can SSL
secure the authentication event where credentials are sent
by the client to the server, but if you intend to allow the
client to browse without SSL, the authentication ticket will
have to be sent in the clear with each request and replay
attacks become possible. Cookies are marked as either SSL
secured or not, and those that are don't get sent in client
requests that aren't, so dropping a cookie after an SSL
secured authentication event that is marked secure isn't
enough, you must also direct the client to an http URL
where another cookie gets dropped.

NET Passport implements such a dual-cookie system for sites
that require SSL-secured credential transport but that need
to allow browsing with the authentication ticket to http
URLs as well. Both .NET Passport and ASP.NET Forms
Authentication expire authentication tickets and replace
them periodically. The user automatically receives the new
ticket and stops sending the old one.

Aloha & Mahalo,

Jason Coombs
jasonc en science org

MiG wrote:

> Hola a todos ¡
>
> Quisiera pedirles su opinion respecto a las sesiones en php, ¿Que tan
> seguras son?, he leido en algunas partes que no son tan seguras y son
> muy explotables. Y si alguien tiene una liga por ahi de como funcionan
> (no como usarlas, sino como trabajan) se lo agradeceria mucho.
>
> Seguimos por aki ...
>
> _______________________________________________
> Ayuda mailing list
> Ayuda en linux org mx
> Para salir de la lista: http://mail.linux.org.mx/mailman/listinfo/ayuda/

--
Sandino Araico Sánchez
- Piensa en grande
- Comienza en pequeño
- Escala rápido

_______________________________________________
Ayuda mailing list
Ayuda en linux org mx
Para salir de la lista: http://mail.linux.org.mx/mailman/listinfo/ayuda/

Mensaje(s) a continuación:
- Re: [Ayuda] Manejo de sesiones en PHP
  - De: MiG

Referencias:
- [Ayuda] Manejo de sesiones en PHP
  - De: MiG

Previo por Fecha: Re: [Ayuda] hotmail
Siguiente por Fecha: Re: [Ayuda] Cable modem con cablevision
Previo por Hilo: Re: [Ayuda] Manejo de sesiones en PHP
Siguiente por Hilo: Re: [Ayuda] Manejo de sesiones en PHP

[Hilos de Discusión] [Fecha] [Tema] [Autor]