PHP | Techbirds
Posted on: September 16, 2014 /
Categories: General
It is possible for a user to initiate multiple concurrent sessions using just one username/password combination. If multiple users are allowed to log in to the same account simultaneously, non-repudiation is lost. The existence of multiple sessions generated from the same set of user credentials often indicates that the credentials have been compromised. A malicious user with valid credentials could exploit this vulnerability to cause a denial of service condition. Using a script to repeatedly log into the system, the attacker could appropriate resources for each new session until no resources are available to legitimate users.
This side effect can be eliminated by terminating the previous session during the log in process.
In PHP, Following are the example steps to remove multiple session: 1. Save session id in the Database when an user logged in. 2. Check the session id each time when a request to server is sent.
3. If session id doesn’t match then destroy the current session.
116 total views, no views today
Tags: PHP, Security, Session Management, Web Development
Posted on: September 16, 2014 /
Categories: General
Information Leakage Through Error Messages The application reveals information about how data validation is being performed, required data formats, or other information an attacker can use to construct malicious payloads to insert into requests.
To Ensure it, Replace all error messages with error codes if possible. If error messages must be displayed in order to enable a user to correct a problem, the messages should only contain the absolute minimum information necessary for the user to identify and correct the problem.
An example from the Microsoft site – We’re sorry, but there is no Web page that matches your entry. It is possible you typed the address incorrectly, or the page may no longer exist.
To achieve this we can add error document for each type of error (e.g. 500 – Internal Server Error, 403 – Forbidden Error and so on).
96 total views, 1 views today
Tags: htaccess, PHP, Security, Web Development