How to prevent session hijacking with SID (CGI perl)

Posted by Gnippots on Stack Overflow
Published on 2012-10-02T01:43:15Z Indexed on 2012/10/02 3:37 UTC


I have a web app used by a small number of people (internal only) and am using a randomised sessionID that is stored under the user record and placed in various links.

I have had a problem where users are sending links to each other which is allowing them to hijack the sender's session.

What are some ways of preventing this from happening while still letting users send links to one another?

Edit: The session ID in the link (which also contains $username) is just compared to what is stored in the User table. &incorrectLogin just prints an error followed by die;

# Look up the session ID stored on the user record named in the link. Bind
# $username with a placeholder instead of interpolating it into the SQL string.
$sth = $dbh->prepare("SELECT usr_sessionID FROM tbl_User WHERE UserID = ?");
$sth->execute($username);
$ref = $sth->fetchrow_hashref();
$session_chk = $ref ? $ref->{'usr_sessionID'} : undef;
# Fail closed: a missing $sid is rejected the same way as a mismatching one.
unless (defined $sid && defined $session_chk && $sid eq $session_chk) {
  incorrectLogin();
}

The problem is that if someone uses a link that is created by someone else, the page will load as them. I am not using cookies, and I recall being told in the past that CGI perl cookie handling is quite poor.
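The following is an added example, not code from the question or from its author. It shows the usual way out of the problem described above: the session token moves out of the URL and into an HttpOnly cookie, and the server identifies the caller from the cookie alone. A link then carries only a reference to the page (a report number, a user name, whatever), so forwarding it to a colleague lets them open the page as themselves, never as the sender. Assumptions: CGI::Cookie is installed (it ships with CGI.pm from CPAN, which is no longer in Perl core), /dev/urandom exists on the server, an in-memory hash stands in for the database table and for the DBI queries the real app would run, and the `-samesite` option needs a recent CGI.pm (it can be dropped on older installs).

```perl
#!/usr/bin/env perl
# Added example, not the asker's code: keep the session token in an HttpOnly
# cookie instead of the URL, so a forwarded link carries no credential.
use strict;
use warnings;
use CGI::Cookie;                 # part of CGI.pm (CPAN; not core since Perl 5.22)
use Digest::SHA qw(sha256_hex);  # core module

# Stand-in for a session table: SHA-256(token) => username. Constructed for
# the demo; the real app would run a DBI query with a placeholder here.
my %session_by_hash;

# 128 random bits from /dev/urandom (assumed to exist on the server).
sub new_session_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Login: store only the hash server-side, so a copy of the table does not
# yield live sessions, and hand the raw token to the browser in a cookie that
# page scripts cannot read and that never appears in a link.
sub login {
    my ($username) = @_;
    my $token = new_session_token();
    $session_by_hash{ sha256_hex($token) } = $username;
    my $cookie = CGI::Cookie->new(
        -name     => 'sid',
        -value    => $token,
        -path     => '/',
        -secure   => 1,        # sent over HTTPS only
        -httponly => 1,        # invisible to document.cookie
        -samesite => 'Lax',    # requires a recent CGI.pm; omit on older installs
    );
    return ($token, $cookie);
}

# Per-request check: who is calling is decided by the cookie alone. The URL
# may name a report or a user, but it no longer decides who is logged in.
# Comparing hashes also means an ordinary lookup is fine here: an attacker
# cannot tune a token byte by byte against the hash.
sub current_user {
    my ($cookie_token) = @_;
    return undef unless defined $cookie_token;
    return $session_by_hash{ sha256_hex($cookie_token) };
}

# Walk-through with constructed data: alice logs in and forwards a link,
# bob opens it with his own cookie, a third request has no cookie at all.
my ($alice_token, $alice_cookie) = login('alice');
my ($bob_token,   $bob_cookie)   = login('bob');
my $shared_link = '/report.cgi?report=42';   # safe to forward: no token in it

print "Set-Cookie: $alice_cookie\n";
printf "alice opens %s -> %s\n", $shared_link, current_user($alice_token) // 'denied';
printf "bob opens the same link -> %s\n",       current_user($bob_token)   // 'denied';
printf "request without a cookie -> %s\n",      current_user(undef)        // 'denied';
```

Run it from the command line and the last three lines read `alice`, `bob` and `denied`: bob following alice's link is simply bob, and a request with no cookie is refused rather than waved through. Mapped onto the question's existing schema, the `usr_sessionID` column would hold the SHA-256 of the token and the per-request query would select by that hash, with the username taken from the matching row instead of from the link.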

© Stack Overflow or respective owner
