Is HTTPS the only defense against Session Hijacking in an open network?

Question

So with Firesheep, everyone in a public Wi-Fi now has a one-click session hijack tool.

The way it works - to my understanding - is that it simply captures all traffi

Answer 1

I do beleive SSL is cheap and a complete solution. But till you dont have it or looking for some extra layers here is how to protect your SESSIOn data.

As always defence in dept is the way to go. 1st Use Sessions to store user login data 2nd If admin logged in also check for DB, might slows a little but as there is a small number of admins and rest are users this is a feasible security plus. 3rd PROTECT YOUR SESSION <= !

Session protection: Put session start into an object file where you call an "is_session_valid()" function on self construct. This function would check for (IP / TIME / Browser) for $_SERVER superglobal, and store them in session. Up on Next load see if values are the same if not just waste no more resources logout user and show index page.

This is not a complete solution as it might be same browser on same network e.g. Wifi with lot of users and session hijacked might also be recent (in time). But till no SSL is used this is FAR BETTER then nothing. Anyhow rarely happens that the victim and the hijacker use same everything....so this effectively mitigates chances of successfull attack even without any SSL!

Original idea by Kevin Skoglund if ineterested in securing your APP see his secure PHP tutorial. https://www.lynda.com/PHP-tutorials/Creating-Secure-PHP-Websites/133321-2.html

P.S. Several other defenses (CSRF least) needs to be used to have a somewhat secure AP

Bye :-)