My site is under a brute force attack in which the attackers are attempting to gain access to user accounts. The bots do not have a user agent. I have a system in place that blocks a person from signing in if they exceed 3 attempts per account in under 10 minutes.
I also made it check for a user agent, and if not, exit.
My question is: Are sessions only stored in browsers? What I’m thinking is that they are using a script executed via command line.
I’ve implemented this as well:
if(!isset($_COOKIE[ini_get('session.name')])) {
header("HTTP/1.0 404 Not Found");
exit;
}
Is there anything else I can do to prevent these attacks?
A session variable’s content is stored on the server, however, the session is identified by a session ID which is stored at the client and sent with each request. Usually the session ID is stored in a cookie, but it can also be appended to URL’s.
There’s quite an interesting read on session hijacking on Wiki and also one at PHP Security Consortium that should give you a better understanding as to what hijacking is about and how to prevent it.
There are a lot of methods to help prevent these attacks, I’ve pointed out three:
This creates a new session ID, different from the one that was created when they first visited the public/safe area, if there was a session started of course.