ashrafZolkopli
Posted on June 11, 2021
Preface
One of the common attack vectors for web apps is session hijacking. Session hijacking means that a hacker was able to obtain an authenticated user's session. This is usually due to a man-in-the-middle (MITM) attack, such as when the user is on a public Wi-Fi/LAN that has been compromised by the hacker.
Using an HTTPS connection encrypts all communication between browser and server, and setting HTTP Strict Transport Security (HSTS) makes sure that all communication after the first connection between the browser and server uses HTTPS only. The first communication is the exception, usually because the browser requests an HTTP site and then gets redirected to the HTTPS site. HSTS also specifies something called a Secure HSTS duration. This means that the HSTS policy expires x seconds after the first contact between the browser and the server that set it.
There is a small chance that your user logs in to your website, closes the window and does nothing with it for the duration of x seconds (the HSTS seconds lapse), then links to the internet through a (compromised) public Wi-Fi, goes to Google and connects to your website on an HTTP page, where the "hacker" is able to sniff your user's session cookie and later impersonate the user as an authorized user on our site.
Like I said, it is a small chance, but you never know: maybe it's that time of the year where all 8 planets in the solar system align just right, with the wind blowing from the far east at a speed of 100 km/h hitting a small butterfly with so much force that it causes a ripple effect that will basically bring down your entire website for a month and cause a massive 100 million lawsuit. Well, what I'm trying to say here is: it's better to be safe than sorry.
To further reduce this attack vector, I recommend using a Django package called django-restricted-sessions. It's not a be-all and end-all solution to our problem; however, in my opinion it's better to add such a package. It is so simple to implement and, you know what, you will thank yourself one day that you implemented it. If there is any minute chance that one day you have to stand in front of an Information Security committee and state that you had taken all the precautions possible to secure your web app, this might be one of those you need to win the case.
Anyway, django-restricted-sessions isn't bulletproof; even its documentation states that it is not perfect, but it does deter the wannabe hacker from getting in so easily...
I guess I've been talking so much about this package that we should just install and configure it...
Installing django-restricted-sessions
Just 2 commands in your terminal are all you need:
pipenv install django-restricted-sessions
pipenv lock -r > requirement.txt
Setting your middleware
Open the settings.py file and add a simple line:
'restrictedsessions.middleware.RestrictedSessionsMiddleware',
Make sure the middleware is located after both
'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
like so:
MIDDLEWARE_CLASSES = [  # this setting is named MIDDLEWARE on Django 1.10 and later
    # ...
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'restrictedsessions.middleware.RestrictedSessionsMiddleware',
    # ...
]
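One way to check the ordering described above, together with the HSTS setting the preface relies on, as an added example (not code from the original post or from django-restricted-sessions). It assumes the settings are passed as a plain dict; `audit_session_settings` is a hypothetical helper, and `SECURE_HSTS_SECONDS` and `SESSION_COOKIE_SECURE` are standard Django settings that the post does not name.

```python
# Added example: offline audit of a Django settings mapping (hypothetical helper).
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
AUTH_MW = "django.contrib.auth.middleware.AuthenticationMiddleware"
RESTRICTED_MW = "restrictedsessions.middleware.RestrictedSessionsMiddleware"


def audit_session_settings(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Django 1.10+ reads MIDDLEWARE; older releases read MIDDLEWARE_CLASSES.
    middleware = list(
        settings.get("MIDDLEWARE") or settings.get("MIDDLEWARE_CLASSES") or []
    )

    if RESTRICTED_MW not in middleware:
        findings.append("restricted-sessions middleware is not installed")
    else:
        pos = middleware.index(RESTRICTED_MW)
        for required in (SESSION_MW, AUTH_MW):
            if required not in middleware:
                findings.append(f"{required} is missing")
            elif middleware.index(required) > pos:
                findings.append(
                    f"restricted-sessions middleware is listed before {required}"
                )

    # HSTS: 0 or unset means Django sends no Strict-Transport-Security header.
    if int(settings.get("SECURE_HSTS_SECONDS", 0)) <= 0:
        findings.append("SECURE_HSTS_SECONDS is not set")
    # Without the Secure flag the session cookie is also sent over plain HTTP.
    if not settings.get("SESSION_COOKIE_SECURE", False):
        findings.append("SESSION_COOKIE_SECURE is not enabled")
    return findings


# Constructed sample settings: a misordered stack and a corrected one.
WEAK = {"MIDDLEWARE": [RESTRICTED_MW, SESSION_MW, AUTH_MW]}
HARDENED = {
    "MIDDLEWARE": [SESSION_MW, AUTH_MW, RESTRICTED_MW],
    "SECURE_HSTS_SECONDS": 31536000,  # constructed value: one year
    "SESSION_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_session_settings(cfg) or "ok")
```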
End
That's it, simple as that. Now you can feel a bit better about the fact that your web app is a bit safer in the case of session hijacking.