Magento Forum

Session validation settings - what to choose in 1.4? 
 
lisali
Enthusiast
 
Total Posts:  889
Joined:  2008-04-28
London, UK
 

There are some new options for “Session validation settings” in 1.4. What should one choose here?

The options are:

Validate REMOTE_ADDR
Validate HTTP_VIA
Validate HTTP_X_FORWARDED_FOR
Validate HTTP_USER_AGENT
Use SID on Frontend

Thanks!

 
 
silverpenhouse
Member
 
Total Posts:  72
Joined:  2008-02-16
Virginia
 

Good Question.

I don’t know specifically regarding 1.4.

But here is a discussion about that with some insightful comments in regards to 1.3:

http://thewellrunsite.com/2009/02/12/fixing-the-magento-checkout-glitch/

 
 
bitflip
Sr. Member
 
Total Posts:  149
Joined:  2009-05-17
UK
 

They are security features designed to help prevent session fixation attacks, session poisoning, and session stealing.  Enabling the features will help prevent these types of issues but could slow down your server and the speed of the session for the customer/visitor. 

By default the features are disabled (options are set to “No”). To enable the features set them to “Yes”.

 
 
silverpenhouse
Member
 
Total Posts:  72
Joined:  2008-02-16
Virginia
 

How common are these types of attacks and how would the attackers benefit?

 
 
bitflip
Sr. Member
 
Total Posts:  149
Joined:  2009-05-17
UK
 

The “How Common” depends on the context.  I don’t know the real answer.  If you take the entire internet then potentially relatively common, or at least the probing of eCommerce sites to see if the vulnerability exists is probably common.  I have no idea how many Magento Store owners have actually been exposed to a real attack. 

To answer the “How would the attackers benefit” question. If a hacker can hijack a user’s session then they essentially become that person. If the session is still valid on the server then potentially hackers can get access to the customer’s account. It’s very easy to spoof the User-Agent and the referrer. It’s not so easy to spoof the IP address unless the hacker can either gain access to the user’s computer or they can do a man-in-the-middle attack.

It’s probably worthwhile switching on “Validate REMOTE_ADDR” so you check the IP Address matches what you have in the $_SESSION data. If a different IP address is detected then the session is invalidated. The point of the checks is to ensure that the visitor is who they say they are.

The load generated by switching on the features is negligible and an individual user won’t notice any difference, but if your store has 1000s of visitors per day this may mount up on the server end. The best advice would be to test the features one by one to see what additional load they place on your server.

Hope this helps.

 
 
Jakub@WebCatch
Sr. Member
 
Total Posts:  215
Joined:  2009-11-06
Nottingham, UK
 

You probably didn’t look at the link that silverpenhouse posted. Validating the customer’s IP address fails miserably when the customer’s ISP uses a proxy for http connections (and it seems many ISPs do that, at least in the UK). The problem occurs when switching from http to https. When on http, the customer connects through a proxy, so the session is created with the proxy’s IP address. When the customer is redirected to https (e.g. goes to checkout) the connection is direct and the proxy is bypassed. Now the customer is connecting from his own IP address and not through a proxy, so his IP has changed. Magento detects this and invalidates the session. In such a scenario, the customer will not be able to use your store (unless they constantly use https, but only the geeks will know that they need to do that).
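As an added illustration (not Magento’s own code), here is a small Python model of the check bitflip describes, each enabled validator compared against the value stored when the session was created, run through the proxy-then-https scenario Jakub describes. Header values and IP addresses are constructed.

```python
# Constructed model of Magento 1.4-style session validation; not Magento's code.
# Config keys mirror the four "Validate ..." options from the admin panel.
VALIDATORS = ("REMOTE_ADDR", "HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_USER_AGENT")


def start_session(request):
    """Snapshot the validator values seen on the request that created the session."""
    return {"validator_data": {key: request.get(key) for key in VALIDATORS}}


def validate_session(session, request, config):
    """Return True if every *enabled* validator still matches; False means
    the store would invalidate the session (empty cart, forced re-login)."""
    stored = session["validator_data"]
    for key in VALIDATORS:
        if config.get(key, False) and stored.get(key) != request.get(key):
            return False
    return True


def checkout_survives(config):
    """Simulate: browse over http through an ISP proxy, then hit https checkout
    directly (proxy bypassed), and report whether the session is still accepted."""
    ua = "Mozilla/5.0 (constructed test agent)"
    # On http the proxy is the peer, so REMOTE_ADDR is the proxy's address
    # and the proxy adds Via / X-Forwarded-For headers (values constructed).
    http_request = {
        "REMOTE_ADDR": "198.51.100.7",            # ISP proxy
        "HTTP_VIA": "1.1 isp-proxy",
        "HTTP_X_FORWARDED_FOR": "203.0.113.42",   # real client, as seen by proxy
        "HTTP_USER_AGENT": ua,
    }
    # On https the client connects directly: its own address, no proxy headers.
    https_request = {"REMOTE_ADDR": "203.0.113.42", "HTTP_USER_AGENT": ua}

    session = start_session(http_request)
    return validate_session(session, https_request, config)


def hijack_detected(config, attacker_request):
    """A second browser presenting the same session id from a different client;
    True if the enabled validators reject it."""
    legit = {"REMOTE_ADDR": "203.0.113.42", "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)"}
    return not validate_session(start_session(legit), attacker_request, config)
```

With REMOTE_ADDR, HTTP_VIA or HTTP_X_FORWARDED_FOR validation on, the proxied-http-to-direct-https switch alone invalidates the session; HTTP_USER_AGENT validation survives it but, as bitflip notes, is trivially matched by an attacker who copies the header.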

 
 
lisali
Enthusiast
 
Total Posts:  889
Joined:  2008-04-28
London, UK
 

Hi all,

Many thanks for your replies. Very interesting.

Could this be the reason that SOME customers email every now and then saying that when they add items to the cart and try to proceed to checkout, the cart is empty, or they cannot pay? While others have no problems at all.

@Jakub - which of these features do you have on/off?
Thanks!

 
 
silverpenhouse
Member
 
Total Posts:  72
Joined:  2008-02-16
Virginia
 

I just had a customer call this morning complaining about this.

And that really makes me think about how many people are actually experiencing this issue.

While he was on the phone I disabled those 4 options and had him try again, but ... with no success. (Perhaps the cache didn’t reset in time).

In any case, there is even a simpler test that you can have the user do. Users experiencing this problem can’t even click on “My Account” or “Log In”. (Again because of the whole http -> https issue)

I wish there was a way to reproduce that behavior in my environment so that I could further test it.

My question now is, is this a bug or a feature that needs to be better configured on my side?

Thanks!

 
 
silverpenhouse
Member
 
Total Posts:  72
Joined:  2008-02-16
Virginia
 

The site is now working for the customer for whom it was initially not working. I had to disable all 4 though and reset the cache.

 
 
Jakub@WebCatch
Sr. Member
 
Total Posts:  215
Joined:  2009-11-06
Nottingham, UK
 
lisali - 09 March 2010 03:03 AM

Hi all,

Many thanks for your replies. Very interesting.

Could this be the reason that SOME customers email every now and then saying that when they add items to the cart and try to proceed to checkout, the cart is empty, or they cannot pay? While others have no problems at all.

@Jakub - which of these features do you have on/off?
Thanks!

I switched all the session validation options off. Too early to tell whether that helped sales…

 
 
lisali
Enthusiast
 
Total Posts:  889
Joined:  2008-04-28
London, UK
 

Thanks Jakub,

Please keep us updated and let us know if you notice any changes.
BTW, great Q&A on your website, love to see more.
Thanks again!

 