RE: PHP Sessions
PHP's default handling of sessions is to store the session ID in a
cookie. You, as the PHP programmer, have absolutely nothing to do with
the session ID other than calling session_start().

If PHP is unable to set a cookie (or if you direct it to do this), then
it will use the GET variables on the URI in order to transmit the
session ID.

Regardless, the session ID is stored locally on the computer and then
transmitted to the server when the user connects to the site.

When you said " I store the session ID in a session variable", this is
somewhat nonsensical because in order to use a "session variable", a
session ID is stored on the client machine automatically, as per PHP's
configured behavior. If the user's browser is refusing cookies and you
have PHP configured (as it is per defaults) to fall back on the URI
encoded session IDs, then you, too, are sending session IDs on the URI
without even realizing it!

Eric
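The point Eric makes above, that the session ID is chosen and presented by the client whether you look at it or not, is what the following added example addresses; it is not code from the thread. It assumes PHP 7 or later with the standard session extension, a site served over HTTPS, and a placeholder user lookup.

```php
<?php
// Harden PHP's session transport so the ID is only ever carried in a cookie,
// never in the URI, and give a freshly authenticated user a new ID.

// 1. Never read the ID from the query string and never rewrite links with it.
ini_set('session.use_only_cookies', '1');   // ignore PHPSESSID in GET/POST
ini_set('session.use_trans_sid', '0');      // no ?PHPSESSID=... in emitted URLs

// 2. Make the cookie harder to steal: not readable from JavaScript (httponly),
//    and only sent over HTTPS (secure).
//    Arguments: lifetime, path, domain, secure, httponly.
session_set_cookie_params(0, '/', '', true, true);
session_name('SID');

// 3. Refuse to start a session under an ID the client simply made up.
//    PHP builds session IDs only from [A-Za-z0-9,-]; the length bounds are an
//    assumption covering common configurations (32 hex, 40 hex, 26+ chars).
//    session_start() reads the ID from $_COOKIE, so dropping it here makes
//    PHP issue a fresh one instead of creating a session for the bogus ID.
if (isset($_COOKIE['SID']) && !preg_match('/^[A-Za-z0-9,-]{22,128}$/', $_COOKIE['SID'])) {
    unset($_COOKIE['SID']);
}

session_start();

// Called after the password check succeeds ($user_id is a placeholder value).
function login_user(int $user_id): void
{
    // Replace whatever ID the client presented (possibly planted by someone
    // else, or leaked earlier via a URI) with a new one, and delete the old
    // server-side session file so the previous ID stops working.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $user_id;
    $_SESSION['logged_in_at'] = time();
}

function current_user(): ?int
{
    // Server-side session data cannot be edited by the client, but it is only
    // as trustworthy as the session ID cookie that selected it.
    return $_SESSION['user_id'] ?? null;
}
```

With this in place a request carrying `?PHPSESSID=...` is treated as having no session at all, which is the behaviour the original poster assumed he already had.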

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of xbennx@xxxxxxxxxxxxx
Sent: Thursday, September 21, 2006 10:11 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: PHP Sessions

I've posted on this topic before but I still have some unanswered
questions...
I keep hearing a lot about PHP session IDs and that an attacker can
easily recreate a valid session ID and log in as another user. Of course
this is dependent on the way the system works and what's used to generate
the session ID. This I understand.
What I fail to understand is why people use session IDs and pass them
via the query string at all. On a site that I maintain, I store the
session ID in a session variable and then check that rather than a
session ID passed through the query string. This way the user cannot
modify the session ID and therefore only valid sessions are accepted.
Am I missing something here? Is there a way for a malicious user to edit
session variables?

Any comments will be appreciated.

Thanks,

Benn

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------