Security Basics mailing list archives

Re: PHP Sessions


From: Peter Butler <peter.butler () 141 com>
Date: Fri, 22 Sep 2006 11:35:48 +1200

HTTP is a stateless protocol, therefore some sort of session identifier needs to be passed with every request in order to maintain a "session" with the server. There are two common approaches to this: the first is to pass the session identifier explicitly (e.g. as part of the query string in a GET request or as part of the form submission for a POST request). The other is to pass the session identifier as a cookie (using the cookie headers).
> What I fail to understand is why people use session IDs and pass them via the query string at all?
Session variables are passed via the query string when the user has cookies disabled in their browser. Some users disable cookies because of privacy issues. I'm not entirely sure about PHP, but most web technologies seem to write the first page that requires a session with each URL containing session information, and also sends a cookie to the browser. If the cookie comes back from the browser on the next request, cookies are used from that point on. If the cookie doesn't come back from the browser (because the user has disabled cookies), the query string is used.
> On a site that I maintain, I store the session ID in a session variable and then check that rather than a session ID passed through the query string. This way the user cannot modify the session ID and therefore only valid sessions are accepted.
If you are setting "session variables" in PHP you are sending cookies to the user's browser (or at least PHP is, under the covers). A good way to see this is by downloading the "Web Developer" extension for Firefox and looking through the "cookies" menu.

You can rely to a certain extent on the integrity of cookies if you (for example) use a decent amount of randomisation and a secure hash function to create the session id and maintain all session information on the server (i.e. don't pass any user-identifiable data in session ids).

It's also a good idea to keep track of the association from session id -> IP address; this can guard against session hijacking (where a malicious user uses the session id of a legitimate user to access your application).
> Am I missing something here? Is there a way for a malicious user to edit session variables?
Possibly, I'm not sure what mechanism PHP uses to encrypt session information.

Cheers

Peter
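The points Peter makes above (carry the session id in a cookie rather than the query string, let PHP generate a random id, keep all state on the server, and tie the id to the client's IP address) can be put together in a single bit of PHP configuration plus a session-start wrapper. The following is an added example written for this archive page; it is not code from Peter or from the original poster. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and the samesite option) and that the site is served over HTTPS; the function names startBoundSession() and onLogin() and the $_SESSION keys bound_ip, created and user_id are choices made here, not PHP built-ins.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

// Transport: accept the session id only from the cookie, never from the
// query string, so it does not leak into logs, Referer headers or bookmarks.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Strict mode: an id the server did not issue is discarded and a fresh one
// (generated by PHP from a CSPRNG since 7.1) is created instead.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);

/**
 * Start or resume the session and bind it to the client's IP address.
 * All user state lives in $_SESSION on the server; the cookie carries
 * only the opaque session id.
 */
function startBoundSession(): void
{
    session_start();
    $clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['bound_ip'])) {
        // Fresh session: rotate the id and record which address it was issued to.
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $clientIp;
        $_SESSION['created']  = time();
        return;
    }

    if (!hash_equals((string) $_SESSION['bound_ip'], $clientIp)) {
        // The id is being presented from a different address than the one it
        // was issued to: log it as a possible hijack and throw the session away.
        error_log(sprintf(
            'session %s: client IP changed from %s to %s, destroying session',
            session_id(), $_SESSION['bound_ip'], $clientIp
        ));
        $_SESSION = [];
        session_destroy();

        // Start over with a brand-new id bound to the current address.
        session_start();
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $clientIp;
        $_SESSION['created']  = time();
    }
}

/** Call after a successful login so a pre-login id cannot be reused (session fixation). */
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

startBoundSession();
```

Two caveats a practitioner would want: the IP binding is only as good as REMOTE_ADDR, so behind a reverse proxy you must read the proxy-supplied header instead and trust it only from the proxy; and users on mobile networks or large NAT pools legitimately change addresses mid-session, so some sites relax the check to the first octets or treat a mismatch as a prompt to re-authenticate rather than a hard logout. The error_log() line is the detection hook: a mismatch rate that jumps for one session id is worth alerting on.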

