Security Basics mailing list archives
RE: PHP Sessions
From: "Hagen, Eric" <hagene () DenverNewspaperAgency com>
Date: Thu, 21 Sep 2006 14:08:14 -0600
PHP's default handling of sessions is to store the session ID in a cookie. You, as the PHP programmer, have absolutely nothing to do with the session ID other than calling session_start(). If PHP is unable to set a cookie (or if you direct it to do this), then it will use the GET variables on the URI in order to transmit the session ID. Regardless, the session ID is stored locally on the computer and then transmitted to the server when the user connects to the site.

When you said "I store the session ID in a session variable", this is somewhat nonsensical because in order to use a "session variable", a session ID is stored on the client machine automatically, as per PHP's configured behavior.

If the user's browser is refusing cookies and you have PHP configured (as it is per defaults) to fall back on the URI-encoded session IDs, then you, too, are sending session IDs on the URI without even realizing it!

Eric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of xbennx () hotmail co uk
Sent: Thursday, September 21, 2006 10:11 AM
To: security-basics () securityfocus com
Subject: PHP Sessions

I've posted on this topic before but I still have some unanswered questions...

I keep hearing a lot about PHP session IDs and that an attacker can easily recreate a valid session ID and log in as another user. Of course this is dependent on the way the system works and what's used to generate the session ID. This I understand.

What I fail to understand is why people use session IDs and pass them via the query string at all? On a site that I maintain, I store the session ID in a session variable and then check that rather than a session ID passed through the query string. This way the user cannot modify the session ID and therefore only valid sessions are accepted.

Am I missing something here? Is there a way for a malicious user to edit session variables?
Any comments will be appreciated.

Thanks,
Benn
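Eric's point is that how the session ID travels (cookie or URI) is decided by PHP's configuration, not by anything the application does with $_SESSION. The example below is added here and is not code from either poster. It shows the php.ini directives that pin the ID to a cookie and switch off the URI fallback, and then does the server-side check Benn describes without ever reading a session ID from the query string. The directive names (session.use_only_cookies, session.use_trans_sid, session.use_strict_mode) are real PHP settings; the array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or later; the function names (hardenSessionConfig, loginUser, currentUserId, logoutUser) are the example's own.

```php
<?php
// Added example, not from the thread. Requires PHP 7.3+.
// Every ini_set() here must run before session_start().

function hardenSessionConfig(): void
{
    // Only the cookie may carry the session ID; no URI fallback at all.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject any client-supplied ID the server did not itself issue.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not exposed to JavaScript
        'samesite' => 'Lax',
    ]);
}

function startSession(): void
{
    hardenSessionConfig();
    session_start();
}

// Call after credentials have been verified. The pre-login ID is discarded so
// an ID issued to an anonymous visitor never becomes an authenticated one.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Benn's check, against server-side state only. $_SESSION is read from the
// server's session store; the client holds nothing but the opaque ID.
function currentUserId(int $maxIdleSeconds = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - (int) $_SESSION['last_seen'] > $maxIdleSeconds) {
        logoutUser();   // idle too long: drop the session entirely
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

// Clear server-side data, expire the cookie, and destroy the session.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Typical request handling:
startSession();
if (currentUserId() === null) {
    http_response_code(401);
    exit('not logged in');
}
```

With session.use_only_cookies set, a browser that refuses cookies simply gets no session, rather than silently receiving the ID in every link as Eric warns; and because the user ID is looked up in $_SESSION on the server, nothing the client can put in the query string changes which account the request is treated as.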
Current thread:
- PHP Sessions xbennx (Sep 21)
- Re: PHP Sessions Peter Butler (Sep 22)
- <Possible follow-ups>
- RE: PHP Sessions Hagen, Eric (Sep 22)