Security Basics mailing list archives

RE: PHP Sessions


From: "Hagen, Eric" <hagene () DenverNewspaperAgency com>
Date: Thu, 21 Sep 2006 14:08:14 -0600

PHP's default handling of sessions is to store the sessionID in a
cookie.  You, as the PHP programmer, have absolutely nothing to do with
the session ID other than calling session_start().

If PHP is unable to set a cookie (or if you direct it to do this), then
it will use the GET variables on the URI in order to transmit the
session ID.

Regardless, the session ID is stored locally on the computer and then
transmitted to the server when the user connects to the site.

When you said "I store the session ID in a session variable", this is
somewhat nonsensical because in order to use a "session variable", a
session ID is stored on the client machine automatically, as per PHP's
configured behavior.  If the user's browser is refusing cookies and you
have PHP configured (as it is per defaults) to fall back on the URI
encoded session IDs, then you, too, are sending session IDs on the URI
without even realizing it!

Eric
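The behaviour Eric describes is governed by a handful of session ini settings. The following is an added example, not code from the thread, showing how a PHP application can pin session transport to cookies only so the ID never falls back onto the URI, and how to spot clients that still present an ID on the query string. The function names are my own; the array form of session_set_cookie_params() and the 'samesite' attribute assume PHP 7.3 or later, and the settings are set explicitly so the result does not depend on which php.ini defaults the installed version ships with.

```php
<?php
// Added example (not from the thread): force cookie-only session transport.
// The php.ini equivalent of each ini_set() call is given in the comment.

declare(strict_types=1);

function configure_cookie_only_sessions(): void
{
    // php.ini: session.use_cookies = 1
    ini_set('session.use_cookies', '1');
    // php.ini: session.use_only_cookies = 1 -- never accept an ID from GET/POST
    ini_set('session.use_only_cookies', '1');
    // php.ini: session.use_trans_sid = 0    -- never rewrite links/forms with the ID
    ini_set('session.use_trans_sid', '0');
    // php.ini: session.use_strict_mode = 1  -- reject IDs the server did not issue
    ini_set('session.use_strict_mode', '1');

    // Cookie attributes; the array form is available from PHP 7.3 (assumption).
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, not written to disk
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from script
        'samesite' => 'Strict',
    ]);
}

/**
 * True when a session ID arrived on the query string. With the settings
 * above PHP ignores it, but logging the event shows which clients still
 * carry IDs in URLs (old bookmarks, links copied from a trans_sid site).
 */
function session_id_in_query(array $query): bool
{
    return isset($query[session_name()]);
}

function start_session(): void
{
    configure_cookie_only_sessions();
    if (session_id_in_query($_GET)) {
        error_log('session ID seen on the query string; ignored (cookie-only mode)');
    }
    session_start();
}

/**
 * Call on every privilege change (login, role change): the ID the client
 * held before authenticating is discarded, so a pre-set ID never becomes
 * an authenticated one.
 */
function on_login(int $userId): void
{
    session_regenerate_id(true);  // fresh ID, old session file destroyed
    $_SESSION['user_id'] = $userId;
}

start_session();
```

With use_only_cookies and use_strict_mode on, a browser that refuses cookies simply gets a new, empty session on every request rather than an ID on the URI; that is the trade-off to accept if session IDs must never appear in links, logs or Referer headers.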

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of xbennx () hotmail co uk
Sent: Thursday, September 21, 2006 10:11 AM
To: security-basics () securityfocus com
Subject: PHP Sessions

I've posted on this topic before but I still have some unanswered
questions...

I keep hearing a lot about PHP session IDs and that an attacker can
easily recreate a valid session id and log in as another user. Of course
this is dependent on the way the system works and what's used to generate
the session id. This I understand.

What I fail to understand is why people use session IDs and pass them
via the query string at all? On a site that I maintain, I store the
session ID in a session variable and then check that rather than a
session ID passed through the query string. This way the user cannot
modify the session ID and therefore only valid sessions are accepted.

Am I missing something here? Is there a way for a malicious user to edit
session variables?

Any comments will be appreciated.

Thanks,

Benn

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
