Session in COOKIE or GET

Posted: Thu Dec 22, 2005 5:59 am
by anjanesh
Hi

When using sessions, I normally used $PHPSESSID, but when register_globals is Off I have to use $_COOKIE['PHPSESSID'].

What if cookies are off and it's sent in the URL, where I would need to access it as $_GET['PHPSESSID']?

I would like to do something like
$PHPSESSID = $_COOKIE['PHPSESSID'] | $_GET['PHPSESSID'];

Is that possible?

Thanks

Posted: Thu Dec 22, 2005 7:41 am
by m3mn0n
Test it out and see. ;)

Posted: Thu Dec 22, 2005 7:49 am
by anjanesh
$PHPSESSID = $_COOKIE['PHPSESSID'] | $_GET['PHPSESSID']; obviously doesn't work in PHP - but I was hoping for some alternative to achieve this line.
How would I know if PHPSESSID (assuming session.name is PHPSESSID) is coming from COOKIE or GET?

$_REQUEST['PHPSESSID'] does work, but I still can't figure out if it's from COOKIE or GET (without using isset($_COOKIE['PHPSESSID']) and isset($_GET['PHPSESSID'])).

Posted: Thu Dec 22, 2005 8:05 am
by m3mn0n
If register globals is off, try using $HTTP_SESSION_VARS instead of $_SESSION.

If you're worried about variable poisoning:

eg. from the manual ( http://php.net/manual/en/security.globals.php ):

<?php
if (isset($_COOKIE['MAGIC_COOKIE'])) {

   // MAGIC_COOKIE comes from a cookie.
   // Be sure to validate the cookie data!

} elseif (isset($_GET['MAGIC_COOKIE']) || isset($_POST['MAGIC_COOKIE'])) {

   mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
   echo "Security violation, admin has been alerted.";
   exit;

} else {

   // MAGIC_COOKIE isn't set through this REQUEST

}
?>

Posted: Thu Dec 22, 2005 9:08 am
by josh
I don't get the problem; who cares if it comes from the cookie or from the GET data?

Anyways, back on topic:

I usually use this handy function
http://us2.php.net/session_id

Posted: Thu Dec 22, 2005 9:22 am
by anjanesh
jshpro2 wrote: I don't get the problem, who cares if it comes from the cookie or from the GET data
I'm using $_COOKIES[session_name()] in my code.
This assumes cookies are enabled on the client side.

What if one client has cookies disabled? Automatically the session name would be sent across in $_GET, right? Because cookies are disabled.
In this case $_COOKIES[session_name()] will return an undefined index.

Posted: Thu Dec 22, 2005 10:31 am
by m3mn0n
*slaps forehead*

Gotcha now. I'd check against the cookie first because that's the way you normally want it to go.... then if that doesn't exist/isn't set, then extract get and parse it to make sure no XSS attack can be done.

A model similar to the code I posted above should work.
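
The check m3mn0n describes, cookie first and then a validated GET fallback, as an added PHP example that is not code from this thread or from the PHP manual; the function names session_id_source, valid_session_id and start_session_from_request and the $allowGet switch are my own, and session.name is assumed to be left at its default.

```php
<?php
// Added example, not from this thread: prefer the cookie, then optionally a
// validated GET value, and leave PHP's own id handling locked to cookies.

// Returns 'cookie', 'get' or null for the id named by session_name().
// The cookie wins when both are present, as m3mn0n suggests.
function session_id_source()
{
    $name = session_name();
    if (isset($_COOKIE[$name])) {
        return 'cookie';
    }
    if (isset($_GET[$name])) {
        return 'get';
    }
    return null;
}

// Accept only the characters PHP generates itself, so a crafted value
// (script, path fragments, control bytes) never reaches session_id().
function valid_session_id($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id) === 1;
}

// Starts the session and reports where its id came from.
// With $allowGet false (the default), an id in the URL is ignored and a
// fresh one is issued: this is the "cookies or nothing" policy.
function start_session_from_request($allowGet = false)
{
    // PHP itself reads the id only from the cookie and never rewrites
    // links to carry it, so users cannot paste a URL containing their session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    $source = session_id_source();
    if ($source === 'get') {
        if (!$allowGet || !valid_session_id($_GET[session_name()])) {
            session_start();          // fresh id, URL value discarded
            return null;
        }
        // An id taken from a link was chosen by whoever wrote the link, so
        // call session_regenerate_id(true) as soon as the user authenticates.
        session_id($_GET[session_name()]);
    }
    session_start();
    return $source;
}
```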

Posted: Thu Dec 22, 2005 12:00 pm
by anjanesh
Thanks for your input.
Anyway, I'm now thinking... this will be more work to check which super-global is sending the session name & id.

If you disable cookies and try logging into Yahoo Mail you'll get the message:
The browser you're using refuses to sign in. (cookies rejected)
Guess this is not worth it? Force users to switch on cookies? Or is it worth coding to receive session data in either of the streams? The Y! giant hasn't, at least!

Posted: Thu Dec 22, 2005 12:12 pm
by m3mn0n
I recommend that.

I personally refuse to support people who don't allow my site to set cookies.

It's either allow it, or sorry, you're out of luck. :wink:

Posted: Thu Dec 22, 2005 3:37 pm
by AKA Panama Jack
Sami wrote: I recommend that.

I personally refuse to support people who don't allow my site to set cookies.

It's either allow it, or sorry, you're out of luck. :wink:
Thumbs up there...

On our sites if you have disabled cookie support in your browser we don't care if you never come to the site. Sometimes people can be more than a little anal/paranoid when it comes to security.

Posted: Fri Dec 23, 2005 5:18 am
by Maugrim_The_Reaper
I agree, I hate using GET sessids because the potential for some unknowing user to post a URL complete with session id is obvious. If they are completely against cookies, and can't even be bothered to allow a domain-specific list of cookies, then they shouldn't expect anything on the net to be capable of maintaining state between requests.

Personally I disable passing the session by GET - it's a security risk to the user, and yes, I'm a bit obsessive when it comes to security... ;)

Posted: Fri Dec 23, 2005 5:35 am
by anjanesh
Under "Sessions and security" in the PHP manual:
"Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network."
Even cookies can be listened to over network traffic.
Do you encrypt session ids when not over SSL?