I'm pretty sure this has been discussed, but I couldn't find it. I have noticed a lot of session classes give the option to regenerate the session id. For instance, here is a session::start() method in a session class I sort of stitched together from arborint's skeleton directory and a few other sources:
    public function start(){
        if (!self::$id) {
            // TODO: Research this functionality a little more
            // If browser is Internet Explorer
            if (strstr($_SERVER['HTTP_USER_AGENT'], 'MSIE')) {
                session_cache_limiter('must-revalidate');
            }
            session_start();
            // TODO: Research this functionality a little more
            if ($this->regenerate) {
                session_regenerate_id();
            }
            self::$id = session_id();
        }
    }
As you will notice, I have left comments in there to figure out what those things do... why are session_cache_limiter and session_regenerate_id in there? Thanks!
IE can have issues in keeping sessions alive correctly, so some add it to try keeping IE up to date. I've never needed it, so I'm not sure on the situation where it's actually needed.
As for regeneration of the ID, it can be said that regenerating the ID when passing through changes in security levels can help prevent some hacking attempts.
It could be that, it could also be as simple as a person going into moderator mode or an administrator going into the administration area. It's really up to you as to when you think it should be regenerated.
Then when the victim uses that session and accesses a new part of the system with greater privileges, the hacker has access to them too. Unless you regenerate the id.
Hmm... not sure I understand. How would the hacker know what session id string to attach to the url?
Well I understand they could create their own session, but session data is on the server, right? Forgive me if my brain is missing, but how could somebody write a session and store it on your server?
I'm sorry, but I seriously just don't get it. Let me see if I understand sessions properly:
You start the session in php with session_start(). This generates a unique id that php stores on the user's machine and internally. Now you assign a variable to the session (such as $_SESSION['user_id'] = 10). Those values are saved to a file that is associated to the session id. Now on each subsequent page, the session id is accepted from the user (by means of cookie or url) and then used to find the file (on the server) and return the associated data.
Where is the vulnerability? Even if php creates a new session file with the id you were tricked into using, it wouldn't associate with anything, would it??
Not to pry my nose in, but is this an accurate example of what you're saying?
1. Spammer sends out emails to people to sign up for a paypal account, giving the url.. paypal.com?PHPSESSID=123
2. Email recipient opens email and thinks "Ok, I'll set up an account and enter my credit card information"
3. Spammer (now known as Hacker) will then hit that same URL, enabling him to access "secured" places that the email recipient had accessed or entered sensitive information.
The Ninja Space Goat wrote:
I'm sorry, but I seriously just don't get it. Let me see if I understand sessions properly:
You start the session in php with session_start(). This generates a unique id that php stores on the user's machine and internally. Now you assign a variable to the session (such as $_SESSION['user_id'] = 10). Those values are saved to a file that is associated to the session id. Now on each subsequent page, the session id is accepted from the user (by means of cookie or url) and then used to find the file (on the server) and return the associated data.
Where is the vulnerability? Even if php creates a new session file with the id you were tricked into using, it wouldn't associate with anything, would it??
Creating a session is as easy as clicking this link:
That server (if the link was valid, and the sess ID identifier was PHPSESSID) will now have a session started with the id 123abc456def789ghi.
If by some means I got you to use that link, and log in to the site.. I could then use that link and the server will offer me your session data in my session.
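Added example, not part of any post in this thread: a sketch of the defence discussed above, where the session ID is replaced at login so an ID planted before login stops pointing at any data. The helper names startSession() and logIn() are hypothetical, PHP 7 or later is assumed for the session_start() options array, and the demo at the bottom is constructed to run from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not the session class from the thread.
function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_start([
        'use_strict_mode'  => 1, // refuse IDs the server never issued
        'use_only_cookies' => 1, // ignore ?PHPSESSID=... in the URL
        'use_trans_sid'    => 0, // never append the ID to links
        'cookie_httponly'  => 1, // keep the cookie away from page scripts
    ]);
}

function logIn(int $userId): void
{
    startSession();
    // Privilege level is about to change: issue a fresh ID and delete the
    // old session record, so a pre-login ID no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// --- Constructed demo (CLI): all output is deferred to the end so that no
// --- "headers already sent" condition interferes with the session calls.
startSession();
$preLoginId = session_id();      // stands in for an ID known before login
logIn(10);
$postLoginId = session_id();
session_write_close();

// Reopen the pre-login ID the way a second client would present it.
// Strict mode is switched off here only so the old ID is accepted at all.
session_id($preLoginId);
session_start(['use_strict_mode' => 0]);
$seenWithOldId = $_SESSION;      // empty: the old record was deleted
session_destroy();

echo 'ID changed at login: ', var_export($preLoginId !== $postLoginId, true), PHP_EOL;
echo 'Data visible via old ID: ', json_encode($seenWithOldId), PHP_EOL;
```

Passing true to session_regenerate_id() is what removes the old record; the bare call in the start() method above issues a new ID but leaves the old session data on the server.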