The Ninja Space Goat wrote:
I'm sorry, but I seriously just don't get it. Let me see if I understand sessions properly:
You start the session in PHP with session_start(). This generates a unique ID that PHP stores on the user's machine and internally. Now you assign variables to the session (such as $_SESSION['user_id'] = 10). Those values are saved to a file that is associated with the session ID. Now on each subsequent page, the session ID is accepted from the user (by means of a cookie or the URL) and then used to find the file (on the server) and return the associated data.
Where is the vulnerability? Even if PHP creates a new session file with the ID you were tricked into using, it wouldn't be associated with anything, would it??
Creating a session is as easy as clicking this link:
That server will now have a session started with the ID 123abc456def789ghi.
I understand that part... My question is this: why does that matter? What can you do with a session that doesn't have any data attached to it? I understand that the session can be created, but if that data doesn't contain user_id, my system would just boot you to the login... and systems that don't require a login would just give you the same access as everybody else... What am I not getting here??
PS: I haven't had a chance to read that article that ole posted (I plan to in a moment).
Say you're 10 pages deep into your site. You're not checking for user_id, are you? But rather the session ID...
And those session variables are assigned to a session ID, so if two people have the same session ID, they will also have the same session variables associated, such as user_id.
If by some means I got you to use that link, and log in to the site... I could then use that link and the server will offer me your session data in my session.
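The pattern Jenk describes, written out as an added example (this is not code from the thread or from any poster): a login script that keeps whatever session ID the browser presented, so the ID in the attacker's link ends up carrying user_id once the victim logs in, next to a hardened version that refuses URL-supplied and server-unknown IDs and issues a fresh ID at login. The USERS table and check_credentials() are constructed stand-ins for a real user lookup; session.use_strict_mode assumes PHP 5.5.2 or newer.

```php
<?php
// Added example, not from the thread. Drop in a docroot as login.php.
// USERS and check_credentials() are made-up stand-ins for a real user store.
declare(strict_types=1);

const USERS = ['alice' => 'correct horse battery staple']; // constructed test data

function check_credentials(string $user, string $pass): ?int
{
    // Returns a user id on success, null on failure (hypothetical lookup).
    if (isset(USERS[$user]) && hash_equals(USERS[$user], $pass)) {
        return 10;
    }
    return null;
}

// VULNERABLE: the id the browser presents (cookie, or ?PHPSESSID=... as in the
// thread's link) is kept across login, so an attacker-chosen id now maps to a
// logged-in user. Every ini_set must precede session_start() to take effect.
function login_vulnerable(string $user, string $pass): bool
{
    ini_set('session.use_only_cookies', '0'); // accept ids from the URL/query string
    ini_set('session.use_trans_sid', '1');    // propagate ids in URLs
    ini_set('session.use_strict_mode', '0');  // accept ids PHP never issued
    session_start();
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    $_SESSION['user_id'] = $uid; // 123abc456def789ghi now carries user_id = 10
    return true;
}

// HARDENED: cookie-only ids, reject ids the server never issued, and rotate the
// id at the privilege change so the pre-login id is worthless to whoever picked it.
function login_hardened(string $user, string $pass): bool
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    session_regenerate_id(true); // fresh id; true deletes the old session file
    $_SESSION['user_id'] = $uid;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Logout clears the data, expires the cookie and destroys the server-side file,
// so a captured id cannot be replayed after the user leaves.
function logout(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Minimal dispatcher: POST user/pass to login.php?mode=vuln or login.php (hardened).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $mode = $_GET['mode'] ?? 'hardened';
    $ok = ($mode === 'vuln')
        ? login_vulnerable($_POST['user'] ?? '', $_POST['pass'] ?? '')
        : login_hardened($_POST['user'] ?? '', $_POST['pass'] ?? '');
    header('Content-Type: text/plain');
    echo $ok ? "logged in; session id is now " . session_id() . "\n" : "bad credentials\n";
}
```

To reproduce the thread's scenario against the vulnerable mode, open the site with ?PHPSESSID=123abc456def789ghi in one browser and log in; a second client presenting the same ID (cookie or URL) is then served that user's $_SESSION. Against the hardened mode the URL ID is ignored, use_strict_mode makes PHP discard an ID it did not generate, and session_regenerate_id(true) means that even an attacker-set cookie stops matching the moment the victim logs in. The regeneration at login is the essential control; the ini settings close the delivery channels the link relies on.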
Jenk wrote: If by some means I got you to use that link, and log in to the site... I could then use that link and the server will offer me your session data in my session.
OOOOOOOH OK!!! See... this is what I wasn't getting! I thought you guys were trying to tell me that if you got access to a blank session, you would have some kind of magical access to things you aren't supposed to... All you are saying is that if you can trick somebody into using a session ID that you specify, once they log in, or anything like that, you can just use their session data. Thank you, Jenk... that was all I needed.
Think about it this way... how easy would it be to trick somebody into visiting a link like that? I can think of many ways I could trick people into visiting that link. When you think about it like that, you sort of start to realize how vulnerable most applications really are.
You could probably add a bit of obscurity to it, though it's probably so weak it's not even worth the millisecond or two it will add to processing time...