session_regenerate_id


Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Jenk wrote:
The Ninja Space Goat wrote:
I'm sorry, but I seriously just don't get it. Let me see if I understand sessions properly:

You start the session in php with session_start(). This generates a unique id that php stores on the user's machine and internally. Now you assign variable to session (such as $_SESSION['user_id'] = 10). Those values are saved to a file that is associated to the session id. Now on each subsequent page, the session id is accepted from the user (by means of cookie or url) and then used to find the file (on the server) and return the associated data.

Where is the vulnerability? Even if php creates a new session file with the id you were tricked into using, it wouldn't associate with anything, would it??
Creating a session is as easy as clicking this link:

http://www.example.com/page.php?PHPSESS ... 6def789ghi

That server will now have a session started with the id 123abc456def789ghi
I understand that part... my question is this: Why does that matter? What can you do with a session that doesn't have any data attached to it? I understand that the session can be created, but if that data doesn't contain user_id, my system would just boot you into the login... and systems that don't require login would just give you the same access as everybody else... what am I not getting here??

PS: I haven't had a chance to read that article that ole posted (I plan to in a moment).
GeXus
Forum Regular
Posts: 631
Joined: Sat Mar 11, 2006 8:59 am

Post by GeXus »

The Ninja Space Goat wrote:
Jenk wrote:
The Ninja Space Goat wrote:
I'm sorry, but I seriously just don't get it. Let me see if I understand sessions properly:

You start the session in php with session_start(). This generates a unique id that php stores on the user's machine and internally. Now you assign variable to session (such as $_SESSION['user_id'] = 10). Those values are saved to a file that is associated to the session id. Now on each subsequent page, the session id is accepted from the user (by means of cookie or url) and then used to find the file (on the server) and return the associated data.

Where is the vulnerability? Even if php creates a new session file with the id you were tricked into using, it wouldn't associate with anything, would it??
Creating a session is as easy as clicking this link:

http://www.example.com/page.php?PHPSESS ... 6def789ghi

That server will now have a session started with the id 123abc456def789ghi
I understand that part... my question is this: Why does that matter? What can you do with a session that doesn't have any data attached to it? I understand that the session can be created, but if that data doesn't contain user_id, my system would just boot you into the login... and systems that don't require login would just give you the same access as everybody else... what am I not getting here??

PS: I haven't had a chance to read that article that ole posted (I plan to in a moment).
Say you're 10 pages deep into your site, you're not checking for user_id, are you? But rather the session ID...
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

umm... no I'm looking for user_id
GeXus
Forum Regular
Posts: 631
Joined: Sat Mar 11, 2006 8:59 am

Post by GeXus »

The Ninja Space Goat wrote:umm... no I'm looking for user_id
user_id which is a session variable?
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

yea
GeXus
Forum Regular
Posts: 631
Joined: Sat Mar 11, 2006 8:59 am

Post by GeXus »

The Ninja Space Goat wrote:yea
And those session variables are assigned to a session ID, so if two people have the same session ID, they will also have the same session variables associated, such as user_id.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

from my not so stealthy edit:
If by some means I got you to use that link, and login to the site.. I could then use that link and the server will offer me your session data in my session.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Jenk wrote:If by some means I got you to use that link, and login to the site.. I could then use that link and the server will offer me your session data in my session.
OOOOOOOH OK!!! See.... this is what I wasn't getting! I thought you guys were trying to tell me that if you got access to a blank session, you would have some kind of magical access to things you aren't supposed to... all you are saying is that if you can trick somebody into using a session id that you specify, once they log in, or anything like that, you can just use their session data. Thank you jenk... that was all I needed.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

for future reference this sort of "attack" is called session hijacking.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

or session fixation
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

Is this a common sort of attack?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

It can be, because fooling the user is the easiest part of just about any attempt to attack a site.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Think about it this way... how easy would it be to trick somebody into visiting a link like that? I can think of many ways I could trick people into visiting that link. When you think about it like that, you sort of start to realize how vulnerable most applications really are.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

you could probably add a bit of obscurity to it, though it's probably so weak it's not even worth the millisecond or two it will add to processing time...


<?php
session_start();

// On first use, bind the session to the client's address: the token is derived from the session ID and REMOTE_ADDR
if (empty($_SESSION['id'])) {
    $_SESSION['id'] = md5(session_id() . $_SERVER['REMOTE_ADDR']);
}

// Recompute the token on every request; the same session ID presented from a different address fails the check
if ($_SESSION['id'] === md5(session_id() . $_SERVER['REMOTE_ADDR'])) {
    echo 'welcome back user';
} else {
    echo 'oi! stop trying to hijack this session!';
}
though it will have a number of false positives due to people using multiple connections (legitimately) or dynamic IPs, etc. etc.
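Added example, not code from this thread or from any of the posters: the fixation scenario Jenk describes (the attacker plants a session ID through the link, the victim logs in on it, the attacker then reuses the same ID) and the fix the thread title names, session_regenerate_id(), run as a PHP CLI simulation with the files session handler in a temporary directory. The session ID 123abc456def789ghi and the user_id of 10 come from the posts above; the function names and the convention that one session_start()/session_write_close() pair stands for one HTTP request are my assumptions. Cookies are switched off only because there is no browser in the CLI; a real deployment keeps the cookie-only settings Oren posts below. Unlike the REMOTE_ADDR check above, regenerating the ID at login holds no matter where the attacker connects from, because the ID the attacker planted never ends up carrying the authenticated data.

```php
<?php
// Added example: simulate a session fixation attack and the session_regenerate_id() fix
// from the PHP CLI. Not code from the thread; assumed names are marked below.
declare(strict_types=1);

// CLI simulation settings. No browser means no cookies, so each simulated request
// sets the ID the "client" would have presented via session_id() before session_start().
$savePath = sys_get_temp_dir() . '/fixation_demo_' . getmypid(); // assumed location
if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
    fwrite(STDERR, "cannot create {$savePath}\n");
    exit(1);
}
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');      // CLI only; keep cookies on in a real app
ini_set('session.use_strict_mode', '0');  // the permissive (and still default) mode the attack relies on
ini_set('session.gc_probability', '0');

const FIXED_ID = '123abc456def789ghi'; // the ID from Jenk's ?PHPSESSID= link

/** One simulated HTTP request: open the session the client claims, run the page, write it back. */
function request(string $claimedId, callable $page): string
{
    session_id($claimedId);
    session_start();
    $page();
    $idInResponse = session_id(); // the ID the response would hand back to the client
    session_write_close();
    return $idInResponse;
}

/** Assumed vulnerable login handler: keeps whatever session ID the client arrived with. */
function loginVulnerable(): void
{
    $_SESSION['user_id'] = 10;
}

/** Assumed fixed login handler: issue a fresh ID and delete the old, attacker-known one first. */
function loginFixed(): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = 10;
}

/** Assumed protected page: the logged-in user id, or null when not logged in. */
function whoAmI(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/** Wipe the simulated server's session store between the two scenarios. */
function wipeServerSessions(string $savePath): void
{
    foreach (glob($savePath . '/sess_*') ?: [] as $file) {
        unlink($file);
    }
}

// Scenario 1: vulnerable server. Victim logs in on the planted ID, attacker replays it.
request(FIXED_ID, 'loginVulnerable');
$leaked = null;
request(FIXED_ID, function () use (&$leaked) { $leaked = whoAmI(); });

wipeServerSessions($savePath);

// Scenario 2: fixed server. The ID changes during login, so the planted one stays empty.
$victimId = request(FIXED_ID, 'loginFixed');
$stillLeaked = null;
request(FIXED_ID, function () use (&$stillLeaked) { $stillLeaked = whoAmI(); });

// Print only now: any earlier output marks headers as sent, and session_regenerate_id() refuses to run after that.
printf("vulnerable server: attacker replaying %s sees user_id=%s\n", FIXED_ID, var_export($leaked, true));
printf("fixed server:      attacker replaying %s sees user_id=%s\n", FIXED_ID, var_export($stillLeaked, true));
printf("fixed server:      victim's session ID after login is %s (changed: %s)\n",
    $victimId, var_export($victimId !== FIXED_ID, true));

wipeServerSessions($savePath);
rmdir($savePath);
```

Run it with `php fixation_demo.php`: the first line reports user_id=10 for the attacker, the second reports NULL, and the third shows a freshly generated ID. Regenerate on every privilege change (login, and again before logout with session_destroy()), not just once per session. PHP 5.5.2 and later also offer session.use_strict_mode=1, which makes the server refuse an uninitialized client-supplied ID and so blocks the planting step as shown here; it is worth enabling, but it does not replace regeneration, because an attacker can obtain a valid, initialized ID simply by visiting the site first and then plant that one.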
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

This is why you should use an .htaccess file with this content:


php_value session.use_cookies 1
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0