How secure are sessions in php ?

Posted: Tue Mar 02, 2004 9:01 am
by lazy_yogi
Does anyone know how secure sessions are in php ?

Is it stored on the server ?
If so, can it be retrieved by a third party somehow?
If not, it must be stored on the client machine by PHP and encrypted I assume.

Info and links from anyone who has dealt with this would be appreciated

Cheers,
Eli

Posted: Tue Mar 02, 2004 9:11 am
by JayBird
Session.save_path

Normally, there is one PHP engine per server, and it uses a single folder to store all session data. In most cases, this is the /tmp folder (on UNIX platforms).

Any user with a shell on the server can go to the /tmp folder, list all sessions, and read all session data. Simply by accessing the session folder, the user will get all session numbers. With the session number in hand, the user can open a web site and take over the session. The only problem here is to find out to which site the session belongs.

Without the shell access but with the ability to execute PHP scripts on the same server, the user can write and upload a simple script to display all session variables on the screen. Armed with this script, the user will visit your web site, write down the session number, and then point the browser to his own web site and, using the session number from your site, read all of the session data. With some luck and care, he will also be able to modify the session data and then go back to your web site with, say, more privileges.

To be honest, this sounds cool but it isn't necessary at all. It is much easier to access the session data directly on the disk, read it, change it, write it back. The same effect, less hassle.

If you can control your environment (either directly or through a friendly administrator) then simply change the configuration option session.save_path to point (for your domain name only, of course) to your private directory. Please note that even this will not help if the safe mode is not turned on to prevent other people from accessing your files.

If you can somehow create a folder to which the php engine can write, you can also try to change the save path at the beginning of every script, using the session_save_path() function.

While you are at it, it is always a good idea to configure the following options as well:
session.name - something unique to your web site, PHPSESSID is a default value
session.cookie_path - only if you do not use the whole domain name

These do not have much value if you have the domain name exclusively for yourself but they can save you from a lot of trouble (and increase security) if several different applications share the same space.

The HTTP_REFERER problem

If your site uses the wonderful URL rewriting feature then you have one more thing to worry about. Every click to an external site will reveal the session id to it. It is not that the problem is in the PHP code, the URL rewriting code does not append session ids to absolute URLs. But, the browser will send the URL of the page to the external site in the HTTP_REFERER header.

Solving this problem requires some discipline. Instead of sending people to external sites directly, send them through a simple script. You also need to reference this script through an absolute URL to a

http://www.webkreator.com/redirect.php? ... google.com

My first version of the script looked like this:

<?php header('Location: ' . $_SERVER['QUERY_STRING']); ?>

But I found out that Netscape uses the URI of the original page (the one containing the SID) when you use redirection. Oh well, another way is to use the META refresh technique:

<meta http-equiv="refresh" content="0; url=<?php echo htmlspecialchars($_SERVER['QUERY_STRING']); ?>">

Be warned that this will completely hide the referrer information. If you want other sites to know that you are sending people their way, use the JavaScript redirection technique instead.

Mark

Reproduced from somewhere, can't remember where
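
An added example (not code from the post above) that puts the two recommendations together: a session bootstrap that moves session files out of the shared /tmp and renames the cookie, and a redirect script that only forwards to an allow-listed destination so the external site never receives a URL carrying the SID. The path, session name and destination list are placeholders.

```php
<?php
// Two pieces shown in one file for readability.
// Part 1 (bootstrap.php): include this at the top of every script instead
// of calling session_start() directly.
function secure_session_start(string $savePath, string $cookiePath = '/'): void
{
    // Private, mode-0700 directory: other tenants on the host cannot list
    // or read the session files as they could under /tmp.
    if (!is_dir($savePath)) {
        mkdir($savePath, 0700, true);
    }
    session_save_path($savePath);

    // A unique name instead of the default PHPSESSID keeps this application's
    // cookie from colliding with others sharing the same domain.
    session_name('EXAMPLE_APP_SID');   // placeholder name

    // Scope the cookie to this application's path; HttpOnly stops page
    // scripts from reading the session id.
    session_set_cookie_params([
        'path'     => $cookiePath,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Part 2 (redirect.php): linked as an absolute URL, e.g.
// https://www.example.com/redirect.php?to=google  (placeholder host)
// The destination is looked up by key, so the script is not an open
// redirector and the SID never appears in the URL the browser reports.
const REDIRECT_TARGETS = [
    'google' => 'https://www.google.com/',
    'php'    => 'https://www.php.net/',
];

function redirect_target(?string $key): ?string
{
    return ($key !== null && isset(REDIRECT_TARGETS[$key])) ? REDIRECT_TARGETS[$key] : null;
}

$target = redirect_target($_GET['to'] ?? null);
if ($target === null) {
    http_response_code(400);
    exit('Unknown redirect target');
}
// Belt and braces: ask the browser to send no Referer at all to the destination.
header('Referrer-Policy: no-referrer');
header('Location: ' . $target, true, 302);
exit;
```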

Posted: Fri Mar 05, 2004 11:25 pm
by lazy_yogi
Thanks for the detailed response Mark.
It was very helpful and informative.

I'm thinking of just using cookies so it's stored on the client's machine and encrypting the cookie info. That way I don't have to bother asking the hosts to do anything.

Eli