session.cookie_secure Not Working As Expected

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

session.cookie_secure Not Working As Expected

Post by mecha_godzilla »

Hi,

The application I am currently working on is *not* allowed to be connected to over HTTP so the script has to redirect the user to use an HTTPS connection instead.

My problem is that the same session ID value is automatically being used for both connections - my understanding of the way PHP works is that if session.cookie_secure = 1 then it should not send cookies over insecure connections or reuse cookies when switching from HTTP to HTTPS; if I look at the cookie sent over HTTP in my browser it says "Send for: encrypted connections only" but sends it anyway.

I just wrote the following test script, with an explanation of its behavior included below:

<?php
// Test script from the original post: start (or resume) the session and print its ID.
session_start();
$sessionID = session_id();
echo $sessionID;

1. If I call the HTTP version first a cookie is set, and each time I refresh the page the session ID changes.
2. If I then call the HTTPS version the session ID *doesn't* change, and persists between page reloads.
3. If I switch back to the HTTP version again the session ID changes, and the behaviour is as for step #1.

I'm not sure if there's some kind of "gotcha" that I'm missing, but only the session ID persistence in HTTPS mode makes sense. Maybe I'm confusing the concept of *setting* a cookie and *sending* it, but if the server is sending the cookie in cleartext with HTTP and is then reusing that value for the HTTPS session, there would seemingly be a security issue there.

The value for session.cookie_secure is being set in the main php.ini file, but I've also tried using session_set_cookie_params() and the behaviour was the same, and the value is set according to the output from phpinfo().

Thanks in advance,

Mecha Godzilla

P.S. I just searched the forums and found that I asked this exact question about 3 years ago and used a workaround on that occasion, but a definitive answer would be nice this time :mrgreen:
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: session.cookie_secure Not Working As Expected

Post by requinix »

mecha_godzilla wrote: my understanding of the way PHP works is that if session.cookie_secure = 1 then it should not send cookies over insecure connections or reuse cookies when switching from HTTP to HTTPS
A Secure cookie means that the browser should not send it over insecure channels. It does not mean that the browser should ignore any instructions to set that cookie.

Take a look at RFC 6265. With emphasis,

    The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request *only if the request is transmitted over a secure channel* (typically HTTP over Transport Layer Security (TLS) [RFC2818]).

    Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).

As your steps went,
1. Your server set the cookie. The browser then did not send it during the requests and thus you get a new ID every time.
2. With the new page the browser sends the cookie value it had. The fact that it was set previously over an insecure connection is irrelevant: the flag governs only when it is sent.
3. As soon as you switch, the cookie will not be sent and you'll get new IDs every time.
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: session.cookie_secure Not Working As Expected

Post by mecha_godzilla »

Thanks - I think that makes sense :)

I'm still slightly confused by the issue with the HTTP-to-HTTPS switchover - if the server has sent a cookie to my browser over HTTP, it would presumably be possible for someone to packet-sniff that traffic and retrieve the cookie. Although I understand the point you're making that the browser will only send the same cookie if an HTTPS connection is made next, an attacker already has the session ID by that point and could exploit that information if the user then logged in (assuming the session ID was the only means of validating the user) and the application didn't regenerate the session ID immediately afterwards.

Is that correct? I think the point I'm trying to make is either that the cookie shouldn't be set for HTTP connections at all (which was the basis of my workaround) or the server shouldn't be sending a cookie to the browser in plaintext that will be reused for an HTTPS connection.

Thanks again for your help,

M_G
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: session.cookie_secure Not Working As Expected

Post by requinix »

Very true. That's why if a cookie needs to be secure then it should not be sent insecurely. However there are some circumstances where accidentally setting it isn't a problem: if you redirect to HTTPS but happen to set a cookie at the same time, regenerating the ID on the secure side is okay (since there's nothing contained in that other session yet).
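One way to put the advice in this thread into practice, as an added example that is not code from the thread or from either poster: redirect to HTTPS before any session cookie is issued, set the cookie flags in code, and regenerate any session ID that predates the secure connection. The canonical host name and the `issued_over_tls` session key are assumptions.

```php
<?php
// Added example, not code from the thread: issue the session cookie only over TLS,
// and regenerate any ID that predates the secure connection.
// Assumption: PHP sees TLS directly ($_SERVER['HTTPS']); behind a TLS-terminating
// proxy you would have to trust its X-Forwarded-Proto header instead.

const CANONICAL_HOST = 'app.example.invalid'; // assumed host; do not trust the Host header

function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

if (!request_is_https()) {
    // Redirect *before* session_start(): no Set-Cookie header ever travels in
    // cleartext, so a sniffer has no session ID to replay on the HTTPS side.
    header('Location: https://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'], true, 302);
    exit;
}

// Set the cookie attributes in code as well as php.ini (array form needs PHP >= 7.3).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,     // RFC 6265 Secure: sent only over a secure channel
    'httponly' => true,     // not readable by script
    'samesite' => 'Strict', // not attached to cross-site requests
]);
ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
ini_set('session.use_strict_mode', '1');  // discard IDs the server never issued

session_start();

// A record created before this page ran over HTTPS (older code, or the test script
// in this thread) carries no marker: replace its ID and delete the old record.
// Do the same on login or any other privilege change.
if (empty($_SESSION['issued_over_tls'])) {
    session_regenerate_id(true);
    $_SESSION['issued_over_tls'] = true;
}

echo session_id();
```

With this layout the HTTP test in the first post never produces a Set-Cookie header at all, and a session that was started by the old script over HTTP is replaced on its first HTTPS request.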
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: session.cookie_secure Not Working As Expected

Post by mecha_godzilla »

requinix wrote: Very true. That's why if a cookie needs to be secure then it should not be sent insecurely.
Ok, I like the sound of that. I think I can get away with using my original workaround, but I hadn't considered regenerating the cookie immediately after the redirection, so thanks for the suggestion.

Thanks again for your help. I think I've learned something this evening, although I have a sneaking suspicion that the effort I've expended will be inversely proportional to the results :lol:

M_G