My Users keep getting logged in as others.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

A proxy/privacy system may be removing that information.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

So, this pretty much ruins my authentication system?

If I checked the value of the session_id() (deleted), against the value stored in the database (deleted), then any user whose values have been deleted by a proxy system or whatever.. would have the same credentials on both ends (deleted), thus it really wouldn't matter what their ID is.. they could be logged in as anyone who has their credentials set to "deleted".

Proposed solution?

I have also run chkrootkit on the server and the output appears normal.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

session_regenerate_id()?

You could, potentially, set the URL transport of the session ID. As for making sure users don't hijack others, without a cookie to help, I don't really know other than requesting them to log in again before doing anything near sensitive. I like to implement login requirements when moving up in permission requirements... such as when entering an administrative area, attempting to edit profiles, sometimes to make posts/update/create things..
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Hmm. Seems that would be annoying in a highly dynamic environment :P I'm trying to look for the reason that it's being set to deleted. I didn't realize anything (including proxies) could change session information that's on MY server. And I don't think 17 people would be using the same proxy server. Maybe 17 users would be using a proxy, but they wouldn't all set values to "deleted".
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The proxies aren't changing information on your server. You're changing your own information by accepting the data authoritatively. Remember, the cookies are all sent in the headers when the request is made.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Good point. But the only time I'm storing (or updating) the session id in the database is on this line:

Code:

mysql_query("
UPDATE
	`users`
SET
	`user_last_visit` = '".time()."',
	`lastlogin` = '".time()."',
	`session` = '".session_id()."',
	`lastloginip` = '{$_SERVER['REMOTE_ADDR']}'
WHERE
	`id` = '{$array['id']}'
") or die(mysql_error());

Unless the session_id() function grabs the info from the cookie, then it wouldn't be possible to set the database value to 'deleted'.

[edit]the session is generated and stored on this same page, so there is no new page request (cookie headers being sent) before the id is stored in the db.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

scottayy wrote: Unless the session_id() function grabs the info from the cookie, then it wouldn't be possible to set the database value to 'deleted'.

That's exactly what it is doing. That's how the session is kept track of across multiple pages when the URL doesn't contain the information it needs. When neither exists, it will generate a new ID on its own.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Wow, I didn't know a cookie value could be retrieved on the same page it's set. I know it can't by scripts.. without special configuration?

So now the question comes down to why the cookie values are being set to "deleted". And not only that, some cookie values are accepted as is, and others are set to deleted. Weird.

Maybe on an unrelated note.. I notice the cookie values that are being kept are the ones that have slashes added to them. My PHP is set to add slashes, and those don't get set to deleted. Coincidence?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I've spoken to two of the users directly. Both are using Windows XP Home, IE.. and as far as they're *aware of* aren't using a proxy.

I also asked them to tell me their privacy settings for cookies. One was 'medium'. The other was 'medium high'. I tried playing with my own browser settings and it didn't produce the "deleted" effect.

I.... am running out of ideas as to why the cookie values are being set to "deleted". I read through lots & lots of session manual pages, googled for a little bit, and still nothing. :P Does anyone know of any programs, browser plugins, etc that would be causing this?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Actually, I believe this is a bug in PHP.

http://bugs.php.net/bug.php?id=33526

I was informed of this by a fellow programmer who had experienced the same problem. I imagine upgrading PHP should do the trick. :?:
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Wow, 4 posts in a row by me. :-D That's okay, this one is informational. It seems the only way around this is a hack. I'll share in case someone is searching for this topic.

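Code:

// Bounce any request whose session ID (as PHP sees it, or as sent in the cookie) is the literal "deleted".
// isset() avoids an undefined-index notice when the request carries no session cookie.
if((session_id() == 'deleted') || (isset($_COOKIE[session_name()]) && $_COOKIE[session_name()] == 'deleted'))
{
   header('Location: error.php');
   exit;
}

The error.php tells the user to make sure their computer clock is set to the right date, and to clear their cookies. That will fix the problem and the user will be able to log in again.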
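
The two points feyd raises in the thread (session_id() returns whatever the request cookie carried, and session_regenerate_id() can replace it) combined into one added example; this is not code from the thread or from any poster. The function names, the PDO handle and the ID format check are assumptions, while the `users` table and its `session` and `id` columns follow the query posted earlier.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// the `users` table and its `session`/`id` columns follow the query posted above.

// True only for a value shaped like an ID PHP itself would issue. Assumption:
// 22-256 characters from PHP's widest session ID alphabet (0-9 a-z A-Z , -).
function is_plausible_session_id($value)
{
    return is_string($value)
        && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $value) === 1;
}

// Use in place of a bare session_start(). session_id() echoes whatever the
// request cookie carried, so a malformed value such as "deleted" is discarded
// before PHP adopts it, and strict mode refuses IDs the server never issued.
function start_validated_session()
{
    ini_set('session.use_strict_mode', '1');
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_plausible_session_id($_COOKIE[$name])) {
        unset($_COOKIE[$name]);
    }
    session_start();
}

// Call after the password check succeeds. The ID stored in the database is
// generated by the server at this moment, never copied from the client.
function bind_session_to_user(PDO $pdo, $userId)
{
    session_regenerate_id(true); // new ID, old session data destroyed
    $stmt = $pdo->prepare('UPDATE users SET session = ? WHERE id = ?');
    $stmt->execute([session_id(), $userId]);
}

// Per-request check: constant-time comparison, and an empty or malformed
// stored value never matches, so two users can't meet on a shared placeholder.
function session_belongs_to_user($storedSessionId)
{
    return is_plausible_session_id($storedSessionId)
        && hash_equals($storedSessionId, session_id());
}
```

With these in place, a browser that keeps sending the literal "deleted" simply receives a fresh session instead of sharing one row's worth of credentials with every other affected user.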