Fake sessions?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Fake sessions?

Post by Chalks »

I've been using sessions for a while, mainly to pass error codes back and forth between pages. Now I'm actually using it to determine whether a user can access their personal information. I'm wondering if users could create fake session data. Is that possible? If so, how can I prevent it... any tutorials?

In particular, I have one page that loads based on whether the $_SESSION['logged'] value is true, and the content is based on $_SESSION['name'].


Thanks.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Fake sessions?

Post by jaoudestudios »

Yes, sessions can be faked. If you google it there are loads of results. PHP does have a response, which is to generate a new session_id every time a page is loaded.

Sessions are useful for the situation you are in; I cannot see another way.

You could encode the session data! But that's another story.

Instead of sending TRUE, send the user_id; then, when they come to a secure page, check that id in the database to double-check that the user exists. If it does, display the page; otherwise destroy the session and redirect them to the log in page.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Fake sessions?

Post by Mordred »

jaoudestudios wrote: Yes, sessions can be faked. If you google it there are loads of results. PHP does have a response, which is to generate a new session_id every time a page is loaded.
You seem to be mixing session_id theft with session data, and from then on what you say is nonsense. Do learn your terminology please.

@Chalks:

Session data is just a handy way to keep data on the server, and to "hide" the actual means of storage behind the interface of $_SESSION. Session storage can be implemented over the file system (the default implementation), over a database, shared memory, pigeons :), you name it.
Thus, there are two points of attack:
- Attack the underlying session storage (for example if you store sessions in a database, and you have a SQL injection hole that allows db modification, you can also modify session data)
- Attack the code that legitimately writes to the session data

Code:

if (buggy_check()) $_SESSION['logged']=1; //subvert buggy_check() and you're in
A real-life example of the second can be seen in an adjacent topic: viewtopic.php?f=34&t=87141&p=480931#p480931
Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Re: Fake sessions?

Post by Chalks »

Ah, thanks, that makes sense.
Mordred wrote: - Attack the underlying session storage (for example if you store sessions in a database, and you have a SQL injection hole that allows db modification, you can also modify session data)
Is there a way to find out how my sessions are being stored? I have no idea if it's going into a cookie, or is stored in a database, or simply exists in the 4th dimension. If stored in a cookie, could someone conceivably create a cookie that looks real to the server, but isn't?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Fake sessions?

Post by Mordred »

Most probably the default, i.e. in files in the session.savepath (variable in php.ini) directory.
http://bg.php.net/manual/en/function.se ... andler.php is the way to change the storage mechanism.

Sessions in cookies are a bit tricky, so don't try it at home :) Databases and files are the two most common scenarios; you shouldn't worry about others until you start developing huge applications with millions of users.
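
An added example, not code from any poster in this thread: it reports where PHP is keeping session data, writes the login marker in exactly one place after a strict check, and re-validates the stored user id on every protected page, as suggested above. The function names, the `$users` array standing in for a database table, and the sample account are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Where does PHP keep session data, and how does the session id reach the browser?
function session_storage_report(): array
{
    return [
        'save_handler' => ini_get('session.save_handler'), // "files" unless changed
        'save_path'    => session_save_path() ?: sys_get_temp_dir(), // empty with the files handler: temp dir
        'id_in_cookie' => (bool) ini_get('session.use_cookies'),
        'cookie_name'  => session_name(), // the cookie carries only the id, not the data
    ];
}

// The single place that writes the login marker, and only after a strict check.
// $users is a constructed stand-in for a user table: name => ['id', 'hash'].
function login(array $users, string $name, string $password): bool
{
    $row = $users[$name] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE && !headers_sent()) {
        session_regenerate_id(true); // new id once the privilege level changes
    }
    $_SESSION['user_id'] = $row['id'];
    return true;
}

// Gate for protected pages: trust the stored id only if the user table still has it.
function current_user(array $users): ?string
{
    $id = $_SESSION['user_id'] ?? null;
    foreach ($users as $name => $row) {
        if ($id !== null && $row['id'] === $id) {
            return $name;
        }
    }
    $_SESSION = []; // unknown or missing id: drop the session data
    return null;
}

if (PHP_SAPI === 'cli') { // constructed demo data, run with: php example.php
    session_start();
    $users = ['alice' => ['id' => 7, 'hash' => password_hash('constructed-pw', PASSWORD_DEFAULT)]];
    var_export([session_storage_report(), login($users, 'alice', 'wrong'), current_user($users),
        login($users, 'alice', 'constructed-pw'), current_user($users)]);
}
```

With the default files handler, the browser only ever holds the session id; `$_SESSION['user_id']` lives in a file under the reported save path, so it changes only through the storage itself or through code like `login()` that writes to it.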