session_name("MyCn") against impersonation?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
Jaxolotl
Forum Contributor
Posts: 137
Joined: Mon Nov 13, 2006 4:19 am
Location: Argentina and Italy

session_name("MyCn") against impersonation?

Post by Jaxolotl »

1 - is it a good practice to call session_name("MyCustomName"); before session_start() to avoid session impersonation by query string?

By adding this to my proyect (to the other security staff) I found that obviously is no possible to "hijack" anotherone session by adding PHPSESSID=whatever to the q-string

2 - What I doesn't understand is that adding MyCustomName=whatever aint work, why is it?

Sorry, forget about item 2, I disable 3 days ago session.use_trans_sid on my php configuration

user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Re: session_name("MyCn") against impersonation?

Post by user___ »

I do not find those two tips protective against session impersonation. Read that article, they suggest some protection mechanisms http://php-mag.net/itr/online_artikel/p ... d,114.html
I recommend you to have a look at this http://www.php.net/manual/en/function.s ... ate-id.php
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: session_name("MyCn") against impersonation?

Post by kaisellgren »

Jaxolotl wrote:is it a good practice to call session_name("MyCustomName"); before session_start() to avoid session impersonation by query string?
It is easy for an attacker to find out this "custom name" (cookies and query strings) and then attack. The only situation where it may give some good is the case where the potential cracker will never have a session setuped for him. In this case, it is still theoretically (or even practically in worst case) to perform Session Fixation attacks. No, it is not a good practise.
User avatar
Jaxolotl
Forum Contributor
Posts: 137
Joined: Mon Nov 13, 2006 4:19 am
Location: Argentina and Italy

Re: session_name("MyCn") against impersonation?

Post by Jaxolotl »

thank you both for your help.
user___ wrote:I do not find those two tips protective against session impersonation. Read that article, they suggest some protection mechanisms http://php-mag.net/itr/online_artikel/p ... d,114.html
I recommend you to have a look at this http://www.php.net/manual/en/function.s ... ate-id.php
I'm working on correcting session fixation issues this days. The artichle http://shiflett.org/articles/the-truth-about-sessions was very usefull, and yes I use session_regenerate_id(). I also analyze vBulletin login system too.

One thing I don't know he reason why is that when session.use_trans_sid is disables it was still possible to fixate the session on that server using the default PHPSESSID but when I change it to a custom session name on the same configuration it wasn't possible anymore.

Any explanation?
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: session_name("MyCn") against impersonation?

Post by kaisellgren »

If you disable session.use_trans_id, Session Fixation attacks may still occur. This directive has nothing to do with being able (not) to change session identifiers by passing PHPSESSID=x into the URL. Even if you rename your "PHPSESSID" into something else, it won't help against Session Fixation attacks.
Post Reply