The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.
If you're not accepting session id via the URL anymore, you may well find PHPSESSID in $_GET/$_POST/$_REQUEST too.
Also you should really change PHPSESSID with session_name to something a little less obvious.
Is there a way to obtain the URL as it appears in the browser...? That way it would be possible to check if the user had entered a PHPSESSID as a variable in the URL, and let me display an error message if they had.
ie. if they'd entered:
www.mypage.com/logon.php?PHPSESSID=1234
then I'd check to see if PHPSESSID existed in the URL string and give an error message if it was present...
Had a quick browse on the web but canna find anything yet... I'm sure it must be possible though?
[EDIT] - Don't worry, just added a session_regenerate_id() straight after the session_start() to ensure that even if someone specifies a PHPSESSID in the URL, it's changed when they view the page.
> Does anyone know if this poses a security risk...? ie. could someone
> potentially 'steal' this session ID and then if the original user
> subsequently logs in, use that session ID to gain access to the login
> area...?
Yes, it is a security risk. How much of one it is is open to debate.
Easiest option is to just force PHP to maintain session data via cookies only. You can use ini_set to turn session.use_only_cookies on I think.
Even so, that isn't 100% foolproof. There are other ways to obtain the session id and there's nothing to stop people spoofing cookies either.
A better option is to a) make sure your session data contains nothing important, ie passwords and b) provide additional levels of authentication so a session id is essentially not enough to identify a user.
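Added example, not part of any post in this thread: the measures discussed here (cookie-only session ids, a renamed session cookie, session_regenerate_id(), and a check beyond the session id) combined in PHP. The name APPSESS, the three function names, the HTTPS assumption and the User-Agent check are assumptions made for illustration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. APPSESS and the three function names are hypothetical.

function start_hardened_session(): void
{
    // Take the session id from the cookie only; ?PHPSESSID=... in a URL is ignored.
    ini_set('session.use_only_cookies', '1');
    // Stop PHP rewriting links and forms (url_rewriter.tags) to carry the id.
    ini_set('session.use_trans_sid', '0');
    // Refuse ids the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_name('APPSESS'); // less obvious than the default PHPSESSID
    session_set_cookie_params([
        'httponly' => true,   // not readable from page scripts
        'secure'   => true,   // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();

    // An id arriving in GET/POST means a link or form tried to supply one: issue a fresh id.
    if (isset($_GET[session_name()]) || isset($_POST[session_name()])) {
        session_regenerate_id(true);
    }
}

function on_login_success(int $userId): void
{
    // New id at the privilege change, so an id known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId; // store an identifier, never the password
    // Illustrative second check only: a User-Agent can be copied.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'])) {
        return null;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $ua)) {
        session_unset();
        session_destroy();
        return null;
    }
    return $_SESSION['user_id'];
}
```

Call start_hardened_session() at the top of every page before any output, and on_login_success() only after the credentials have been verified.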
Does anyone know if this poses a security risk...? ie. could someone potentially 'steal' this session ID and then if the original user subsequently logs in, use that session ID to gain access to the login area...?
Just wondering, as I have no idea what potential risks this poses or what steps could be taken to prevent any exploitation of it...
Chars.
> The bit in bold is the important part, bottom line PHP will add
> session ids to a form submission.
> Before you make assertions, doesn't hurt to look them up in the manual
> especially if you're contradicting something.
Damn, sorry. My bad. I checked in the manual before I posted and I missed that bit! Sorry.
> PHP won't add a tag to a form automatically. It'll append the session
> ID to a URL, but not add it to a form.
From: http://uk.php.net/session
Session configuration option
url_rewriter.tags
url_rewriter.tags specifies which HTML tags are rewritten to include session id if transparent sid support is enabled. Defaults to a=href,area=href,frame=src,input=src, form=fakeentry,fieldset=
The bit in bold is the important part, bottom line PHP will add session ids to a form submission.
Before you make assertions, doesn't hurt to look them up in the manual especially if you're contradicting something.
> Read his post again, as he said PHP does it. Default PHP behaviour
> is to add session ids to all GET/POST data when a session is started
> and an old one hasn't been detected.
PHP won't add a tag to a form automatically. It'll append the session ID to a URL, but not add it to a form.
> Why are you trying to post the PHPSESSID? You shouldn't need to
> because you can call it direct from PHP using:
Read his post again, as he said PHP does it. Default PHP behaviour is to add session ids to all GET/POST data when a session is started and an old one hasn't been detected.