The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.
A little while back I worked on my first logon page for a website, and all seemed to go well. However, checking the source today, when you fire up the logon page initially, after the
Page:
Yep, it'll make little difference changing the session name but even so PHPSESSID clearly announces what the variable is, and thus how your site might be vulnerable to attacks. Rename it to something else and theres at least the chance that the variable will be overlooked by some script/individual or whatever. Its one line of code to do it, what do you have to lose?
I thought about changing session name, but it seems a bit pointless... If the reason for changing it is security, the people who would be able to exploit any holes would very easily be able to check their cookies for the session name... Rendering the name change a bit pointless surely...?
$_SERVER["REQUEST_URI"] will give you the requesting URL.
If you're not accepting session id via the URL anymore, you may well find PHPSESSID in $_GET/$_POST/$_REQUEST too.
Also you should really change PHPSESSID with session_name to something a little less obvious.
If you're not accepting session id via the URL anymore, you may well find PHPSESSID in $_GET/$_POST/$_REQUEST too.
Also you should really change PHPSESSID with session_name to something a little less obvious.
Following on from this...
Is there a way to obtain the URL as it appears in the browser...? That way it would be possible to check if the user had entered a PHPSESSID as a variable in the URL, and let me display an error message if they had.
ie. if they'd entered:
www.mypage.com/logon.php?PHPSESSID=1234
then I'd check to see if PHPSESSID existed in the URL string and give an error message if it was present...
Had a quick browse on the web but canna find anything yet... I'm sure it must be possible though?
[EDIT] - Don't worry, just added a session_regenerate_id() straight after the session_start() to ensure that even if someone specifies a PHPSESSID in the URL, it's changed when they view the page.
Is there a way to obtain the URL as it appears in the browser...? That way it would be possible to check if the user had entered a PHPSESSID as a variable in the URL, and let me display an error message if they had.
ie. if they'd entered:
www.mypage.com/logon.php?PHPSESSID=1234
then I'd check to see if PHPSESSID existed in the URL string and give an error message if it was present...
Had a quick browse on the web but canna find anything yet... I'm sure it must be possible though?
[EDIT] - Don't worry, just added a session_regenerate_id() straight after the session_start() to ensure that even if someone specifies a PHPSESSID in the URL, it's changed when they view the page.
Sibs wrote:
> Does anyone know if this poses a security risk...? ie. could someone
> potentially 'steal' this session ID and then if the original user
> subsequently logs in, use that session ID to gain access to the login
> area...?
Yes it is a security risk. How much of one it is open to debate.
Easiest option is to just force PHP to maintain session data via cookies only. You can use ini_set to turn session.use_only_cookies on I think.
Even so, that isnt 100% fullproof. There are other ways to obtain the session id and theres nothing to stop people spoofing cookies either.
A better option is to a) make sure your session data contains nothing important, ie passwords and b) provide additional levels of authentication so a session id is essentially not enough to identify a user.
> Does anyone know if this poses a security risk...? ie. could someone
> potentially 'steal' this session ID and then if the original user
> subsequently logs in, use that session ID to gain access to the login
> area...?
Yes it is a security risk. How much of one it is open to debate.
Easiest option is to just force PHP to maintain session data via cookies only. You can use ini_set to turn session.use_only_cookies on I think.
Even so, that isnt 100% fullproof. There are other ways to obtain the session id and theres nothing to stop people spoofing cookies either.
A better option is to a) make sure your session data contains nothing important, ie passwords and b) provide additional levels of authentication so a session id is essentially not enough to identify a user.
Okay, main point is that the PHPSESSID is viewable to people, whether it's appended to the URL or visible in the source code...
Does anyone know if this poses a security risk...? ie. could someone potentially 'steal' this session ID and then if the original user subsequently logs in, use that session ID to gain access to the login area...?
Just wondering, as I have no idea what potential risks this poses or what steps could be taken to prevent any exploitation of it...
Chars.
Does anyone know if this poses a security risk...? ie. could someone potentially 'steal' this session ID and then if the original user subsequently logs in, use that session ID to gain access to the login area...?
Just wondering, as I have no idea what potential risks this poses or what steps could be taken to prevent any exploitation of it...
Chars.
Garin wrote:
> The bit in bold is the important part, bottom line PHP will add
> session ids to a form submission.
> Before you make assertions, doesnt hurt to look them up in the manual
> especially if you're contradicting something.
Damn, sorry. My bad. I checked in the manual before I posted and I missed that bit! Sorry.
> The bit in bold is the important part, bottom line PHP will add
> session ids to a form submission.
> Before you make assertions, doesnt hurt to look them up in the manual
> especially if you're contradicting something.
Damn, sorry. My bad. I checked in the manual before I posted and I missed that bit! Sorry.
Nimco wrote:
> PHP won't add a tag to a form automatically. It'll append the session
> ID to a URL, but not add it to a form.
From: http://uk.php.net/session
Session configuration option
url_rewriter.tags
url_rewriter.tags specifies which HTML tags are rewritten to include session id if transparent sid support is enabled. Defaults to a=href,area=href,frame=src,input=src, form=fakeentry,fieldset=
The bit in bold is the important part, bottom line PHP will add session ids to a form submission.
Before you make assertions, doesnt hurt to look them up in the manual especially if you're contradicting something.
> PHP won't add a tag to a form automatically. It'll append the session
> ID to a URL, but not add it to a form.
From: http://uk.php.net/session
Session configuration option
url_rewriter.tags
url_rewriter.tags specifies which HTML tags are rewritten to include session id if transparent sid support is enabled. Defaults to a=href,area=href,frame=src,input=src, form=fakeentry,fieldset=
The bit in bold is the important part, bottom line PHP will add session ids to a form submission.
Before you make assertions, doesnt hurt to look them up in the manual especially if you're contradicting something.
Garin wrote:
> Read his post again, as he said PHP does it. Default PHP behaviour
> is to add session ids to all GET/POST data when a session is started
> and an old one hasnt been detected.
PHP won't add a tag to a form automatically. It'll append the session ID to a URL, but not add it to a form.
> Read his post again, as he said PHP does it. Default PHP behaviour
> is to add session ids to all GET/POST data when a session is started
> and an old one hasnt been detected.
PHP won't add a tag to a form automatically. It'll append the session ID to a URL, but not add it to a form.
Nimco wrote:
> Why are you trying to post the PHPSESSID? You shouldn't need to
> because you can call it direct from PHP using:
Read his post again, as he said PHP does it. Default PHP behaviour is to add session ids to all GET/POST data when a session is started and an old one hasnt been detected.
> Why are you trying to post the PHPSESSID? You shouldn't need to
> because you can call it direct from PHP using:
Read his post again, as he said PHP does it. Default PHP behaviour is to add session ids to all GET/POST data when a session is started and an old one hasnt been detected.
Page: