Re: [PHP] session security issue

2001-08-16 Thread Renze Munnik

On Wed, Aug 15, 2001 at 10:52:33PM -0300, Christian Dechery wrote:
 $HTTP_SERVER_VARS['SSL_SESSION_ID']
 
 Another thing I found with phpinfo() is
 $HTTP_SERVER_VARS['UNIQUE_ID']. I don't know (yet) what it is, but it
 sounds usable, doesn't it?
 
 sure it does... but first we need to know exactly what it is. Anyone?

Well I don't... but I _do_ know it's _really_ unique. It's never
the same. So actually I don't really know what to do with it.
Although probably at some time something will come up where one
would need it. I think.
To be short... AFAIK it's exactly what it's called: a unique ID.

-- 

* RzE:

-- 
-- Renze Munnik
-- DataLink BV
--
-- E: [EMAIL PROTECTED]
-- W: +31 23 5326162
-- F: +31 23 5322144
-- M: +31 6 21811143
-- H: +31 23 5516190
--
-- Stationsplein 82
-- 2011 LM  HAARLEM
--
-- http://www.datalink.nl
-- 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] session security issue

2001-08-15 Thread Renze Munnik

On Tue, Aug 14, 2001 at 02:32:03PM -0700, David Price wrote:
 Sean,
 
 That is a very interesting suggestion.  How would you call that using PHP?
 
 Thanks,
 
 David Price


$HTTP_SERVER_VARS['SSL_SESSION_ID']

Another thing I found with phpinfo() is
$HTTP_SERVER_VARS['UNIQUE_ID']. I don't know (yet) what it is, but it
sounds usable, doesn't it?






Re: [PHP] session security issue

2001-08-15 Thread speedboy

You need to check against a value that was registered as a session
variable. There is no use in checking if some SSL variable is set. Here's
a simplified version of my check_session function that I run at the top of
every page that requires a session to be established.

I also write to the session file on every click. This lets me know how many
sessions are actually active. I have a session deletion script that runs
every minute to check the date of the session file, if it's older than a
defined time it will remove the session file.

The session deletion script is available at http://database.sf.net/

Any other ideas to make a session more secure?

<?php
// Run at the top of every page that requires an established session.
function check_session() {
    session_start();

    // user_id is only ever registered by the login code, so its presence
    // in the session store means the user authenticated earlier.
    if (session_is_registered("user_id")) {
        return TRUE;
    } else {
        header("Location: login.php");
        exit;
    }
}
?>


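speedboy's check_session() and the cron-driven reaper above, as an added example that is not speedboy's code: the same top-of-page check, extended so that the idle and absolute limits are enforced from timestamps kept in the session itself (independent of the session file's mtime and of whether the reaper has run yet), the session id is rotated at login and periodically, and the session cookie is restricted to cookie-only, HttpOnly and, over HTTPS, Secure. The user_id key and login.php come from the thread; the time limits are assumptions, and the walk-through at the bottom uses an injected clock instead of waiting.

```php
<?php
// Added example; not speedboy's code. check_session() in the same shape as
// the one posted, with the idle/absolute limits enforced from timestamps
// stored in the session (no dependence on session file mtime or on the cron
// reaper), session id rotation, and a hardened session cookie.
// Assumptions: the limits below, the user_id key, and login.php.

define('SESSION_IDLE_LIMIT',     15 * 60);   // seconds allowed between clicks
define('SESSION_ABSOLUTE_LIMIT', 8 * 3600);  // seconds allowed since login
define('SESSION_ROTATE_EVERY',   30 * 60);   // seconds between id rotations

function start_secure_session()
{
    // Accept the id from the cookie only: an id in the URL (?PHPSESSID=...)
    // can be planted on a victim (fixation) or leak via Referer and logs.
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);
    // HttpOnly keeps the cookie away from script; Secure needs HTTPS.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();
}

// Returns the logged-in user id, or null after destroying a missing, idle or
// expired session. $now is injectable so the limits can be exercised offline.
function session_user_id($now = null)
{
    $now = ($now === null) ? time() : $now;
    foreach (array('user_id', 'login_at', 'last_seen', 'rotated_at') as $k) {
        if (!isset($_SESSION[$k])) {
            return null;
        }
    }
    $idle_too_long = ($now - $_SESSION['last_seen']) > SESSION_IDLE_LIMIT;
    $too_old       = ($now - $_SESSION['login_at']) > SESSION_ABSOLUTE_LIMIT;
    if ($idle_too_long || $too_old) {
        $_SESSION = array();
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = $now;               // the "write on every click"
    if (($now - $_SESSION['rotated_at']) > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);             // the old id stops working
        $_SESSION['rotated_at'] = $now;
    }
    return (int) $_SESSION['user_id'];
}

// Call once the password check has succeeded.
function login_user($user_id, $now = null)
{
    $now = ($now === null) ? time() : $now;
    session_regenerate_id(true);                 // never keep a pre-login id
    $_SESSION['user_id']    = (int) $user_id;
    $_SESSION['login_at']   = $now;
    $_SESSION['last_seen']  = $now;
    $_SESSION['rotated_at'] = $now;
}

// Drop-in for the check_session() run at the top of every protected page.
function check_session()
{
    start_secure_session();
    if (session_user_id() === null) {
        header('Location: login.php');
        exit;
    }
    return true;
}

// Offline walk-through (php this_file.php): log in at t0, click after 10
// minutes (still valid), then come back after 20 idle minutes (expired).
// All session work happens before any output so no headers are sent late.
start_secure_session();
$t0 = time();
login_user(42, $t0);
$after_10_min = session_user_id($t0 + 10 * 60);
$after_30_min = session_user_id($t0 + 30 * 60);   // 20 min idle since last click
echo 'after 10 min: ', var_export($after_10_min, true), "\n";
echo 'after 30 min: ', var_export($after_30_min, true), "\n";
```

Keeping the timestamps in the session rather than relying on the file's mtime also means the check behaves the same under a database or memcache session handler, where there is no file for a reaper to inspect.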




[PHP] session security issue

2001-08-14 Thread Christian Dechery

I have pages that use sessions for security that look something like this:

<?php
session_start();

// $uid is meant to come from the session; if it is not set, force a login
if( !isset($uid) )
{
    include("include/auth.inc.php");
    auth_user();
}

// more code...
?>

so $uid tells me if the user is logged on or not...

but what if somebody calls the script directly from the address bar like 
this: http://server/script.php?uid=10

wouldn't this be a security problem?

. Christian Dechery (lemming)
. http://www.tanamesa.com.br
. Gaita-L Owner / Web Developer






Re: [PHP] session security issue

2001-08-14 Thread Renze Munnik

On Tue, Aug 14, 2001 at 08:42:22AM -0300, Christian Dechery wrote:
 I have pages that use sessions for security that look something like this:
 
 <?php
   session_start();
 
   if( !isset($uid) )
   {
       include("include/auth.inc.php");
       auth_user();
   }
 
   // more code...
 ?>
 
 so $uid tells me if the user is logged on or not...
 
 but what if somebody calls the script directly from the address bar like 
 this: http://server/script.php?uid=10
 
 wouldn't this be a security problem?


Christian,

This can indeed be a security issue. Try using
$HTTP_SESSION_VARS['uid'] instead. It's a safer solution. Then one
cannot just use ?uid=10 in order to fool you. At least, not in that
way.






Re: [PHP] session security issue

2001-08-14 Thread Tim

If you test $HTTP_SESSION_VARS['uid'] instead, you'll know that it came
from a session and not from a GET variable.

- Tim

On 14 Aug 2001 08:42:22 -0300, Christian Dechery wrote:
 I have pages that use sessions for security that look something like this:
 
 <?php
   session_start();
 
   if( !isset($uid) )
   {
       include("include/auth.inc.php");
       auth_user();
   }
 
   // more code...
 ?>
 
 so $uid tells me if the user is logged on or not...
 
 but what if somebody calls the script directly from the address bar like 
 this: http://server/script.php?uid=10



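Christian's question and the replies from Renze and Tim, as an added example that is not code from the thread: the isset($uid) check as posted, run under register_globals, beside the hardened form that reads the id only from the session store. $_SESSION (PHP 4.1 and later) stands in for $HTTP_SESSION_VARS; login.php and auth_user() are names assumed from the thread; the ?uid=10 request is constructed to reproduce the attack.

```php
<?php
// Added example; not code from the thread. Shows the isset($uid) check from
// Christian's page failing under register_globals=On (the PHP 4 default),
// and the $HTTP_SESSION_VARS / $_SESSION check Renze and Tim recommend.
// Assumptions: login.php is the login page; $_SESSION (PHP >= 4.1) stands
// in for $HTTP_SESSION_VARS; the request below is constructed for the demo.
session_start();

// Constructed request: http://server/script.php?uid=10 with no prior login.
$constructed_get = array('uid' => '10');

// --- Vulnerable check (the original page) ---------------------------------
// register_globals imports every GET/POST/cookie key as a plain variable, so
// the attacker's ?uid=10 defines $uid before the page even looks at the
// session. extract() reproduces that import for the demonstration.
extract($constructed_get);                 // $uid is now the string '10'
$vulnerable_says_logged_in = isset($uid);  // satisfied without any login

// --- Hardened check --------------------------------------------------------
// Consult only the server-side session store. The client holds nothing but
// the opaque session id cookie, so no query string can populate $_SESSION.
function current_uid()
{
    if (!isset($_SESSION['uid']) || !is_int($_SESSION['uid']) || $_SESSION['uid'] <= 0) {
        return null;                       // not logged in
    }
    return $_SESSION['uid'];
}

function require_login()
{
    if (current_uid() === null) {
        header('Location: login.php');     // assumed login page name
        exit;
    }
}

// The login code (auth_user() in the thread) is the only place that writes
// uid into the session, after the password check. Rotating the id here means
// a session id planted before login (fixation) is never promoted to a
// logged-in one.
function mark_logged_in($uid)
{
    session_regenerate_id(true);
    $_SESSION['uid'] = (int) $uid;
}

// Walk-through when run from the command line: php script.php
// (session state is changed before any output so no headers are sent late)
$hardened_before_login = current_uid() !== null;
mark_logged_in(10);
$hardened_after_login  = current_uid() !== null;
echo 'vulnerable check, ?uid=10, no login: ', var_export($vulnerable_says_logged_in, true), "\n";
echo 'hardened check,   ?uid=10, no login: ', var_export($hardened_before_login, true), "\n";
echo 'hardened check after login:          ', var_export($hardened_after_login, true), "\n";
```

The point the thread makes in words is visible in the two checks: the vulnerable one cannot tell a session variable from a query-string variable because register_globals merges them into one namespace, while the hardened one never reads anything the client can write directly. Turning register_globals off in php.ini removes the whole class of problem, but the session-superglobal check is still the right one to write.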




Re: [PHP] session security issue

2001-08-14 Thread Sean C. McCarthy

Hi,

For security use SSL and get the SSL session ID instead. This cannot be
fooled since it is based on a PK handshake and symmetric encryption.

Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)

Christian Dechery wrote:
 
 I have pages that use sessions for security that look something like this:
 
 <?php
 session_start();
 
 if( !isset($uid) )
 {
     include("include/auth.inc.php");
     auth_user();
 }
 
 // more code...
 ?>
 
 so $uid tells me if the user is logged on or not...
 
 but what if somebody calls the script directly from the address bar like
 this: http://server/script.php?uid=10
 
 wouldn't this be a security problem?
 
 . Christian Dechery (lemming)
 . http://www.tanamesa.com.br
 . Gaita-L Owner / Web Developer
 





RE: [PHP] session security issue

2001-08-14 Thread David Price

Sean,

That is a very interesting suggestion.  How would you call that using PHP?

Thanks,

David Price

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Sean C. McCarthy
Sent: Tuesday, August 14, 2001 6:12 AM
To: Christian Dechery
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] session security issue


Hi,

For security use SSL and get the SSL session ID instead. This cannot be
fooled since it is based on a PK handshake and symmetric encryption.

Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)

Christian Dechery wrote:

 I have pages that use sessions for security that look something like this:

 <?php
 session_start();

 if( !isset($uid) )
 {
     include("include/auth.inc.php");
     auth_user();
 }

 // more code...
 ?>

 so $uid tells me if the user is logged on or not...

 but what if somebody calls the script directly from the address bar like
 this: http://server/script.php?uid=10

 wouldn't this be a security problem?
 
 . Christian Dechery (lemming)
 . http://www.tanamesa.com.br
 . Gaita-L Owner / Web Developer



