[PHP] sessions security (no problems just question)

2003-06-14 Thread Ryan A
Hi,
I have been reading up on the old discussions on this list as I was very
busy for the past few days and I saw a very interesting topic regarding
sessions and security.

I really didn't understand some of the things you guys wrote on hijacking a
session...do you have any examples of this?
How can someone else have the session info of another user?
After looking at the session id I see that it's a long garbled string and
even if someone is a good guesser...isn't that a very very very long shot? Or
am I missing something?

I looked up on Google and I didn't see anything major...

I don't mean to drag this topic up all over again so if any of you have any
URLs that you think would shed some light on this matter please do post
it to me.

This concerns me a lot as I have a very sessions heavy site...which is
also a kind of paysite/freesite.

Cheers,
-Ryan


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] sessions security (no problems just question)

2003-06-14 Thread Jeff Harris
On Jun 14, 2003, Ryan A claimed that:

|Hi,
|I have been reading up on the old discussions on this list as I was very
|busy for the past few days and I saw a very interesting topic regarding
|sessions and security.
|
|I really didn't understand some of the things you guys wrote on hijacking a
|session...do you have any examples of this?
|How can someone else have the session info of another user?
|After looking at the session id I see that it's a long garbled string and
|even if someone is a good guesser...isn't that a very very very long shot? Or
|am I missing something?
|
|I looked up on Google and I didn't see anything major...
|
|I don't mean to drag this topic up all over again so if any of you have any
|URLs that you think would shed some light on this matter please do post
|it to me.
|
|This concerns me a lot as I have a very sessions heavy site...which is
|also a kind of paysite/freesite.
|
|Cheers,
|-Ryan

From http://www.php.net/manual/en/print/ref.session.php

There are several ways to leak an existing session id to third parties. A
leaked session id enables the third party to access all resources which
are associated with a specific id. First, URLs carrying session ids. If
you link to an external site, the URL including the session id might be
stored in the external site's referrer logs. Second, a more active
attacker might listen to your network traffic. If it is not encrypted,
session ids will flow in plain text over the network. The solution here is
to implement SSL on your server and make it mandatory for users.

Another way is to monitor session.save_path of another domain on a server
that you have access to. Using some screen scraping techniques it might
not be hard to extract passwords or (using something similar to Amazon's
'one-click' purchasing) to buy a bunch of crap using someone else's money.

-- 
Registered Linux user #304026.
lynx -source http://jharris.rallycentral.us/jharris.asc | gpg --import
Key fingerprint = 52FC 20BD 025A 8C13 5FC6  68C6 9CF9 46C2 B089 0FED
Responses to this message should conform to RFC 1855.






Re: [PHP] sessions security (no problems just question)

2003-06-14 Thread vh
JH are associated with a specific id. First, URLs carrying session ids. If
JH you link to an external site, the URL including the session id might be
JH stored in the external site's referrer logs. Second, a more active
JH attacker might listen to your network traffic. If it is not encrypted,
JH session ids will flow in plain text over the network. The solution here is
JH to implement SSL on your server and make it mandatory for users.

Also I want to note: if sids are accessible via http_referer, there is
a way to execute PHP scripts on behalf of a user. For example, a user
clicks a link to some PHP script which grabs the sid from the referer and
then outputs HTML with a redirect to another script (for example to
set a forwarding filter, etc.). Since the sid is right and the script
was also called from the user's PC, this is quite a bad thing, but
unfortunately this still exists on several web-based e-mails. So, be
careful in using only session mechanisms provided by PHP. It's quite
insecure.


-- 
Best regards,
Martchukov Anton aka VH mailto:[EMAIL PROTECTED]
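
The leak paths described in the replies above (session ids carried in URLs and Referer headers, unencrypted traffic, a shared session.save_path) each map onto a PHP session setting. The bootstrap below is an added example, not code from any poster in this thread; it assumes PHP 7.3 or later with TLS terminating at the web server that runs PHP, and the directory path and the on_login() helper are hypothetical.

```php
<?php
// Added example: session bootstrap covering the leak paths named in the thread.
// Assumptions: PHP 7.3+, HTTPS-only site, placeholder directory path.

// URLs and Referer headers: never accept or emit a session id in a URL,
// so an outbound link cannot carry it into another site's referrer log.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session ids that this server did not issue.
ini_set('session.use_strict_mode', '1');

// Plain-text traffic: the cookie is sent over TLS only and is not
// readable from page scripts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Shared session.save_path: keep session files in a directory that only
// this application's account can read, not the server-wide default.
$dir = '/var/lib/php-sessions/example-app';   // placeholder path
if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
    throw new RuntimeException('cannot create session directory');
}
if ((fileperms($dir) & 0077) !== 0) {
    throw new RuntimeException('session directory is accessible to other accounts');
}
session_save_path($dir);

// Refuse to start a session on an unencrypted request.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(400);
    exit('HTTPS required');
}

session_start();

// Hypothetical helper: issue a fresh id at login so an id seen before
// authentication is useless afterwards.
function on_login(string $userId): void
{
    session_regenerate_id(true);   // true = delete the old session file
    $_SESSION['user_id'] = $userId;
}
```

The directory check only isolates sessions when each site runs under its own system account; if every site on the host executes as the same web-server user, file permissions do not separate them.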

