RE: [PHP] ignoring client supplied session data
> What I do on my pages is perhaps a convoluted way of doing it but it
> works. I set a username and password session variables. Every time the
> page loads the script verifies the username and password are correct. If
> not, they don't get to see the rest. This, in my mind, prevents someone
> from supplying a key variable like $_session['logged_in']. This way they
> have to know the username and password.

But users can't supply session variables. So if your script sets $_SESSION['logged_in'], then only your script can change its value.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] ignoring client supplied session data
> I'm not worried about them using the query string for malicious purposes-
> I have register_globals off... I'm worried about someone messing with their
> cookie and setting authorized to true- that _will_ change my $_SESSION
> variable, unless I can find some way to ignore cookies, which brings us
> back to my original question- how do i ignore all client input, _especially_
> cookies???

Okay, you're confused. The only thing stored in a cookie with sessions is the session id. That relates to a file or database record where the actual data is stored. This session id is made so it's random and very hard to guess. So they can modify it all they want, odds are very good they'll never hit another active session id (otherwise sessions would be useless).

So, $_SESSION[] is data that's only stored on your server; $_GET, $_POST, and $_COOKIE are data that's coming from the user and shouldn't be trusted. If you have your own server, $_SESSION is safe. On a virtual server that's shared with other people, other people's scripts on the same server could modify your session files.

---John Holmes...
Re: [PHP] ignoring client supplied session data
on 28/11/02 9:22 AM, Evan Nemerson ([EMAIL PROTECTED]) wrote:

> I'm not worried about them using the query string for malicious purposes- I
> have register_globals off... I'm worried about someone messing with their
> cookie and setting authorized to true- that _will_ change my $_SESSION
> variable, unless I can find some way to ignore cookies, which brings us back
> to my original question- how do i ignore all client input, _especially_
> cookies???

Turn register_globals off (as you have). Then NEVER pull any data out of the $_COOKIES array, and you're now "ignoring" cookies :)

Perhaps a further step is to call something like unset($_COOKIES) at the top of every script... but I'm not sure how unset() works with the super global arrays.

Justin French
http://Indent.com.au
Web Development & Graphic Design
RE: [PHP] ignoring client supplied session data
I know I'm late in on this thread but ignoring cookies is easy - just don't set them and don't use any data in $_COOKIE[]... or am I missing your point?

$_COOKIE[] data should be treated with far more caution than $_SESSION[], i.e. it should be treated as hostile data. If you really have to recognise users coming back to your site after their session has timed out then store the bare minimum in the cookie, e.g. an encrypted User ID. You can then use that to look up their information in a database table and deal with their profile accordingly.

Users can switch off cookie support at any time or delete/tamper with cookies so don't make your code reliant on the stuff stored in them... In effect it is up to you what you save and process from persistent cookies...

HTH
Rich

> I'm not worried about them using the query string for malicious purposes- I
> have register_globals off... I'm worried about someone messing with their
> cookie and setting authorized to true- that _will_ change my $_SESSION
> variable, unless I can find some way to ignore cookies, which brings us back
> to my original question- how do i ignore all client input, _especially_
> cookies??
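One way to carry out Rich's advice above (keep only a minimal identifier in the persistent cookie, treat it as hostile until checked, then look the user up server-side) is shown below. This is an added example, not code from anyone in the thread. Instead of encrypting the user id it authenticates it with an HMAC tag, since the id is not secret, only unforgeable; the cookie name, the `REMEMBER_KEY` constant, the `$users` array and the session keys are all constructed for the example, and the options-array form of `setcookie()` needs PHP 7.3 or later rather than the PHP 4.2 the thread discusses.

```php
<?php
// Added example (not from the thread): a persistent "remember me" cookie that
// carries only a user id plus an HMAC tag. The cookie is treated as hostile
// input until the tag verifies and the user is found in the server-side table.
// REMEMBER_COOKIE, REMEMBER_KEY and $users are constructed for this example.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600;           // 30 days
// In a real deployment this key comes from configuration, never from the source.
const REMEMBER_KEY    = 'constructed-example-key-replace-me';

// Constructed stand-in for the users table: id => profile row.
$users = [
    42 => ['username' => 'alice', 'role' => 'editor'],
];

/** Build the cookie value "uid.expiry.tag" for a user who has just logged in. */
function issue_remember_cookie(int $uid): void
{
    $expiry  = time() + REMEMBER_TTL;
    $payload = $uid . '.' . $expiry;
    $tag     = hash_hmac('sha256', $payload, REMEMBER_KEY);

    setcookie(REMEMBER_COOKIE, $payload . '.' . $tag, [
        'expires'  => $expiry,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

/**
 * Validate the cookie and return the user row, or null. Every field is parsed
 * defensively: wrong shape, expired, or bad tag all fail closed. hash_equals()
 * keeps the tag comparison constant-time.
 */
function user_from_remember_cookie(array $users): ?array
{
    $raw   = $_COOKIE[REMEMBER_COOKIE] ?? '';
    $parts = explode('.', $raw);
    if (count($parts) !== 3) {
        return null;
    }
    [$uid, $expiry, $tag] = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expiry) || (int) $expiry < time()) {
        return null;
    }
    $expected = hash_hmac('sha256', $uid . '.' . $expiry, REMEMBER_KEY);
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    // Tag is genuine: now, and only now, consult the server-side record.
    return $users[(int) $uid] ?? null;
}

// Usage on a page load: if there is no live session but a valid cookie,
// rebuild the session from the database row, never from cookie contents.
session_start();
if (empty($_SESSION['logged_in'])) {
    $row = user_from_remember_cookie($users);
    if ($row !== null) {
        session_regenerate_id(true);
        $_SESSION['logged_in'] = true;
        $_SESSION['username']  = $row['username'];
        $_SESSION['role']      = $row['role'];
    }
}
```

Because the profile (username, role) is read from the server-side row rather than from the cookie, a tampered cookie can at most fail validation, and deleting or disabling the user's row revokes the cookie even before its expiry date.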
Re: [PHP] ignoring client supplied session data
I'm not worried about them using the query string for malicious purposes- I have register_globals off... I'm worried about someone messing with their cookie and setting authorized to true- that _will_ change my $_SESSION variable, unless I can find some way to ignore cookies, which brings us back to my original question- how do i ignore all client input, _especially_ cookies???

On Wednesday 27 November 2002 01:28 pm, you wrote:
> At 22:17 27.11.2002, Van Andel, Robert said:
> [snip]
> >On the other hand, I use only one query, searching for the username. I
> > had experimented with other methods but did not find anything that I felt
> > gave me great security. Using a session variable that says the person is
> > logged in can be placed into a query string therefore bypassing the
> > authentication process
> [snip]
>
> That's the main issue why register_globals is off by default since 4.2. If
> you don't use register_globals, your $_SESSION array is safe from
> intruders; only your script can set it from within your session. If any
> malicious guy passes a query variable ?$_SESSION['authorized']=true, this
> will only show up in the $_GET array, nowhere else. A print_r() of $_GET
> with this query string gives:
>
> $_GET = Array (
>     [$_SESSION] = Array (
>         ['authorized'] = 1
>     )
> )
>
> You might want to check out
>
> http://www.php.net/manual/en/security.registerglobals.php
>
> to read about the security issues involved. Basically having
> register_globals set to on allows an arbitrary user to implant variables of
> their choice into PHP, making any script more than unsafe. Having it
> switched off allows YOU to control the data that you work with - an
> absolute MUST unless you're begging for trouble, IMHO.

--
The public have an insatiable curiosity to know everything. Except what is worth knowing. Journalism, conscious of this, and having tradesman-like habits, supplies their demands.

-Oscar Wilde
RE: [PHP] ignoring client supplied session data
I will look into it. I still consider myself a newbie in the process having picked up a book back in February and learning to do it. I haven't gotten into using things like $_SESSION[] and similar with posting forms.

Thanks.

Robbert van Andel
===
Network Operator
NW Regional Operations Center
Charter Communications
ROC Phone: 866-311-6646
Desk Phone: 360-828-6727
email: DL NW ROC
===

-----Original Message-----
From: Ernest E Vogelsinger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 1:28 PM
To: Van Andel, Robert
Cc: Evan Nemerson; [EMAIL PROTECTED]
Subject: RE: [PHP] ignoring client supplied session data

At 22:17 27.11.2002, Van Andel, Robert said:
[snip]
>On the other hand, I use only one query, searching for the username. I had
>experimented with other methods but did not find anything that I felt gave
>me great security. Using a session variable that says the person is logged
>in can be placed into a query string therefore bypassing the authentication
>process
[snip]

That's the main issue why register_globals is off by default since 4.2. If you don't use register_globals, your $_SESSION array is safe from intruders; only your script can set it from within your session. If any malicious guy passes a query variable ?$_SESSION['authorized']=true, this will only show up in the $_GET array, nowhere else. A print_r() of $_GET with this query string gives:

$_GET = Array (
    [$_SESSION] = Array (
        ['authorized'] = 1
    )
)

You might want to check out

http://www.php.net/manual/en/security.registerglobals.php

to read about the security issues involved. Basically having register_globals set to on allows an arbitrary user to implant variables of their choice into PHP, making any script more than unsafe. Having it switched off allows YOU to control the data that you work with - an absolute MUST unless you're begging for trouble, IMHO.

--
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/
RE: [PHP] ignoring client supplied session data
At 22:17 27.11.2002, Van Andel, Robert said:
[snip]
>On the other hand, I use only one query, searching for the username. I had
>experimented with other methods but did not find anything that I felt gave
>me great security. Using a session variable that says the person is logged
>in can be placed into a query string therefore bypassing the authentication
>process
[snip]

That's the main issue why register_globals is off by default since 4.2. If you don't use register_globals, your $_SESSION array is safe from intruders; only your script can set it from within your session. If any malicious guy passes a query variable ?$_SESSION['authorized']=true, this will only show up in the $_GET array, nowhere else. A print_r() of $_GET with this query string gives:

$_GET = Array (
    [$_SESSION] = Array (
        ['authorized'] = 1
    )
)

You might want to check out

http://www.php.net/manual/en/security.registerglobals.php

to read about the security issues involved. Basically having register_globals set to on allows an arbitrary user to implant variables of their choice into PHP, making any script more than unsafe. Having it switched off allows YOU to control the data that you work with - an absolute MUST unless you're begging for trouble, IMHO.

--
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/
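The point John Holmes and Ernest Vogelsinger both make in this thread (with register_globals off, only the script can write `$_SESSION`, while anything the client sends lands in `$_GET`, `$_POST` or `$_COOKIE`) looks like this in code. This is an added example, not code from anyone in the thread: the `$users` table, the `handle_login()` and `require_login()` names and the `logged_in` session key are constructed, and it is written for current PHP (`password_verify()` and `session_regenerate_id()` postdate the PHP 4.2 of the thread). It also shows the approach Evan was asking about, setting a single session flag at login rather than re-querying the database on every page.

```php
<?php
// Added example (not from the thread): a minimal login handler and page guard
// that keep the "logged in" state only in $_SESSION, so nothing the client sends
// can set it. Assumes register_globals is off (the default since PHP 4.2) and a
// modern PHP; $users, handle_login() and require_login() are constructed here.

// Constructed stand-in for the database: username => password hash. In a real
// deployment the hash is produced once with password_hash() and stored.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

session_start();

/**
 * Handle a POSTed login form. Credentials arrive in $_POST (untrusted) and are
 * checked against the stored hash; only on success does the server set the
 * session flag the rest of the site relies on.
 */
function handle_login(array $users): bool
{
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }

    // Issue a fresh session id at the moment of login so the authenticated
    // session does not keep the id the browser held while anonymous.
    session_regenerate_id(true);

    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $user;
    return true;
}

/**
 * Page guard: the only thing consulted is $_SESSION, which lives on the server.
 * $_GET, $_POST and $_COOKIE are never read here, so a request such as
 *   page.php?_SESSION[logged_in]=1
 * or a hand-edited cookie cannot influence the decision.
 */
function require_login(): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: login.php');
        exit;
    }
}

// Ernest's observation, with register_globals off: a query string that names a
// superglobal only ever shows up inside $_GET, e.g. for
//   GET /page.php?_SESSION[authorized]=1
//   isset($_GET['_SESSION']['authorized'])   is true
//   isset($_SESSION['authorized'])           is false

// login.php entry point
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (handle_login($users)) {
        header('Location: members.php');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

Every protected page calls `require_login()` after `session_start()` and nothing else; the cookie the browser holds contributes only the session id, which selects the server-side record but cannot write into it. John Holmes's caveat about shared hosts still applies: the session files themselves must be readable only by your own scripts, which is a server configuration matter rather than something the code above can enforce.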
RE: [PHP] ignoring client supplied session data
On the other hand, I use only one query, searching for the username. I had experimented with other methods but did not find anything that I felt gave me great security. Using a session variable that says the person is logged in can be placed into a query string therefore bypassing the authentication process

Robbert van Andel

-----Original Message-----
From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 12:59 PM
To: Van Andel, Robert; [EMAIL PROTECTED]
Subject: Re: [PHP] ignoring client supplied session data

I was thinking about doing that, but I was hoping to avoid superfluous database queries. It is my fallback method, but i _really_ want to use sessions, but limit them to server-side modification.

On Wednesday 27 November 2002 12:51 pm, Van Andel, Robert wrote:
> What I do on my pages is perhaps a convoluted way of doing it but it works.
> I set a username and password session variables. Every time the page loads
> the script verifies the username and password are correct. If not, they
> don't get to see the rest. This, in my mind, prevents someone from
> supplying a key variable like $_session['logged_in']. This way they have
> to know the username and password.
>
> Robbert van Andel
>
>
> -----Original Message-----
> From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 27, 2002 12:39 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] ignoring client supplied session data
>
>
> I'm setting up a site using sessions right now, and I was just wondering if
> there is a way to ignore anything from the client side- I want them to POST
> a username and password, from there all data should be handled on the
> server.
>
> I'm already using the query string to avoid cookies, but I want to make
> sure that if the user _does_ have cookies on, any change in the data will
> be ignored by the server. Any suggestions?
>
> Basically, I think it would be a lot more efficient for me to set a
> _SESSION['logged_in'] variable once than query the database for every page,
> but I don't know if it would be secure or not- I don't want someone setting
> the logged_in variable in their cookie, then getting full access to the
> site...
>
>
> Thanks,
> Evan

--
If anyone can show me, and prove to me, that I am wrong in thought or deed, I will gladly change. I seek the truth, which never yet hurt anybody. It is only persistence in delusion and ignorance which does harm.

-Marcus Aurelius
Re: [PHP] ignoring client supplied session data
I was thinking about doing that, but I was hoping to avoid superfluous database queries. It is my fallback method, but i _really_ want to use sessions, but limit them to server-side modification.

On Wednesday 27 November 2002 12:51 pm, Van Andel, Robert wrote:
> What I do on my pages is perhaps a convoluted way of doing it but it works.
> I set a username and password session variables. Every time the page loads
> the script verifies the username and password are correct. If not, they
> don't get to see the rest. This, in my mind, prevents someone from
> supplying a key variable like $_session['logged_in']. This way they have
> to know the username and password.
>
> Robbert van Andel
>
>
> -----Original Message-----
> From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 27, 2002 12:39 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] ignoring client supplied session data
>
>
> I'm setting up a site using sessions right now, and I was just wondering if
> there is a way to ignore anything from the client side- I want them to POST
> a username and password, from there all data should be handled on the
> server.
>
> I'm already using the query string to avoid cookies, but I want to make
> sure that if the user _does_ have cookies on, any change in the data will
> be ignored by the server. Any suggestions?
>
> Basically, I think it would be a lot more efficient for me to set a
> _SESSION['logged_in'] variable once than query the database for every page,
> but I don't know if it would be secure or not- I don't want someone setting
> the logged_in variable in their cookie, then getting full access to the
> site...
>
>
> Thanks,
> Evan

--
If anyone can show me, and prove to me, that I am wrong in thought or deed, I will gladly change. I seek the truth, which never yet hurt anybody. It is only persistence in delusion and ignorance which does harm.

-Marcus Aurelius
RE: [PHP] ignoring client supplied session data
What I do on my pages is perhaps a convoluted way of doing it but it works. I set a username and password session variables. Every time the page loads the script verifies the username and password are correct. If not, they don't get to see the rest. This, in my mind, prevents someone from supplying a key variable like $_session['logged_in']. This way they have to know the username and password.

Robbert van Andel

-----Original Message-----
From: Evan Nemerson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 12:39 PM
To: [EMAIL PROTECTED]
Subject: [PHP] ignoring client supplied session data

I'm setting up a site using sessions right now, and I was just wondering if there is a way to ignore anything from the client side- I want them to POST a username and password, from there all data should be handled on the server.

I'm already using the query string to avoid cookies, but I want to make sure that if the user _does_ have cookies on, any change in the data will be ignored by the server. Any suggestions?

Basically, I think it would be a lot more efficient for me to set a _SESSION['logged_in'] variable once than query the database for every page, but I don't know if it would be secure or not- I don't want someone setting the logged_in variable in their cookie, then getting full access to the site...

Thanks,
Evan

--
If you would be a real seeker after truth, you must at least once in your life doubt, as far as possible, all things.

-Rene Descartes