Re: [PHP] session security issue
On Wed, Aug 15, 2001 at 10:52:33PM -0300, Christian Dechery wrote:
> >$HTTP_SERVER_VARS{"SSL_SESSION_ID"}
> >
> >Another thing I found with phpinfo() is
> >$HTTP_SERVER_VARS{"UNIQUE_ID"}. I don't know (yet) what it is, but it
> >sounds usable, doesn't it?
>
> sure it does... but first we need to know exactly what it is
> anyone?

Well I don't... but I _do_ know it's _really_ unique. It's never the
same. So actually I don't really know what to do with it. Although
probably at some time something will come up where one would need it.
I think. To be short... FAIK it's exactly what's called: a unique ID.

--
* R&zE:

--
-- Renze Munnik
-- DataLink BV
--
-- E: [EMAIL PROTECTED]
-- W: +31 23 5326162
-- F: +31 23 5322144
-- M: +31 6 21811143
-- H: +31 23 5516190
--
-- Stationsplein 82
-- 2011 LM HAARLEM
--
-- http://www.datalink.nl
--

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] session security issue
You need to check against a value that was registered as a session
variable. There is no use in checking if some SSL variable is set.

Here's a simplified version of my check_session function that I run at
the top of every page that requires a session to be established. I also
write to the session file on every click. This lets me know how many
sessions are "actually" active. I have a session deletion script that
runs every minute to check the date of the session file; if it's older
than a defined time it will remove the session file. The session
deletion script is available at http://database.sf.net/

Any other ideas to make a session more secure?

function check_session()
{
    session_start();
    // The session variable name must be a quoted string: a bare user_id
    // is an undefined constant that PHP only falls back to treating as
    // the string "user_id" (with a notice), so quote it explicitly.
    if (session_is_registered("user_id")) {
        return TRUE;
    } else {
        header("Location: login.php");
        exit;
    }
}
Re: [PHP] session security issue
On Tue, Aug 14, 2001 at 02:32:03PM -0700, David Price wrote:
> Sean,
>
> That is a very interesting suggestion. How would you call that using PHP?
>
> Thanks,
>
> David Price

$HTTP_SERVER_VARS{"SSL_SESSION_ID"}

Another thing I found with phpinfo() is
$HTTP_SERVER_VARS{"UNIQUE_ID"}. I don't know (yet) what it is, but it
sounds usable, doesn't it?

--
Renze Munnik
DataLink BV
RE: [PHP] session security issue
Sean,

That is a very interesting suggestion. How would you call that using PHP?

Thanks,

David Price

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean C. McCarthy
Sent: Tuesday, August 14, 2001 6:12 AM
To: Christian Dechery
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] session security issue

Hi,

For security use SSL and get the SSL session ID instead. This cannot be
fooled since it is based on a PK handshake and symmetric encryption.

Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)

Christian Dechery wrote:
>
> I have pages that use sessions for security that look something like this:
>
> <?php
> session_start();
>
> if( !isset($uid) )
> {
>     include("include/auth.inc.php");
>     auth_user();
> }
>
> more code...
> ?>
>
> so $uid tells me if the user is logged on or not...
>
> but what if somebody calls the script directly from the address bar like
> this: http://server/script.php?uid=10
>
> wouldn't this be a security problem?
>
> . Christian Dechery (lemming)
> . http://www.tanamesa.com.br
> . Gaita-L Owner / Web Developer
Re: [PHP] session security issue
Hi,

For security use SSL and get the SSL session ID instead. This cannot be
fooled since it is based on a PK handshake and symmetric encryption.

Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)

Christian Dechery wrote:
>
> I have pages that use sessions for security that look something like this:
>
> <?php
> session_start();
>
> if( !isset($uid) )
> {
>     include("include/auth.inc.php");
>     auth_user();
> }
>
> more code...
> ?>
>
> so $uid tells me if the user is logged on or not...
>
> but what if somebody calls the script directly from the address bar like
> this: http://server/script.php?uid=10
>
> wouldn't this be a security problem?
>
> . Christian Dechery (lemming)
> . http://www.tanamesa.com.br
> . Gaita-L Owner / Web Developer
Re: [PHP] session security issue
If you test $HTTP_SESSION_VARS["uid"] instead, you'll know that it came
from a session and not from a GET variable.

- Tim

On 14 Aug 2001 08:42:22 -0300, Christian Dechery wrote:
> I have pages that use sessions for security that look something like this:
>
> <?php
> session_start();
>
> if( !isset($uid) )
> {
>     include("include/auth.inc.php");
>     auth_user();
> }
>
> more code...
> ?>
>
> so $uid tells me if the user is logged on or not...
>
> but what if somebody calls the script directly from the address bar like
> this: http://server/script.php?uid=10
Re: [PHP] session security issue
On Tue, Aug 14, 2001 at 08:42:22AM -0300, Christian Dechery wrote:
> I have pages that use sessions for security that look something like this:
>
> <?php
> session_start();
>
> if( !isset($uid) )
> {
>     include("include/auth.inc.php");
>     auth_user();
> }
>
> more code...
> ?>
>
> so $uid tells me if the user is logged on or not...
>
> but what if somebody calls the script directly from the address bar like
> this: http://server/script.php?uid=10
>
> wouldn't this be a security problem?

Christian,

This can indeed be a security issue. Try using $HTTP_SESSION_VARS{"uid"}
instead. It's a safer solution. Then one cannot just use ?uid=10 in
order to fool you. At least, not in that way.

--
Renze Munnik
DataLink BV
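The vulnerable check from the original post next to the hardened one the replies recommend (read only from the session store, and expire idle sessions as the session-deletion script earlier in the thread does), as an added example that is not code from any poster. It assumes the PHP 4.0-era setup described in the thread (register_globals on, $HTTP_SESSION_VARS), and the timeout value and the variable name "user_id" are my own choices.

```php
<?php
// Added example, not code from the thread. Targets the PHP 4.0-era setup
// the posters describe: register_globals=On and the $HTTP_SESSION_VARS
// array (on PHP >= 4.1, $_SESSION is the superglobal equivalent). The
// idle timeout and the name "user_id" are assumptions.

define('IDLE_TIMEOUT', 900);  // seconds of inactivity before re-login

// VULNERABLE: the check from the original post. With register_globals=On,
// a request for script.php?uid=10 creates a global $uid from the query
// string, so isset($uid) is true for anyone who types a user id.
function is_logged_in_insecure()
{
    global $uid;
    return isset($uid);
}

// Run once, after the credentials have been verified on the server.
// session_register() is what puts the value into the session store, so on
// later requests it reaches $HTTP_SESSION_VARS['user_id'] only from the
// server-side session file, never from GET, POST or a cookie.
function login_user($verified_user_id)
{
    global $user_id, $last_activity;
    session_start();
    session_register('user_id');
    session_register('last_activity');
    $user_id       = (int) $verified_user_id;
    $last_activity = time();
}

// HARDENED: what the replies recommend. Consult only the session store,
// never a plain global, and enforce the idle timeout that the reaper
// script enforces via session-file mtimes. Returns the user id.
function check_session()
{
    global $HTTP_SESSION_VARS, $last_activity;  // not superglobals pre-4.1
    session_start();
    $ok = isset($HTTP_SESSION_VARS['user_id'])
       && isset($HTTP_SESSION_VARS['last_activity'])
       && (time() - $HTTP_SESSION_VARS['last_activity']) < IDLE_TIMEOUT;
    if (!$ok) {
        session_destroy();                    // drop stale or partial state
        header('Location: login.php');
        exit;
    }
    $last_activity = time();   // "write on every click" keeps the session live
    return (int) $HTTP_SESSION_VARS['user_id'];
}
```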