It looks like someone trying to guess existing cookies and retrieve session
information for existing sessions. Based on the cookie format, I am
guessing the sessions are actually controlled by PHP - you can add some
code to log IP address and cookie combinations and see if there is a
pattern.

I am pretty sure sess_rfc1867-tests-post is a cookie name from the PHP test
suite. The other examples you gave look like what might happen if you set a
custom session handler and didn't add a unique value for each session.

If you are worried about actual session hijacking, store the client IP
address in the session and don't let other IPs use it and/or consider an
application firewall that can detect these things (no specific
recommendation).

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Fri, Sep 7, 2018, 1:17 AM John <john.ili...@iliffe.ca> wrote:

> Beginning last Sunday (2 September) I have been finding several oddly named
> session cookies each day on my server.  The normal Apache session cookies have
> names like "sess_d50280ded90f1dbd48fcfd5fc77baa77".  These new ones have names
> like:
>
> sess_mycustomsession
> sess_sessionidhere
>
>
> The content seems strange too, although so far I haven't found anything
> important in one of them.  The owner name is often mine, although some have
> "php-fpm" as the file owner.
>
> Here is an example:
>
> cookie name:  sess_rfc1867-tests-post
>
> cookie content:
>
>
> upload_progress_rfc1867_sid_only_cookie_2.php|a:5:{s:10:"start_time";i:1535916085;s:14:"content_length";i:603;s:15:"bytes_processed";i:603;s:4:"done";b:1;s:5:"files";a:2:{i:0;a:7:{s:10:"field_name";s:5:"file1";s:4:"name";s:9:"file1.txt";s:8:"tmp_name";s:14:"/tmp/phpQWrbXC";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1535916085;s:15:"bytes_processed";i:1;}i:1;a:7:{s:10:"field_name";s:5:"file2";s:4:"name";s:9:"file2.txt";s:8:"tmp_name";s:14:"/tmp/phpSoCWFv";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1535916085;s:15:"bytes_processed";i:1;}}}
>
> Does anyone have any idea what these are and if I have some sort of a compromise
> to the server going on?
>
> Thanks in advance.
>
> John
>
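
One way to look for the pattern suggested in the reply, as an added example that is not part of the original thread: a Python script that lists session files whose names do not match the normal format quoted above, together with owner, timestamp and first stored key. The 32-hex-character name format, the function names and the sample files are assumptions constructed for illustration.

```python
import pwd
import re
import tempfile
from pathlib import Path

# Assumption: server-generated IDs are 32 lowercase hex characters, like the
# normal name quoted in the post. Adjust if your PHP settings differ.
NORMAL_NAME = re.compile(r"sess_[0-9a-f]{32}")


def audit_session_dir(save_path):
    """Report session files whose names do not look server-generated."""
    findings = []
    for entry in sorted(Path(save_path).iterdir(), key=lambda p: p.name):
        if not entry.is_file() or not entry.name.startswith("sess_"):
            continue
        if NORMAL_NAME.fullmatch(entry.name):
            continue
        st = entry.stat()
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:  # uid with no passwd entry
            owner = str(st.st_uid)
        # PHP's default "php" serializer writes each top-level key as
        # name|serialized-value, so the text before the first "|" is a key.
        head = entry.read_bytes()[:256].decode("latin-1")
        first_key = head.split("|", 1)[0] if "|" in head else ""
        findings.append({"file": entry.name, "owner": owner,
                         "mtime": int(st.st_mtime), "size": st.st_size,
                         "first_key": first_key})
    return findings


def demo():
    """Run the audit over a constructed directory (sample data, not real)."""
    samples = {
        "sess_d50280ded90f1dbd48fcfd5fc77baa77": 'user|s:4:"john";',
        "sess_mycustomsession": "",
        "sess_sessionidhere": "",
        "sess_rfc1867-tests-post":
            'upload_progress_rfc1867_sid_only_cookie_2.php|a:1:{s:4:"done";b:1;}',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_text(body)
        return audit_session_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point audit_session_dir() at the directory that PHP's session.save_path refers to, running as a user allowed to read it; the mtime values can then be matched against request times in the access log.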
