This is a discussion on sessions, SIDs, and php 4.3 within the PHP General forums, part of the PHP Programming Forums category.
Hi, all --
We were using php 4.2.3 on our first server (FreeBSD-4.5) and apparently exploited, quite unknowingly, a bug. We also have register_globals on (we'll work more on that later). Then we added another server (FBSD 4.8 and php 4.3.4rc1) and tried our code and the page passwords didn't work. Arrgh!

So now I'm trying to get my head around how to properly write session code, and I know that I should use session_start() but then always reference $_SESSION instead of session_register() something or so. Good enough, but now I'm having cookie trouble.

If I run

  http://test.locations.org/sessions/extracting.php

with cookies on, then upon reload $_SESSION[pw] has a value, which is expected. If cookies are off, though, it does not, and I do not see the SID in the URL even after the click. So I click the other link, wherein I specified the SID, and it finally works -- but I thought that PHP was supposed to format my URLs the right way for me, and even more so didn't think that I needed the ? because the SID constant is supposed to be "smart".

What else do I have to cram in my already-exploding head to get this right? :-)

TIA & HAND :-D

--
David T-G                          * There is too much animal courage in
(play) davidtg@justpickone.org     * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org   -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
--- David T-G <davidtg-php@justpickone.org> wrote:
> If I run
>
>   http://test.locations.org/sessions/extracting.php
>
> with cookies on, then upon reload $_SESSION[pw] has a value, which is
> expected. If cookies are off, though, it does not, and I do not see the
> SID in the URL even after the click. So I click the other link, wherein
> I specified the SID, and it finally works -- but I thought that PHP was
> supposed to format my URLs the right way for me, and even more so didn't
> think that I needed the ? because the SID constant is supposed to be
> "smart".

Check your php.ini and see if you can find this:

  session.use_trans_sid = 1

You want that to be 1 in order for PHP to do this for you.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
  Coming mid-2004
HTTP Developer's Handbook
  http://httphandbook.org/
RAMP Training Courses
  http://www.nyphp.org/ramp
Chris, et al -
...and then Chris Shiflett said...
%
% --- David T-G <davidtg-php@justpickone.org> wrote:
% >
% > I specified the SID, and it finally works -- but I thought that PHP was
% > supposed to format my URLs the right way for me, and even more so didn't
% > think that I needed the ? because the SID constant is supposed to be
% > "smart".
%
% Check your php.ini and see if you can find this:
%
%   session.use_trans_sid = 1

Yep.

  bash-2.05a$ grep trans_sid /usr/local/etc/php.ini
  session.use_trans_sid = 1
  bash-2.05a$ lynx -dump http://test.locations.org/sessions/extracting.php | grep -i trans_sid
  session.use_trans_sid    On    On

(Of course I added a phpinfo() call to the script for the test.)

%
% You want that to be 1 in order for PHP to do this for you.

That I do, but it doesn't seem to matter too much!

%
% Hope that helps.

Thanks anyway.

%
% Chris

HAND :-D

--
David T-G
--- David T-G <davidtg-php@justpickone.org> wrote:
> % Check your php.ini and see if you can find this:
> %
> %   session.use_trans_sid = 1
>
> Yep.

OK, well PHP should add the session identifier to the URL for every link on the first page. This is because PHP can't tell until the next request whether the browser is accepting cookies. You can think of PHP's logic like this:

1. If the user requests a page with no session identifier at all, start a new session. On the page sent to the user, rewrite all URLs to include the session identifier.

2. If the user requests a page with the session identifier in the URL but without a cookie, assume the user's browser did not accept the cookie. Rewrite all URLs to include the session identifier.

3. If the user requests a page with the session identifier in the URL and in a cookie, this is the user's second request, and the user's browser accepts cookies. No rewriting is necessary.

4. If the user requests a page with the session identifier only in a cookie, this is at least the user's third visit, and the user's browser accepts cookies. No rewriting is necessary.

So, based on this, I would recommend testing from scratch. Make sure you have no cookies. Restart the browser if necessary. Then, visit the first page (where you first have your session_start() call) and view source. If PHP is doing the session.use_trans_sid stuff correctly, your URLs should all be rewritten to include the session identifier. This would be my first step in trying to debug the situation.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/
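The four cases above can be watched directly. The page below is an added example, not code from this thread; it reports which case the current request is in by checking where PHP received the session identifier, and it places a relative link and an absolute link side by side. It assumes session.use_trans_sid = 1 and the default session name (PHPSESSID), as in the original poster's php.ini. The absolute link is the point of interest: PHP's URL rewriter only appends the identifier to relative URLs and leaves any URL that carries a scheme and host untouched (PHP 7.1 later added session.trans_sid_hosts to opt named hosts in). That is why a link built from SCRIPT_URI, an absolute URL, never gains a SID while the same link built from PHP_SELF does. Note also that an identifier carried in the URL ends up in Referer headers, proxy logs and pasted links, so a page like this belongs on a test host, not in production.

```php
<?php
// Added example, not code from the thread. Reports which of the four cases
// in the reply above the current request is in, by checking where the
// session identifier arrived. Assumes session.use_trans_sid = 1 and the
// default session name (PHPSESSID); session_name() returns whatever is set.
session_start();

$name      = session_name();
$id_in_url = isset($_GET[$name]);
$id_in_ck  = isset($_COOKIE[$name]);

if (!$id_in_url && !$id_in_ck) {
    $case = '1: no identifier received, new session, links get rewritten';
} elseif ($id_in_url && !$id_in_ck) {
    $case = '2: identifier in URL only, cookie was refused, links get rewritten';
} elseif ($id_in_url && $id_in_ck) {
    $case = '3: identifier in URL and cookie, second request, no rewriting';
} else {
    $case = '4: identifier in cookie only, cookies work, no rewriting';
}

// A counter shows the session persisting across requests, whichever
// transport (cookie or URL) carried the identifier this time.
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

// PHP_SELF and HTTP_HOST are client-influenced (PATH_INFO, Host header),
// so both are escaped before they are echoed into markup.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
$host = htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES);
?>
<p>Case <?php echo htmlspecialchars($case); ?></p>
<p>Session <?php echo htmlspecialchars(session_id()); ?>,
   hit <?php echo (int) $_SESSION['hits']; ?>,
   SID constant is "<?php echo htmlspecialchars(SID); ?>"
   (empty once the identifier came in by cookie)</p>
<!-- Relative URL: the rewriter appends ?PHPSESSID=... in cases 1 and 2. -->
<p><a href="<?php echo $self; ?>">relative link</a></p>
<!-- Absolute URL: the scheme and host make the rewriter leave it alone. -->
<p><a href="http://<?php echo $host . $self; ?>">absolute link</a></p>
```

Load it once with cookies disabled and view the HTML source: the relative link carries ?PHPSESSID=... and the absolute one does not. Follow the relative link and the page reports case 2; repeat with cookies enabled and the second request reports case 3, the third case 4, with no rewriting in either.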
Chris, et al --
...and then Chris Shiflett said...
%
% --- David T-G <davidtg-php@justpickone.org> wrote:
% >
% > %   session.use_trans_sid = 1
% >
% > Yep.
%
% OK, well PHP should add the session identifier to the URL for every link

OK.

% on the first page. This is because PHP can't tell until the next request

That makes sense.

% whether the browser is accepting cookies. You can think of PHP's logic
% like this:
%
% 1. If the user requests a page with no session identifier at all, start a
% new session. On the page sent to the user, rewrite all URLs to include the
% session identifier.
[snip]

OK. That's what I thought.

%
% So, based on this, I would recommend testing from scratch. Make sure you
% have no cookies. Restart the browser if necessary. Then, visit the first

I restart frequently; it's lynx and it's easy :-)

% page (where you first have your session_start() call) and view source. If

Right. BTW, the same URL with .phps will let you see the PHP source.

% PHP is doing the session.use_trans_sid stuff correctly, your URLs should
% all be rewritten to include the session identifier. This would be my first
% step in trying to debug the situation.

It does not. I get ...

  Click <a href='http://test.locations.org/sessions/extracting.php'>here</a> to return.<br>
  Click <a href='http://test.locations.org/sessions/extracting.php?extract=3b44c204f36f5fb5db176e33e45defbb'>here</a> for a SID.<br>
  A button: <form method='post'><input type="hidden" name="extract" value="3b44c204f36f5fb5db176e33e45defbb" /><input type='submit'></form><br>

and the first link obviously does not have a SID.

%
% Hope that helps.

Still hangin'. Anyone else have any ideas?

%
% Chris

Thanks again & HAND :-D

--
David T-G
--- David T-G <davidtg-php@justpickone.org> wrote:
> BTW, the same URL with .phps will let you see the PHP source.

Well, hopefully only because you have a duplicate file (or a link) by that name. :-)

Also, I meant view source as in the HTML output, not the PHP.

> % PHP is doing the session.use_trans_sid stuff correctly, your URLs
> % should all be rewritten to include the session identifier. This
> % would be my first step in trying to debug the situation.
>
> It does not.

Well, then your problem is found. Why this is happening is still a mystery (to me), but the session.use_trans_sid magic is not happening. If you look at the output of phpinfo() on this exact same script, is the local value of session.use_trans_sid still 1?

Chris

=====
Chris Shiflett - http://shiflett.org/
Chris, et al --
...and then Chris Shiflett said...
%
% --- David T-G <davidtg-php@justpickone.org> wrote:
% > BTW, the same URL with .phps will let you see the PHP source.
%
% Well, hopefully only because you have a duplicate file (or a link) by that
% name. :-)

Yep. Created just for this exercise :-)

%
% Also, I meant view source as in the HTML output, not the PHP.

I figured as much, as noted farther down.

%
% > % should all be rewritten to include the session identifier. This
% > % would be my first step in trying to debug the situation.
% >
% > It does not.
%
% Well, then your problem is found. Why this is happening is still a mystery

OK, but I know I have a problem and what I need is a solution :-)

% (to me), but the session.use_trans_sid magic is not happening. If you look
% at the output of phpinfo() on this exact same script, is the local value
% of session.use_trans_sid still 1?

Yep. See a previous list reply.

%
% Chris

Thanks & TIA & HAND :-D

--
David T-G
--- David T-G <davidtg-php@justpickone.org> wrote:
> OK, but I know I have a problem and what I need is a solution :-)

Yes, I understand. :-)

> > If you look at the output of phpinfo() on this exact same script,
> > is the local value of session.use_trans_sid still 1?
>
> Yep. See a previous list reply.

OK, well that is very strange. Can you tell us the output of the following sample code?

  <?php
  session_start();
  $_SESSION['foo'] = 'bar';
  ?>
  <p>
  session.use_trans_sid [<?php echo ini_get('session.use_trans_sid'); ?>]
  </p>
  <p>
  <!-- PHP_SELF carries any PATH_INFO the client appended, so escape it before echoing -->
  <a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">Link</a>
  </p>

Maybe this will reveal something.

Chris

=====
Chris Shiflett - http://shiflett.org/
Chris, et al --
...and then Chris Shiflett said...
%
% --- David T-G <davidtg-php@justpickone.org> wrote:
% > OK, but I know I have a problem and what I need is a solution :-)
%
% Yes, I understand. :-)

*grin*

%
% > > If you look at the output of phpinfo() on this exact same script,
% > > is the local value of session.use_trans_sid still 1?
% >
% > Yep. See a previous list reply.
%
% OK, well that is very strange. Can you tell us the output of the following
% sample code?
...
% Maybe this will reveal something.

It sure did -- I see the SID! Let me go back over my code and see where I've screwed something up.

%
% Chris

Thanks & HAND & stay tuned :-D

--
David T-G
Chris, et al --
...and then David T-G said...
%
% Let me go back over my code and see where I've screwed something up.

That didn't take too long. I was using SCRIPT_URI instead of PHP_SELF. Ah. I guess PHP_SELF is my friend and none other.

Good enough! So we have

- use session_start() as usual
- use $_SESSION for everything (setting and unsetting)
- don't bother with session_write_close
- use PHP_SELF
- do NOT hand-code SID with PHP_SELF :-)

as the Golden Rules for sessions. Along with the wonderful world of validating and filtering input that I'm seeing in other threads, is that all there is to The One True Way of Session Handling?

%
% Chris

Thanks a *bunch* for your patience & HAND :-D

--
David T-G
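The five rules above, written out as a small page-password gate with the hardening a security reviewer would add. This is an added example, not code from the thread. It assumes PHP 4.3.2 or later (where session_regenerate_id() first appeared), a hypothetical PAGE_PASSWORD constant standing in for the site's real credential store, and that the page is served over HTTPS. It deliberately turns off the URL-based session transport the thread spent its time debugging: with session.use_only_cookies = 1 PHP ignores a ?PHPSESSID=... supplied by a visitor, so an attacker cannot fix the identifier by handing out a prepared link, and the identifier no longer leaks through Referer headers and logs. Visitors who refuse cookies then cannot get past the gate, which is the trade that setting makes.

```php
<?php
// Added example, not code from the thread: the "Golden Rules" above as a
// hardened page-password gate. Assumes PHP >= 4.3.2. PAGE_PASSWORD is a
// stand-in for a real credential store, which would hold a hash rather than
// a plaintext value.

// Rule 1/4: session_start() as usual, but carry the id in a cookie only.
// use_only_cookies rejects ids arriving in the URL (session fixation);
// use_trans_sid = 0 stops PHP writing the id into links and forms.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_secure', '1');     // HTTPS only, so the id never crosses plain HTTP
ini_set('session.cookie_httponly', '1');   // honoured from PHP 5.2; silently ignored on 4.3
session_start();

define('PAGE_PASSWORD', 'correct horse battery staple');   // hypothetical stand-in

// Rule 2: state lives in $_SESSION, never in register_globals or
// session_register(). Store the outcome of the check, not the password.
if (isset($_POST['pw'])) {
    if ($_POST['pw'] === PAGE_PASSWORD) {
        session_regenerate_id();            // new id at the privilege boundary
        $_SESSION['authenticated'] = true;
    } else {
        $_SESSION['authenticated'] = false;
    }
}

$authenticated = !empty($_SESSION['authenticated']);

// Unsetting is also done through $_SESSION, then the session itself is dropped.
if (isset($_GET['logout'])) {
    $_SESSION = array();
    session_destroy();
    $authenticated = false;
}

// Rule 3/5: build links from PHP_SELF, escaped because it carries any
// PATH_INFO the client appended, and never append SID by hand.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);

if (!$authenticated) {
    echo "<form method='post' action='{$self}'>"
       . "<input type='password' name='pw' />"
       . "<input type='submit' value='Enter' />"
       . "</form>";
} else {
    echo "<p>Protected content.</p>"
       . "<p><a href='{$self}?logout=1'>log out</a></p>";
}
```

Because the identifier is regenerated only after a successful password check, an id an attacker planted before login (by cookie or otherwise) is discarded exactly at the point it would have become valuable, and the password the visitor typed is never written into the session file.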