
[SOLVED] PHP Sessions working from Site to Site Security Issue


dprichard


I have two sites on the same server using the same code but using two different databases.  I noticed while testing that if I am logged in with the one site, I can get into administrative pages on the other site without logging in.  Since they use the same code, all the same session variables are there, so it is letting me in.  Is there a way to tell PHP not to let it go from site to site, or should I make a custom variable and include it in the permissions for each site?  I would appreciate any guidance on the best way to secure this obvious problem.

Use session_set_cookie_params() and set stricter path/domain definitions. This will only be on the surface though ( http://www.nirsoft.net/utils/internet_explorer_cookies_view.html ). The real trick here is having some sort of distinction between the two sites. Perhaps not using the same session save path ( session_save_path() ) so sessions can't be passed between sites.

What if I add a company session and check that with my regular sessions I am checking for access to each page?  Will that be secure enough if I make sure each page is looking for it?

 

As for the session_set_cookie_params(), I call that at the top of each page before my session_start()?  Then it only works on that domain? 

Well, cookies can be modified locally, so the path and domain can be modified. It would work on the surface, and prevent conflicts, but would not technically close the security hole.

 

Adding a 'company' variable to the session and verifying it would work well along with session_set_cookie_params().

If the sites are using different domains, the only way it could be working as described is if the session id is being passed on the end of the URL (and you should disable the session.use_trans_sid setting to stop this, but just doing so won't solve the security problem.) If this is the case, nothing you do with the session cookie settings will help.

 

The universal solution (if the sites are using different or the same domain) that takes the minimum changes would be to set the session_save_path, as discomatt posted above, for each site to be for a unique folder within that site's disk space.
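The following is an added example, not code posted in this thread, showing how the advice above fits together in one bootstrap file included before any output on every page of each site: a per-site session_save_path outside the document root, session.use_trans_sid disabled so the id cannot ride on the URL, a per-site cookie name and scoped cookie parameters, and a 'company'-style site tag stored in the session and checked on every request. The SITE_ID constant, the private/sessions directory layout, the logged_in session key and the /login.php redirect are assumptions for illustration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original thread): per-site session bootstrap.
// Assumed (not in the original posts): SITE_ID is set differently in each
// site's own config, sessions live in <docroot>/../private/sessions/<site>,
// and login code sets $_SESSION['logged_in'] = true.
declare(strict_types=1);

const SITE_ID = 'siteA';   // 'siteB' in the other site's config (assumed)

function site_session_start(string $siteId): void
{
    // 1. Never accept a session id from the URL; cookies only, and reject
    //    ids the server did not issue.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // 2. Separate storage per site so session files cannot be shared.
    //    DIRECTORY_SEPARATOR keeps this working on the Windows server too.
    $savePath = dirname($_SERVER['DOCUMENT_ROOT']) . DIRECTORY_SEPARATOR . 'private'
        . DIRECTORY_SEPARATOR . 'sessions' . DIRECTORY_SEPARATOR . $siteId;
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session directory $savePath");
    }
    // Refuse to run if the directory resolves to somewhere inside the web
    // root: session files must never be reachable over HTTP.
    $real    = realpath($savePath);
    $docroot = realpath($_SERVER['DOCUMENT_ROOT']);
    if ($real === false || $docroot === false
        || $real === $docroot
        || strncmp($real, $docroot . DIRECTORY_SEPARATOR, strlen($docroot) + 1) === 0) {
        throw new RuntimeException('session directory must be outside the document root');
    }
    session_save_path($savePath);

    // 3. Distinct cookie name plus a host-only cookie, so the browser does
    //    not send site A's cookie to site B. Defence in depth only: the
    //    client controls its cookies, so this alone closes nothing.
    session_name('SESS_' . $siteId);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',                       // current host only
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    // 4. Tag the session with the site that created it and verify on every
    //    request. A session carrying the other site's tag is emptied and
    //    given a fresh id instead of being reused.
    if (!isset($_SESSION['site_id'])) {
        $_SESSION['site_id'] = $siteId;
    } elseif (!hash_equals((string) $_SESSION['site_id'], $siteId)) {
        $_SESSION = [];
        session_regenerate_id(true);            // delete the foreign session file
        $_SESSION['site_id'] = $siteId;
    }
}

// Call on every administrative page after site_session_start().
function require_admin(string $siteId): void
{
    if (empty($_SESSION['logged_in']) || ($_SESSION['site_id'] ?? '') !== $siteId) {
        header('Location: /login.php');          // assumed login page
        exit;
    }
}

site_session_start(SITE_ID);
// On an admin page:
// require_admin(SITE_ID);
```

With this in place the separate save path is what actually stops one site's session from opening the other, since PHP on site B can never find site A's session file; the cookie scoping and the site tag are extra layers, and the docroot check enforces the "private folder" advice given later in the thread.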

Thank you both so much.  That seems to have worked perfectly.  Are there any other security concerns I should be aware of with storing the sessions in a folder within the site versus its default location?

You should use a "private" folder, one that is outside of your document root folder (below or closer to the root of the disk) or if that option is not available, then you should have a .htaccess file in the folder that prevents all http/https access to the files (in case someone guesses the folder name and attempts to browse to the files to see what is in them.)

It is actually a Windows server running PHP.  Right now it is in the main site folder with read and write permissions, but doesn't allow browsing.  So they would have to guess the folder name and the filename.  Do you think that is secure?
