
PHP Session Fixation


loftystew


Hi,

I'm currently testing out how to implement session fixation using PHP. No worries, I'm not trying to hack; it's an assignment given by school to let us have a better understanding of how session fixation works.

Anyway, back to the topic: I'm supposed to code a vulnerable website and do a session fixation on it. I've managed to successfully try out session fixation on the following code, which is a single web page (test.php), by doing http://localhost/test.php?PHPSESSID=1234 :

<?php
      session_start();

      if (!isset($_SESSION['visits'])) {
          $_SESSION['visits'] = 1;
      } else {
          $_SESSION['visits']++;
      }

      echo $_SESSION['visits'];
?>

However, when I try to code a simple login website which contains 3 web pages [1 - the login form page (login.php), 2 - the validation page (validate.php), 3 - the member page (member.php)], I find that it is unable to pass the fixed session ID from one page to another when I do http://localhost/login.php?PHPSESSID=abc . In short, it seems to me that the server fails to register the session ID fixed by me and pass it on to the next web pages.

The simple login website works like this: the user enters login.php; after the user submits the login form, the form is sent to validate.php for verification. If the submitted user information is correct, it will store the user name into $_SESSION['user'] from $_GET["user"]; and it will redirect the user to member.php, which will then retrieve the username from $_SESSION['user'] and display it.

I've been thinking for a day but I still can't figure out the reason why it did not work.

Thanks


Most PHP configurations are set up to use cookies only, hence passing a value through the URL will have no effect.

Does that mean there is no way for me to implement a session fixation? Is it possible to set up PHP to accept a value from the URL?


Yeah, there's a setting within the php.ini. Not sure what it's called exactly, but take a look at the sessions section.

Hi,

You have to search for this php.ini setting:

session.use_only_cookie . It should be set to 0 to allow the session ID in the URL.


First I would like to say thanks to all for helping me out.

 

Yeah, I thought of that too, but it doesn't seem to be the problem. session.use_only_cookie in php.ini is set to 0 by default.

I tried using Burp Suite to intercept the traffic between my computer and the web server to see what's going on. It seems that even though I've explicitly set PHPSESSID=1234 in the URL, the web server (I'm using Apache BTW) seems to ignore the PHPSESSID in the URL when transferring from the main web page (the login form) to the other web pages and uses its own generated session ID instead.

I tried to do session fixation using server generated ID, instead of setting my own ID, but it didn't work. I wonder what went wrong.


Well, I use a Firebug plugin called Firecookie.

 

Well, changing the cookie manually works, but I will have to change it myself manually each time the cookie is sent from one web page to another, and if I don't change it, it will just return back to its original session ID set by the server.

Changing the session ID of the cookie manually each time kind of defeats the purpose of session fixation, doesn't it?

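For the defensive side of the login flow discussed in this thread, here is an added example (not code from any poster) of a validate.php that ignores session IDs supplied in the URL, rejects IDs the server did not issue, and hands out a fresh ID at login. The POST fields `user` and `pass` and the helper `check_credentials()` with its demo account are assumptions made for illustration; the directive's full name in php.ini is `session.use_only_cookies`.

```php
<?php
// validate.php, hardened sketch. Added example, not code from the thread.
// Assumptions: credentials arrive by POST; check_credentials() is a
// hypothetical stand-in for the site's real user lookup. Needs PHP 7.4+.

// Only accept the session ID from the cookie, and only IDs PHP itself issued.
ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid', '0');    // never append the ID to links
ini_set('session.use_strict_mode', '1');  // unknown IDs get replaced, not adopted

session_set_cookie_params([
    'httponly' => true,   // keep the ID out of reach of page scripts
    'samesite' => 'Lax',
    // 'secure' => true,  // enable once the site is served over HTTPS
]);
session_start();

function check_credentials(string $user, string $pass): bool
{
    // Constructed demo account; a real site reads the hash from its user store.
    static $users = null;
    $users ??= ['alice' => password_hash('demo-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';

if (!is_string($user) || !is_string($pass) || !check_credentials($user, $pass)) {
    http_response_code(401);
    exit('Login failed');
}

// Privilege change: drop the ID the browser arrived with and delete the old
// session data, so an ID known before login is worthless after it.
session_regenerate_id(true);
$_SESSION['user'] = $user;

// member.php should call session_start() under the same settings and refuse
// to render unless $_SESSION['user'] is set.
header('Location: member.php');
exit;
```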
