php-beginner, posted April 4, 2011

Hello everyone, I am trying to use only cookies so that session fixation is not possible. Unfortunately I can still log in when I disable cookies in Internet Explorer. Am I doing something wrong? Or do I misunderstand the concept? This is my code:

    <?php
    class Session {
        private $username;

        public function createSession($username) {
            $this->username = $username;
            // Must be set before session_start(): tells PHP to accept the
            // session id from a cookie only, never from the URL.
            ini_set("session.use_only_cookies", 1);
            session_start();
            $_SESSION['username'] = $this->username;
            return $this->username;
        }
    }
    ?>
will35010, posted April 4, 2011

This code is using sessions and not cookies. Here is a tutorial on cookies: http://w3schools.com/PHP/php_cookies.asp
php-beginner (author), posted April 4, 2011

I thought that "use only cookies" should prevent the session id from being put in the URL, and put it in a cookie instead?
btherl, posted April 5, 2011

Do you want to make it so your users cannot log in if cookies are disabled?
SamT_, posted April 5, 2011

Session fixation is caused by an attacker gaining access to a Session ID and either placing it in a cookie or URL. Due to the nature of sessions (i.e. some piece of data always has to be in control of the user), we can eliminate reasonable risk by taking certain precautions, but we cannot eliminate it completely. PHP sessions are vulnerable to session fixation, so you need to add some checking. Just because you disable the SID being passed through the URL doesn't mean you are completely protected.

What I do is create a fingerprint: md5() the IP address (or partial if you're doing partial validation), User agent string, and some random salt unknown to the user. Store this fingerprint in a session var and check it against the fingerprint generated at the next visit. If they do not match, kill the session, generate a new ID, and set everything to default (for a guest browsing).

Now, enough with my security rant. Regarding your question about logging in with cookies disabled: is the SID being passed in the URL? If it isn't, then either your code is doing its job or you've not actually disabled cookies.
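The fingerprint check SamT_ describes, written out as an added example (this is not code posted by anyone in the thread). It keeps the structure of the advice (fingerprint stored in the session, compared on the next request, session reset to a guest state on mismatch) but uses hash_hmac() with a server-side secret rather than md5() with a salt, and compares with hash_equals(). The function names, the `$secret` parameter and the partial-IP choice are this example's own assumptions; `$secret` would normally be loaded from configuration outside the web root.

```php
<?php
// Added example, not from the thread: fingerprint-bound PHP session.
// Assumes it runs before any output on every request and that $secret is a
// long random value kept on the server (hypothetical configuration value).

declare(strict_types=1);

function buildFingerprint(string $secret, array $server): string
{
    // Partial IP (first three octets) tolerates some proxy/NAT churn; binding
    // the full address is stricter but logs out users whose IP changes mid-session.
    $ip = $server['REMOTE_ADDR'] ?? '';
    $partialIp = implode('.', array_slice(explode('.', $ip), 0, 3));
    $ua = $server['HTTP_USER_AGENT'] ?? '';

    // HMAC with a server secret: the client cannot compute or forge the value
    // even if it knows its own IP and user agent.
    return hash_hmac('sha256', $partialIp . '|' . $ua, $secret);
}

function resetToGuest(): void
{
    // Mismatch: drop the server-side data and issue a fresh id, so the id the
    // client presented is no longer tied to any authenticated state.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['role'] = 'guest';
}

function startValidatedSession(string $secret): bool
{
    // Accept the id from the cookie only, and refuse ids PHP never issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();

    $expected = buildFingerprint($secret, $_SERVER);

    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: record the fingerprint for later checks.
        $_SESSION['fingerprint'] = $expected;
        return true;
    }

    if (!hash_equals($_SESSION['fingerprint'], $expected)) {
        // Different client characteristics for the same id: treat as a guest.
        resetToGuest();
        $_SESSION['fingerprint'] = $expected;
        return false;
    }

    return true;
}

// Usage on every page, before any output:
// $ok = startValidatedSession($secret);
// if (!$ok) { /* session was reset; render the guest view */ }
```

The user-agent string changes on browser updates and some corporate proxies rotate client addresses, so a mismatch here should downgrade to guest (as SamT_ suggests) rather than lock the account; logging the mismatch gives the operator a signal without punishing legitimate users.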
php-beginner (author), posted April 5, 2011

> Do you want to make it so your users cannot log in if cookies are disabled?

Yes.

> Now, enough with my security rant. Regarding your question about logging in with cookies disabled: is the SID being passed in the URL? If it isn't, then either your code is doing its job or you've not actually disabled cookies.

The SID is not being passed in the URL when my cookies are enabled. When I disable cookies, I can still log in. I have done this in Internet Explorer: Internet options -> Privacy -> Advanced -> block all cookies.
gizmola, posted April 5, 2011

Strictly speaking, there are two concerns here that are being discussed: session fixation and session hijacking. Session fixation is basically one approach used to attempt to hijack a session. This is an old, but still highly relevant, discussion of session fixation: http://shiflett.org/articles/session-fixation

In terms of the settings, check these. These are the defaults with PHP 5.3:

    session.use_trans_sid 0
    session.use_only_cookies 1
php-beginner (author), posted April 5, 2011

I have read some articles, including that one. My code is not enough to fix the whole session stealing problem, but I don't understand why my code doesn't work and lets me log in. Do I correctly disable cookies? My code should force the browser to use cookies and not put the SID in the URL. So when I disable cookies, this "login" shouldn't work anymore, right?
gizmola, posted April 5, 2011

> I have read some articles, including that one. My code is not enough to fix the whole session stealing problem, but I don't understand why my code doesn't work and lets me log in. Do I correctly disable cookies? My code should force the browser to use cookies and not put the SID in the URL. So when I disable cookies, this "login" shouldn't work anymore, right?

Yes, it should, but you also need to check that the form is not passing a hidden parameter. With that said, your assumption that your browser is not accepting cookies might be invalid. If you're not seeing the URL param or hidden form parameters, and you're still seeing sessions in operation, then I'd question your assumptions. For testing, I would use Firebug to analyze what is going on.
php-beginner (author), posted April 6, 2011

> Yes, it should, but you also need to check that the form is not passing a hidden parameter. With that said, your assumption that your browser is not accepting cookies might be invalid. If you're not seeing the URL param or hidden form parameters, and you're still seeing sessions in operation, then I'd question your assumptions. For testing, I would use Firebug to analyze what is going on.

You're right. But I don't get it. This time I disabled cookies in Firefox and again it's not working. I checked this with Firebug and I see that the header is sent. I see the SESSID, password and username.

P.S. I checked with Wireshark whether I can see my password in plain text, because I saw that in Firebug. Well, I can, but I have encrypted this with a salt + password. This means that my code is not correct, or can't I send this encrypted other than with SSL? Thanks so far!
php-beginner (author), posted April 7, 2011

I have also tried to let Firefox ask me when I wanted to store the cookie. When I refuse the cookie, the headers are still sent. So it has to be something in my code. Right?
gizmola, posted April 7, 2011

How are you looking at the headers? Keep in mind that there is a request (the browser) and a response (the server). The server will send the cookie. It's only an issue if the request has cookie data in it. With that said, there is no problem if you're not getting the URL parameter or hidden form elements.

As to your previous question: yes, passwords will be sent in cleartext. That is the nature of HTTP. So yes, the only way to ensure that the data is secure end to end is to use https://.
php-beginner (author), posted April 8, 2011

> How are you looking at the headers? Keep in mind that there is a request (the browser) and a response (the server). The server will send the cookie. It's only an issue if the request has cookie data in it. With that said, there is no problem if you're not getting the URL parameter or hidden form elements.

That means that I don't have to use the "use only cookies" setting, right? Because there's only a session in the cookie (which is not real cookie data?). So this won't prevent the SID going through the URL. So what do I need to prevent the SID going through the URL?
gizmola, posted April 8, 2011

No, you are right about use only cookies. That is supposed to constrain it so that the session id is only sent in a cookie, which is what you want. Otherwise, it will allow the phpsessid parameter to be sent as a URL parameter. This is to fight session fixation, where someone "fixates" a session id they know to a user who is logged in, by getting that user to pass the phpsessid URL parameter via some XSS, or just having them click on a link. If I can get you to do that and the server accepts it, I can now hijack your session.

The reason we have been talking about cookies is because I thought you wanted to verify that this feature was working by trying to force your browser not to accept cookies, and ensure that your site would not log in the person via a phpsessid URL parameter.

So you definitely want to have:

    session.use_only_cookies = 1

set in the php.ini. I'm not confident, however, that you can modify this setting at runtime.
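An added example (not code from anyone in the thread) that puts the two settings gizmola lists in place at runtime and adds the step that defeats fixation even when the server is handed a session id it should not trust. Both `session.use_only_cookies` and `session.use_trans_sid` are PHP_INI_ALL, so `ini_set()` before `session_start()` does take effect; `effectiveSessionSettings()` lets you confirm that instead of assuming it. The function names are this example's own; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread: session bootstrap that keeps the id in a
// cookie only, plus id regeneration at login. Assumes it runs before any output.

declare(strict_types=1);

function bootSession(bool $https): void
{
    // The session id only ever travels in a cookie, never in the URL or a form.
    // Both are PHP_INI_ALL, so setting them here (before session_start) works.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Refuse ids the server did not itself issue: a presented-but-unknown id
    // is replaced with a fresh one instead of being adopted.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'httponly' => true,    // not readable from page scripts
        'secure'   => $https,  // only sent over TLS when the site is served that way
        'samesite' => 'Lax',
    ]);

    session_start();
}

function sidArrivedOutsideCookie(): bool
{
    // The check the thread's manual test was trying to make: did the client
    // present the session id anywhere other than the Cookie header? With
    // use_only_cookies=1 PHP ignores such a value, but logging it is useful.
    $name = session_name();
    return isset($_GET[$name]) || isset($_POST[$name]);
}

function loginUser(string $username): void
{
    // Privilege change: discard the pre-login id. Whatever id the browser held
    // before authenticating (fixated or not) is now worthless.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['logged_in_at'] = time();
}

function effectiveSessionSettings(): array
{
    // Report what is actually in force rather than trusting a php.ini edit.
    return [
        'use_only_cookies' => ini_get('session.use_only_cookies'),
        'use_trans_sid'    => ini_get('session.use_trans_sid'),
        'use_strict_mode'  => ini_get('session.use_strict_mode'),
    ];
}

// Usage, after the credential check has succeeded ($validatedUsername is
// whatever your authentication code returned):
// bootSession(!empty($_SERVER['HTTPS']));
// if (sidArrivedOutsideCookie()) { error_log('session id offered outside the cookie'); }
// loginUser($validatedUsername);
// var_export(effectiveSessionSettings()); // expect '1', '0', '1'
```

The regeneration in `loginUser()` is the part the original thread never reaches: `use_only_cookies` stops the id from being delivered in a URL, but a cookie-borne id can still be planted in other ways, and issuing a new id on every authentication makes the question of where the old one came from moot.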
php-beginner (author), posted April 9, 2011

> The reason we have been talking about cookies is because I thought you wanted to verify that this feature was working by trying to force your browser not to accept cookies, and ensure that your site would not log in the person via a phpsessid URL parameter.

Yes, but not accepting cookies still lets me log in. Is it because it is not real cookie data (what you mentioned before)? I try to understand and test it before I'll put anything online. Thank you so far.