Prevent session fixation


php-beginner

Hello everyone,

 

I am trying to use only cookies so that session fixation is not possible. Unfortunately I can still log in when I disable cookies in Internet Explorer.

 

Am I doing something wrong? Or do I misunderstand the concept?

 

This is my code:

 

<?php

class Session
{
    private $username;

    public function createSession($username)
    {
        $this->username = $username;

        // must run before session_start(); the directive is PHP_INI_ALL,
        // so it can be changed at runtime
        ini_set("session.use_only_cookies", 1);

        // note: nothing here calls session_regenerate_id(), so an ID the
        // browser already carries is kept for the new login
        session_start();
        $_SESSION['username'] = $this->username;
        return $this->username;
    }
}

?>


Session fixation is caused by an attacker gaining access to Session ID and either placing it in a cookie or URL. Due to the nature of sessions (i.e. some piece of data always has to be in control of the user), we can eliminate reasonable risk by taking certain precautions, but we cannot eliminate it completely. PHP sessions are vulnerable to session fixation, so you need to add some checking. Just because you disable the SID being passed through the URL doesn't mean you are completely protected.

 

What I do is create a fingerprint, md5() the IP address (or partial if you're doing partial validation), User agent string, and some random salt unknown to the user. Store this fingerprint in a session var and check it against the fingerprint generated at the next visit. If they do not match, kill the session, generate a new ID, and set everything to default (for a guest browsing).

 

Now, enough with my security rant, regarding your question about logging in and cookies disabled, is the SID being passed in the URL? If it isn't, then either your code is doing its job or you've not actually disabled cookies.

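The fingerprint check described in the reply above, written out as an added example (not code posted in this thread). It assumes $secret is loaded from a config file outside the web root, and uses HMAC-SHA256 in place of md5() with the secret acting as the unknown salt.

```php
<?php
// Added example (not code from the thread): the fingerprint check from the
// reply above. Assumes $secret is loaded from config outside the web root.
// HMAC-SHA256 is used where the reply says md5(); the secret is the salt.

function sessionFingerprint($secret)
{
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    // partial validation: first three octets of an IPv4 address, so a user
    // whose proxy pool rotates the last octet is not logged out each request
    // (an IPv6 address has no '.' and is therefore compared whole)
    $ipPart = implode('.', array_slice(explode('.', $ip), 0, 3));
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash_hmac('sha256', $ipPart . '|' . $ua, $secret);
}

function startFingerprintedSession($secret)
{
    // keep the ID out of URLs; both directives are PHP_INI_ALL
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // lifetime 0, path /, any domain, Secure only over HTTPS, HttpOnly
    session_set_cookie_params(0, '/', '', !empty($_SERVER['HTTPS']), true);
    session_start();

    $expected = sessionFingerprint($secret);
    if (isset($_SESSION['fingerprint'])
        && !hash_equals($_SESSION['fingerprint'], $expected)) {
        // mismatch: drop the old data and issue a fresh ID for a guest
        $_SESSION = array();
        session_regenerate_id(true);
    }
    $_SESSION['fingerprint'] = $expected;
}

// usage: the secret comes from configuration, never from the request
startFingerprintedSession('replace-with-a-long-random-secret');
```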

Do you want to make it so your users cannot log in if cookies are disabled?

 

Yes.

 

Now, enough with my security rant, regarding your question about logging in and cookies disabled, is the SID being passed in the URL? If it isn't, then either your code is doing its job or you've not actually disabled cookies.

 

The SID is not being passed in the URL when my cookies are enabled. When I disable cookies, I can still log in.

 

I have done this in Internet Explorer:

 

Internet options -> Privacy -> Advanced -> block all cookies


Strictly speaking, there are two concerns here that are being discussed: session fixation and session hijacking. Session fixation is basically one approach used to attempt to hijack a session.

 

This is an old, but still highly relevant, discussion of session fixation: http://shiflett.org/articles/session-fixation

 

In terms of the settings, check these. These are the defaults with PHP 5.3:

 

session.use_trans_sid 0

session.use_only_cookies 1


I have read some articles, including that one. My code is not enough to fix the whole session stealing, but I don't understand why my code doesn't work and lets me log in. Do I correctly disable cookies?

 

My code should force the browser to use cookies and not put the SID in the URL. So when I disable cookies, this "login" shouldn't work anymore, right?


I have read some articles, including that one. My code is not enough to fix the whole session stealing, but I don't understand why my code doesn't work and lets me log in. Do I correctly disable cookies?

 

My code should force the browser to use cookies and not put the SID in the URL. So when I disable cookies, this "login" shouldn't work anymore, right?

 

Yes, it should, but you also need to check that the form is not passing a hidden parameter.

 

With that said, your assumption that your browser is not accepting cookies might be invalid. If you're not seeing the URL param, or hidden form parameters, and you're still seeing sessions in operation, then I'd question your assumptions. For testing, I would use Firebug to analyze what is going on.


I have read some articles, including that one. My code is not enough to fix the whole session stealing, but I don't understand why my code doesn't work and lets me log in. Do I correctly disable cookies?

 

My code should force the browser to use cookies and not put the SID in the URL. So when I disable cookies, this "login" shouldn't work anymore, right?

 

Yes, it should, but you also need to check that the form is not passing a hidden parameter.

 

With that said, your assumption that your browser is not accepting cookies might be invalid. If you're not seeing the URL param, or hidden form parameters, and you're still seeing sessions in operation, then I'd question your assumptions. For testing, I would use Firebug to analyze what is going on.

 

You're right.

 

But I don't get it. This time I disabled cookies in Firefox, and again it's not working.

I checked this with Firebug and I see that the header is sent.

I see the SESSID, password and username.

 

P.S. I checked with Wireshark whether I can see my password in plain text, because I saw that in Firebug. Well, I can, but I have encrypted this with a salt + password. Does this mean that my code is not correct, or can't I send this encrypted other than over SSL?

 

Thanks so far!


How are you looking at the headers? Keep in mind that there is a request (the browser) and a response (the server). The server will send the cookie. It's only an issue if the response has cookie data in it. With that said, there is no problem if you're not getting the URL parameter or hidden form elements.

 

As to your previous question: yes, passwords will be sent in cleartext. That is the nature of HTTP. So yes, the only way to ensure that the data is secure end to end is to use https://.


How are you looking at the headers? Keep in mind that there is a request (the browser) and a response (the server). The server will send the cookie. It's only an issue if the response has cookie data in it. With that said, there is no problem if you're not getting the URL parameter or hidden form elements.

 

That means that I don't have to use the "use only cookies" setting, right? Because there's only a session in the cookie (which is not real cookie data?). So this won't prevent the SID through the URL.

 

So what do I need to prevent the SID from being passed through the URL?


No, you are right about use only cookies. That is supposed to constrain it so that the session ID is only sent in a cookie, which is what you want. Otherwise, it will allow the PHPSESSID parameter to be sent as a URL parameter. This is to fight session fixation, where someone "fixates" a session ID they know onto a user who is logged in, by getting that user to pass the PHPSESSID URL parameter via some XSS, or just having them click on a link. If I can get you to do that and the server accepts it, I can now hijack your session.

 

The reason we have been talking about cookies is because I thought you wanted to verify that this feature was working by trying to force your browser not to accept cookies, and ensure that your site would not log the person in via a PHPSESSID URL parameter.

 

So you definitely want to have:

 

session.use_only_cookies = 1

 

set in the php.ini. I'm not confident, however, that you can modify this setting at runtime.

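An added example (not code from this thread) tying the last reply together with the original class: the cookie-only setting applied at runtime, which does work because session.use_only_cookies is PHP_INI_ALL, plus the session ID regeneration at login that the Shiflett article and the reply above describe as the real defence against a planted ID. The single user record is constructed for the demo and password_hash/password_verify stand in for whatever the real credential store does.

```php
<?php
// Added example (not code from the thread): session bootstrap with the
// cookie-only setting applied at runtime (session.use_only_cookies is
// PHP_INI_ALL, so ini_set() before session_start() works), plus the ID
// regeneration at login that actually defeats a planted session ID.
// The user record below is constructed for the demo; real storage differs.

function bootSession()
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // strict mode (PHP >= 5.5.2): an ID the server never issued is replaced,
    // so a PHPSESSID value chosen by someone else is not adopted
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(0, '/', '', !empty($_SERVER['HTTPS']), true);
    session_start();
}

// constructed demo credential store: one user, bcrypt hash built at startup
function demoUsers()
{
    static $users = null;
    if ($users === null) {
        $users = array('alice' => password_hash('demo-password', PASSWORD_DEFAULT));
    }
    return $users;
}

function login($username, $password)
{
    $users = demoUsers();
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // privilege change: discard the ID the browser arrived with (possibly
    // supplied by someone else) and bind the login to a brand-new one
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

bootSession();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login(isset($_POST['username']) ? $_POST['username'] : '',
                isset($_POST['password']) ? $_POST['password'] : '');
    header('Location: ' . ($ok ? '/home.php' : '/login.php?failed=1'));
    exit;
}
```

With cookies blocked in the browser, the Set-Cookie header is still sent by the server but never returned, so each request starts a fresh session and the login does not persist; a login that does persist means the browser is still sending PHPSESSID.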

The reason we have been talking about cookies is because I thought you wanted to verify that this feature was working by trying to force your browser not to accept cookies, and ensure that your site would not log the person in via a PHPSESSID URL parameter.

 

Yes, but not accepting cookies still lets me log in :) Is it because it is not real cookie data (what you mentioned before)?

 

I try to understand and test it before I'll put anything online.

Thank you so far.
