Re: [phplib] mod_rewrite for sessionids
From: Mike Green (Mike.Green <email protected>)
Date: 08/26/00

Michael,

I for one need a fix for this quickly. I activated a site earlier this month
for which I cannot use cookies to track sessions. The site is, therefore,
vulnerable to the problem you describe.

But the reason I cannot use cookies is because the user leaves the site to use
his credit card to pay for a subscription at a "merchant account" and then is
returned to the site by the "merchant account" with the session appended as a
query string when the credit card has been processed. Cookies didn't work. And
in this case your system wouldn't either -- unless $HTTP_REFERER could include
the merchant account's site, also. I tried using post to pass the session id to
and from the merchant account and then re-establish the session using cookies
when the user returned. But I couldn't get that to work. And I decided that,
since some would turn off cookies anyway, I shouldn't worry more about that
approach. But I have been worrying about the problem you mention...

Cheers!

Mike Green

Michael Chaney wrote:

> I am going to come up with a patch soon that will mostly solve this problem.
> What I'll do is add a new property to the session class called
> "check_referer_on_get". If that is set to "yes" or "1", a session id that
> comes in as a get variable will be ignored if $HTTP_REFERER isn't a page on
> the current site, forcing a new session to be created.
>
> I was bitten badly by this problem earlier this year. A client
> (www.patsgold.com) decided to give away a free CD on their site. Numerous
> people posted the link to the page on newsgroups and web sites, complete
> with a session id. One session had over 900 people register on it before I
> shut it down (I literally put code in session.inc to erase the session id if
> it was in a list of known posted ids). To make matters worse, I made the
> form automatically fill in a user's information, so everybody who went to
> that page saw someone else's name, address, and phone number. It was a
> nightmare.
>
> I fixed it by hard coding "bad" sessions to be ignored, forced the user to
> enter the password again before doing a registration or order (credit card
> information is never shown, thankfully), and added "If you're not
> first_name_of_login, click here.", which forces a new session to be created.
>
> For those of you who think that this is terrible, note that if you turn off
> cookies, go to cdnow.com, log in, and send the URL to a friend, they'll be
> logged in as you if they go to that URL within a couple of hours. This
> problem isn't limited to phplib, it's just a side effect of using get
> variables to track sessions.
>
> For those of you who think that we should just watch ip addresses, watch
> someone use your site via AOL sometime :)
>
> Michael
> --
> Michael Darrin Chaney
> mdchaney <email protected>
> http://www.michaelchaney.com

---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>
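As an added example (not phplib's code, and not the patch Michael describes), the check_referer_on_get rule from the quoted message written out in Python, extended with an allow-list of partner hosts so that the merchant-return case Mike raises can be handled explicitly rather than by accepting any referer. The query parameter name `sid`, the host names and the session id values are constructed for the demonstration.

```python
from urllib.parse import urlsplit


def referer_host(referer):
    """Return the lowercase hostname of a Referer URL, or None if it is
    missing, not http(s), or has no host part."""
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def accept_get_session_id(get_params, referer, site_host, extra_hosts=(),
                          param_name="sid"):
    """Return the session id carried in the query string only if it may be
    trusted, otherwise None (the caller then starts a fresh session).

    This mirrors check_referer_on_get: a session id arriving as a GET
    variable is honoured only when the Referer points at a page on this
    site or on an explicitly allowed partner host (e.g. a payment processor
    that sends the user back with the id in the URL). A missing Referer
    counts as "not on this site", so a link pasted into a newsgroup or mail
    never resumes somebody else's session.
    """
    sid = get_params.get(param_name)
    if not sid:
        return None
    host = referer_host(referer)
    if host is None:
        return None
    # Exact host comparison: a lookalike such as "www.example.com.evil.test"
    # merely starts with the site name and must not pass a prefix check.
    allowed = {site_host.lower(), *(h.lower() for h in extra_hosts)}
    return sid if host in allowed else None


if __name__ == "__main__":
    # Constructed sample requests, all carrying the same posted session id.
    site = "www.example.com"
    cases = [
        ("http://www.example.com/order.php", ()),          # own page: accept
        (None, ()),                                        # no Referer: reject
        ("http://news.example.net/thread/42", ()),         # posted link: reject
        ("http://www.example.com.evil.test/", ()),         # lookalike: reject
        ("https://pay.merchant.test/return", ("pay.merchant.test",)),
    ]
    for ref, partners in cases:
        print(repr(ref), "->", accept_get_session_id({"sid": "abc123"}, ref, site, partners))
```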