Date: 01/27/01
- Next message: Padraic Renaghan: "Re: [phplib] Security Risk: Session ID in server logs"
- Previous message: Emre Bastuz: "[phplib] Combining tpl_form with templates ?"
- Next in thread: Padraic Renaghan: "Re: [phplib] Security Risk: Session ID in server logs"
- Reply: Padraic Renaghan: "Re: [phplib] Security Risk: Session ID in server logs"
- Reply: Vibol Hou: "RE: [phplib] Security Risk: Session ID in server logs"
- Reply: abdel: "[phplib] who to get all table"
- Reply: John Sutton: "Re: [phplib] Security Risk: Session ID in server logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
PHPLIB uses GET mode for a user's initial access of a PHPLIB site, and puts
the session ID into the URL of the first page a user accesses. If the user
has cookies enabled, PHPLIB will then switch to cookie mode, and not put
the session ID in URLs anymore. (Of course, if they continue in GET mode,
it continues to be used.)
However, even that initial exposure of the session ID is written into the
server log (at least it is in Apache). Here's an example from my own server
(session ID and IP fudged a tiny bit):
216.11.222.333 - - [27/Jan/2001:13:42:57 -0800] \
"GET /index.html?angst_sess=6309f1c1c6f8adfb9e366b1 HTTP/1.0" \
200 3769 "-" "Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"
This is a security risk, because a crafty user could use that information
to take over someone's session.
My question is, is there a way to disable the writing of the session ID
into server logs, such as Apache's?
I know how to change the permissions on the log file, and prevent them from
being world-readable. But that's just a band-aid; I'd rather eliminate the
security risk entirely, and not have the session ID showing up in my logs.
Thanks!
Michael
--Visit MARS! <http://www.michaelandrochellessite.com/> --- Michael A. Alderete <mailto:alderete <email protected>> voice: (415) 861-5758
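As an added example that is not part of the original post or of PHPLIB itself, here is a small POSIX shell filter that strips the session-ID value out of Apache access-log lines before the log is stored, rotated or handed to anyone for analysis. It assumes the PHPLIB session parameter is named `angst_sess`, as in the log line quoted above, and uses a constructed copy of that line as its sample input.

```shell
#!/bin/sh
# Added example (not from the original post or from PHPLIB): redact the value
# of a PHPLIB-style session parameter from Apache access-log lines.
# Assumption: the session parameter is called "angst_sess", as in the post.

# Constructed sample log line, modelled on the one quoted in the post.
SAMPLE_LINE='216.11.222.333 - - [27/Jan/2001:13:42:57 -0800] "GET /index.html?angst_sess=6309f1c1c6f8adfb9e366b1 HTTP/1.0" 200 3769 "-" "Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"'

# Filter stdin to stdout: replace the value following "angst_sess=" (up to the
# next "&", space or double quote) with a fixed marker. The rest of the line,
# including client address, path, status and size, is left intact so the log
# remains useful for troubleshooting and traffic analysis.
redact_session_ids() {
    sed -e 's/\(angst_sess=\)[^&" ]*/\1[REDACTED]/g'
}

# Redact a single line given as an argument; prints the result on stdout.
redact_line() {
    printf '%s\n' "$1" | redact_session_ids
}

# Return 0 (true) if a line still carries a real-looking session ID value,
# i.e. an angst_sess= parameter whose value is not the redaction marker.
# Useful as a check before a log file leaves the server.
leaks_session_id() {
    printf '%s\n' "$1" | grep -q 'angst_sess=[^&" ]' &&
        ! printf '%s\n' "$1" | grep -q 'angst_sess=\[REDACTED\]'
}

# Typical use on a whole file:
#   redact_session_ids < /var/log/apache/access_log > access_log.redacted
```

Run as a pipeline stage in the log-rotation script, or on the fly if the server's log output can be piped through a program. An alternative that avoids recording the query string at all is to change Apache's `LogFormat` so that it logs `%m %U %H` (method, path without query string, protocol) in place of the full request line `%r`; that loses every query parameter, not just the session ID, so the filter above is the better fit when the rest of the query string is still wanted in the logs.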