Date: 01/27/01
- Next message: Eric Mings: "[phplib] Current integration with php4 sessions"
- Previous message: Michael A. Alderete: "[phplib] Security Risk: Session ID in server logs"
- In reply to: Michael A. Alderete: "[phplib] Security Risk: Session ID in server logs"
- Next in thread: Vibol Hou: "RE: [phplib] Security Risk: Session ID in server logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
* Michael A. Alderete <alderete <email protected>> [Jan 27 2:37pm]:
> PHPLIB uses GET mode for a user's initial access of a PHPLIB site, and puts
> the session ID into the URL of the first page a user accesses. If the user
> has cookies enabled, PHPLIB will then switch to cookie mode, and not put
> the session ID in URLs anymore. (Of course, if they continue in GET mode,
> it continues to be used.)
>
> However, even that initial exposure of the session ID is written into the
> server log (at least it is in Apache). Here's an example from my own server
> (session ID and IP fudged a tiny bit):
>
> 216.11.222.333 - - [27/Jan/2001:13:42:57 -0800] \
> "GET /index.html?angst_sess=6309f1c1c6f8adfb9e366b1 HTTP/1.0" \
> 200 3769 "-" "Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"
>
> This is a security risk, because a crafty user could use that information
> to take over someone's session.
This is a known issue with PHPLIB and many methods of session control
for that matter. See the list archives for discussion around it.
> My question is, is there a way to disable the writing of the session ID
> into server logs, such as Apache's?
I don't think so. Apache is writing the REFERER header to the log file.
You can tell your specific Apache installation to not record the
REFERER if you like (see the Apache documentation), but you won't be able to
tell any proxy servers or cache servers that are in between you and
the web browser to stop recording the REFERER.
If your sessions are that important, then you might consider requiring users
to use cookies. Then you can disable get as the fallback session mode, and
then PHPLIB won't do the redirect.
> I know how to change the permissions on the log file, and prevent them from
> being world-readable. But that's just a band-aid; I'd rather eliminate the
> security risk entirely, and not have the session ID showing up in my logs.
Your logs are easy. See the Apache documentation. The real security risk is
in the log files of other web servers, proxy servers, and cache servers.
-- Padraic Renaghan /pad-rik ren-a-han/ padraic <email protected>
AOL IM(gaim): PadraicRenaghan
http://renaghan.com/pcr/

---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>
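The reply above points to the Apache documentation for keeping the session ID out of your own logs. As an added example (not from this thread or from PHPLIB), here is a small Python filter that redacts the session-ID query parameter from Apache combined-format access-log lines already on disk, in both the request line and the Referer field, and an audit helper that lists which IDs a log has already exposed. It assumes the parameter name `angst_sess` seen in the quoted log entry; the sample log lines are constructed.

```python
import re

# Constructed sample Apache "combined" log lines in the shape shown in the
# original post (IP, session ID and referer values are made up).
SAMPLE_LOG = """\
216.11.222.333 - - [27/Jan/2001:13:42:57 -0800] "GET /index.html?angst_sess=6309f1c1c6f8adfb9e366b1 HTTP/1.0" 200 3769 "-" "Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"
216.11.222.333 - - [27/Jan/2001:13:43:10 -0800] "GET /page2.html?angst_sess=6309f1c1c6f8adfb9e366b1&x=1 HTTP/1.0" 200 1200 "http://example.test/index.html?angst_sess=6309f1c1c6f8adfb9e366b1" "Mozilla/3.0"
216.11.222.333 - - [27/Jan/2001:13:44:00 -0800] "GET /static/logo.gif HTTP/1.0" 200 900 "-" "Mozilla/3.0"
"""

# Query parameter names that carry a session identifier. "angst_sess" is the
# application-specific name visible in the post (assumed here); add the
# name(s) your own PHPLIB installation uses.
SESSION_PARAMS = ("angst_sess",)


def _param_pattern(names):
    alt = "|".join(re.escape(n) for n in names)
    # name=value inside a query string; the value ends at '&', whitespace or a quote,
    # so the same pattern works for the request line and the quoted Referer field.
    return re.compile(r"(?P<name>\b(?:%s))=(?P<value>[^&\s\"]+)" % alt)


def redact_line(line, names=SESSION_PARAMS):
    """Replace every session-ID value in one access-log line with [REDACTED]."""
    return _param_pattern(names).sub(r"\g<name>=[REDACTED]", line)


def redact_log(text, names=SESSION_PARAMS):
    """Redact a whole log (one access-log entry per line)."""
    return "\n".join(redact_line(l, names) for l in text.splitlines())


def leaked_session_ids(text, names=SESSION_PARAMS):
    """Audit helper: the distinct session IDs an existing log already exposes."""
    return sorted({m.group("value") for m in _param_pattern(names).finditer(text)})


if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
    print("leaked:", leaked_session_ids(SAMPLE_LOG))
```

Run it over an archived log before handing the file to anyone else; for live logging, prefer an Apache LogFormat that omits the query string or the Referer, as the reply suggests.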