Date: 01/28/01
- Next message: Jeroen Laarhoven: "Re: [phplib] Security Risk: Session ID in server logs"
- Previous message: Eric Mings: "[phplib] Current integration with php4 sessions"
- In reply to: Michael A. Alderete: "[phplib] Security Risk: Session ID in server logs"
- Next in thread: Jeroen Laarhoven: "Re: [phplib] Security Risk: Session ID in server logs"
- Reply: Jeroen Laarhoven: "Re: [phplib] Security Risk: Session ID in server logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
If you extend the PHPLIB session class to track IPs also, you won't have
this problem since sessions should be automatically destroyed if IPs don't
match.
--
Vibol Hou
http://khmer.cc

-----Original Message-----
From: Michael A. Alderete [mailto:alderete <email protected>]
Sent: Saturday, January 27, 2001 2:37 PM
To: phplib <email protected>
Subject: [phplib] Security Risk: Session ID in server logs
PHPLIB uses GET mode for a user's initial access of a PHPLIB site, and puts the session ID into the URL of the first page a user accesses. If the user has cookies enabled, PHPLIB will then switch to cookie mode, and not put the session ID in URLs anymore. (Of course, if they continue in GET mode, it continues to be used.)
However, even that initial exposure of the session ID is written into the server log (at least it is in Apache). Here's an example from my own server (session ID and IP fudged a tiny bit):
216.11.222.333 - - [27/Jan/2001:13:42:57 -0800] "GET /index.html?angst_sess=6309f1c1c6f8adfb9e366b1 HTTP/1.0" 200 3769 "-" "Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"
This is a security risk, because a crafty user could use that information to take over someone's session.
My question is, is there a way to disable the writing of the session ID into server logs, such as Apache's?
I know how to change the permissions on the log file, and prevent them from being world-readable. But that's just a band-aid; I'd rather eliminate the security risk entirely, and not have the session ID showing up in my logs.
Thanks!
Michael

--
Visit MARS! <http://www.michaelandrochellessite.com/>
---
Michael A. Alderete <mailto:alderete <email protected>>
voice: (415) 861-5758
--------------------------------------------------------------------- To unsubscribe, e-mail: phplib-unsubscribe <email protected> For additional commands, e-mail: phplib-help <email protected>
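The two points raised in this thread, the session ID landing in Apache's access log via the query string of the first GET, and Vibol's suggestion of binding sessions to the client IP, are shown together below in an added example. This is not PHPLIB code and not code from either poster; it is a small Python script that parses combined-format log lines, flags and scrubs any request that carried the session parameter, and then replays those requests against a toy IP-bound session table to show how a copied ID gets refused. The log lines, IP addresses and session ID value are constructed for the example; the parameter name `angst_sess` is the one from the log line in the thread, and any other parameter name is a site-specific assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache's "combined" LogFormat:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# %r is the full request line, query string included, which is exactly how
# a GET-mode session ID ends up in the log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameter(s) that carry the session ID. "angst_sess" is the name
# seen in the thread; anything else would be a site-specific assumption.
SESSION_PARAMS = ("angst_sess",)

# Constructed session ID and log lines (not real traffic). Line 1 is the
# GET-mode first hit, line 2 the same client after the switch to cookie
# mode, line 3 a different host replaying the ID copied from the log.
SID = "f00dfacedeadbeef0123456789abcd"
SAMPLE_LOG = (
    '216.11.222.33 - - [27/Jan/2001:13:42:57 -0800] '
    f'"GET /index.html?angst_sess={SID} HTTP/1.0" 200 3769 "-" '
    '"Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"\n'
    '216.11.222.33 - - [27/Jan/2001:13:43:02 -0800] '
    '"GET /page2.html HTTP/1.0" 200 1204 "-" '
    '"Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"\n'
    '10.0.0.7 - - [27/Jan/2001:13:50:11 -0800] '
    f'"GET /index.html?angst_sess={SID} HTTP/1.0" 200 3769 "-" "curl/7.0"\n'
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def session_ids(target):
    """Return every session ID value present in a request target's query string."""
    qs = parse_qs(urlsplit(target).query)
    return [v for name in SESSION_PARAMS for v in qs.get(name, [])]


def find_leaks(log_text):
    """List (client_ip, session_id) for each logged request that carried a session ID."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            for sid in session_ids(rec["target"]):
                leaks.append((rec["ip"], sid))
    return leaks


# Matches "<param>=<value>" in a query string so the value can be blanked
# before the line is retained or shipped anywhere.
SCRUB_RE = re.compile(
    r'(?<=[?&])(' + '|'.join(map(re.escape, SESSION_PARAMS)) + r')=[^&\s"]*'
)


def scrub_line(line):
    """Replace session ID values in a log line with a fixed placeholder."""
    return SCRUB_RE.sub(r'\1=REDACTED', line)


class IpBoundSessions:
    """Toy session table that binds an ID to the IP that first used it and
    destroys the session when a different IP presents the same ID."""

    def __init__(self):
        self._owner = {}           # session id -> client ip
        self.hijack_attempts = []  # (session id, owner ip, offending ip)

    def touch(self, sid, ip):
        """True if the request may use the session, False if it was refused."""
        owner = self._owner.get(sid)
        if owner is None:
            self._owner[sid] = ip
            return True
        if owner == ip:
            return True
        # Another client knows the ID (e.g. read it from the log): drop the
        # session so neither party can keep using it.
        del self._owner[sid]
        self.hijack_attempts.append((sid, owner, ip))
        return False


def replay(log_text):
    """Feed the logged session IDs through the IP-bound table in log order."""
    store = IpBoundSessions()
    decisions = [(ip, sid, store.touch(sid, ip)) for ip, sid in find_leaks(log_text)]
    return decisions, store.hijack_attempts


if __name__ == "__main__":
    for ip, sid, allowed in replay(SAMPLE_LOG)[0]:
        print(f"{ip:16} {sid}  {'ok' if allowed else 'REFUSED (session destroyed)'}")
    for line in SAMPLE_LOG.splitlines():
        print(scrub_line(line))
```

On the original question of keeping the ID out of Apache's log in the first place: the leak comes from `%r`, which logs the whole request line. A `LogFormat` that uses `%m %U %H` instead of `%r` records the method, the path without the query string, and the protocol, so the session parameter never reaches the file; `%q` is the only specifier that would put the query string back. Scrubbing as above is the fallback for logs that already exist or are written by something you do not control. Two caveats a practitioner would add: the first GET-mode URL is also sent as the Referer to any site the user clicks through to, so the log is not the only place the ID lands; and IP binding, while it defeats this particular replay, will also log out legitimate users whose address changes mid-session (proxy pools, dial-up reconnects) and does nothing against an attacker who shares the user's NAT address.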