Date: 01/28/01
- Next message: Jens Benecke: "[phplib] PHPLIB Tree class question"
- Previous message: Vibol Hou: "RE: [phplib] Security Risk: Session ID in server logs"
- In reply to: Vibol Hou: "RE: [phplib] Security Risk: Session ID in server logs"
- Next in thread: nathan r. hruby: "Re: [phplib] Security Risk: Session ID in server logs"
- Reply: nathan r. hruby: "Re: [phplib] Security Risk: Session ID in server logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> If you extend the PHPLIB session class to track IPs also, you won't have
> this problem since sessions should be automatically destroyed if IPs don't
> match.
We've had that discussion before: see list history (IPs are not unique,
etc.)
> However, even that initial exposure of the session ID is written into the
> server log (at least it is in Apache). Here's an example from my own server
> (session ID and IP fudged a tiny bit):
...
> This is a security risk, because a crafty user could use that information
> to take over someone's session.
Remember that session IDs are NOT user IDs! And they are 'logged in' only
temporarily.
Greetings
Jeroen.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Jeroen Laarhoven, Zwolle, Netherlands
business: jeroen <email protected>, www.webbridge.nl
private: jeroen <email protected>, www.zwolnet.com
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
----- Original Message -----
From: "Vibol Hou" <vibol <email protected>>
To: "Michael A. Alderete" <alderete <email protected>>;
<phplib <email protected>>
Sent: Sunday, January 28, 2001 11:04 AM
Subject: RE: [phplib] Security Risk: Session ID in server logs
> Hi,
>
> If you extend the PHPLIB session class to track IPs also, you won't have
> this problem since sessions should be automatically destroyed if IPs don't
> match.
>
> --
> Vibol Hou
> http://khmer.cc
>
> -----Original Message-----
> From: Michael A. Alderete [mailto:alderete <email protected>]
> Sent: Saturday, January 27, 2001 2:37 PM
> To: phplib <email protected>
> Subject: [phplib] Security Risk: Session ID in server logs
>
>
> PHPLIB uses GET mode for a user's initial access of a PHPLIB site, and puts
> the session ID into the URL of the first page a user accesses. If the user
> has cookies enabled, PHPLIB will then switch to cookie mode, and not put
> the session ID in URLs anymore. (Of course, if they continue in GET mode,
> it continues to be used.)
>
> However, even that initial exposure of the session ID is written into the
> server log (at least it is in Apache). Here's an example from my own server
> (session ID and IP fudged a tiny bit):
>
> 216.11.222.333 - - [27/Jan/2001:13:42:57 -0800] \
> "GET /index.html?angst_sess=6309f1c1c6f8adfb9e366b1 HTTP/1.0" \
> 200 3769 "-" "Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"
>
> This is a security risk, because a crafty user could use that information
> to take over someone's session.
>
> My question is, is there a way to disable the writing of the session ID
> into server logs, such as Apache's?
>
> I know how to change the permissions on the log file, and prevent them from
> being world-readable. But that's just a band-aid; I'd rather eliminate the
> security risk entirely, and not have the session ID showing up in my logs.
>
> Thanks!
>
> Michael
> --
>
>
> Visit MARS! <http://www.michaelandrochellessite.com/>
> ---
> Michael A. Alderete
> <mailto:alderete <email protected>> voice: (415) 861-5758
>
---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>