Date: 01/30/01
- Next message: John Sutton: "Re: [phplib] PHPLib and frames examples?"
- Previous message: A.C.N.S. Information and News: "Re: [phplib] PHPLib and frames examples?"
- In reply to: Michael A. Alderete: "[phplib] Security Risk: Session ID in server logs"
- Next in thread: A.C.N.S. Information and News: "Re: [phplib] Security Risk: Session ID in server logs"
- Reply: A.C.N.S. Information and News: "Re: [phplib] Security Risk: Session ID in server logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
We've "solved" this problem by overriding release_token in session.inc:
```php
var $fallback_page = "";          ## If in fallback mode show this page first
var $mode_test_id  = "modetest";  ## Used to determine whether we need
                                  ## to use fallback mode.

function release_token() {
  global $HTTP_COOKIE_VARS, $HTTP_GET_VARS,
         $HTTP_HOST, $HTTPS, $PHP_SELF, $QUERY_STRING;

  ## Only act when cookie mode is configured with GET as the fallback
  ## and the browser has not (yet) returned our cookie.
  if ( isset($this->fallback_mode)
       && ( "get" == $this->fallback_mode )
       && ( "cookie" == $this->mode )
       && ( ! isset($HTTP_COOKIE_VARS[$this->name]) ) ) {
    if ( isset($HTTP_GET_VARS[$this->name]) ) {
      ## The session id already travels in the URL: stay in GET mode.
      $this->mode = $this->fallback_mode;
    } else {
      if ( isset($HTTPS) && $HTTPS == 'on' ) {
        ## You will need to fix suexec as well, if you use Apache and CGI PHP
        $PROTOCOL = 'https';
      } else {
        $PROTOCOL = 'http';
      }
      $sid = "";  ## an empty id makes get_id() look up or generate the session id
      header("Status: 302 Moved Temporarily");
      if ( isset($HTTP_GET_VARS[$this->mode_test_id]) ) {
        ## The test marker came back without a cookie: the browser does not
        ## accept cookies, so switch to GET mode and go to the fallback page.
        $this->mode = $this->fallback_mode;
        $this->get_id($sid);
        if ( $this->fallback_page == "" )
          $this->fallback_page = $this->self_url();
        else {
          ## Strip the marker from the query and hand the original URL
          ## to the fallback page in the marker parameter.
          $regex = "^(.*)\?(.*)".$this->mode_test_id."=[^&]*&(.*)$";
          $this->fallback_page = $this->fallback_page."?".
            $this->mode_test_id."=".
            ereg_replace($regex, '\1&\2\3', $this->self_url());
        }
        header("Location: ".$PROTOCOL."://".$HTTP_HOST.$this->fallback_page);
      } else {
        ## First hit: get_id() creates the session (and sets the cookie in
        ## cookie mode); redirect with only the test marker in the URL,
        ## never the session id.
        $this->get_id($sid);
        header("Location: ".$PROTOCOL."://".$HTTP_HOST.$this->self_url().
          $this->add_query(array(urlencode($this->mode_test_id) => "1")));
      }
      exit;
    }
  }
}
```
In this way, a cookie-enabled session never has its session id exposed in the
URL. And if you set $fallback_page to some page reference, e.g. /fallback.html,
then you can warn non-cookie-enabled browsers about the risks they are taking:
```php
<?php
## Fallback page shown to browsers that did not return our cookie.
## rollOverCache() and rollOverButton() are site-local helpers that are
## not included in this message; $sess is the PHPLib session object.
$extra_javascript .= rollOverCache(array("nc_proceed", "nc_tryagain"));

function body() {
  global $HTTP_GET_VARS, $QUERY_STRING, $sess;
?>
<STRONG>
Your browser did not accept our cookie!<BR>
<BR>
The site will work fine regardless but you should be aware that
there is a slight security risk because your session identifier is
visible in the URL. This risk is greater still if you are connected
to our site through a proxy server or cache server which you do not
control.<BR>
<BR>
You can either Proceed Anyway or enable cookies in your browser and Try Again.<BR>
<BR>
<CENTER>
<?php
  ## "Proceed Anyway": on to the original page (kept in the marker
  ## parameter) in GET mode, i.e. with the session id in the URL.
  rollOverButton($sess->url($HTTP_GET_VARS[$sess->mode_test_id].
                 ($QUERY_STRING ? "?$QUERY_STRING" : '')), 'nc_proceed');
?> <?php
  ## "Try Again": back to the original page with the marker parameter
  ## removed from the query string.
  $query = ereg_replace($sess->mode_test_id."=[^&]*&", "", $QUERY_STRING);
  rollOverButton($HTTP_GET_VARS[$sess->mode_test_id].
                 ($QUERY_STRING ? "?$query" : ''), 'nc_tryagain');
?>
</CENTER>
</STRONG>
<?php } // end body() ?>
```
Hope that helps.
On Sat, 27 Jan 2001, you wrote:
> PHPLIB uses GET mode for a user's initial access of a PHPLIB site, and puts
> the session ID into the URL of the first page a user accesses. If the user
> has cookies enabled, PHPLIB will then switch to cookie mode, and not put
> the session ID in URLs anymore. (Of course, if they continue in GET mode,
> it continues to be used.)
>
> However, even that initial exposure of the session ID is written into the
> server log (at least it is in Apache). Here's an example from my own server
> (session ID and IP fudged a tiny bit):
>
> 216.11.222.333 - - [27/Jan/2001:13:42:57 -0800] \
> "GET /index.html?angst_sess=6309f1c1c6f8adfb9e366b1 HTTP/1.0" \
> 200 3769 "-" "Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"
>
> This is a security risk, because a crafty user could use that information
> to take over someone's session.
>
> My question is, is there a way to disable the writing of the session ID
> into server logs, such as Apache's?
>
> I know how to change the permissions on the log file, and prevent them from
> being world-readable. But that's just a band-aid; I'd rather eliminate the
> security risk entirely, and not have the session ID showing up in my logs.
>
> Thanks!
>
> Michael
> --
>
>
> Visit MARS! <http://www.michaelandrochellessite.com/>
> ---
> Michael A. Alderete
> <mailto:alderete <email protected>> voice: (415) 861-5758
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: phplib-unsubscribe <email protected>
> For additional commands, e-mail: phplib-help <email protected>
--
***************************************************
John Sutton
SCL Computer Services
URL http://www.scl.co.uk/
Tel. +44 (0) 1239 621021
***************************************************
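As an added illustration of the redirect dance in the override above (this is a Python model written for this page, not code from the thread or from PHPLib): it simulates both behaviours, the original one the poster describes, where the session id is put into the first redirect URL, and the marker-based override, against a cookie-enabled and a cookie-less browser, and records the request URLs as an Apache access log would. The names angst_sess and modetest come from the thread; the function names and the redirect bookkeeping are assumptions of the model.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Names taken from the thread: the session parameter seen in the quoted
# log line and the marker parameter added by the release_token() override.
SESS_NAME, MODE_TEST = "angst_sess", "modetest"

def with_query(url, key, value):
    """Return url with key=value added to (or replaced in) its query string."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query[key] = [value]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

def release_token(url, cookies, use_marker):
    """Model of one server-side release_token() call.  Returns either
    ('redirect', location, cookie_value_or_None) or ('page', mode, sid).
    use_marker=False models what the original poster describes (sid put
    into the very first redirect); True models the override on the page."""
    query = parse_qs(urlsplit(url).query)
    if SESS_NAME in cookies:                      # cookie came back: cookie mode
        return ("page", "cookie", cookies[SESS_NAME])
    if SESS_NAME in query:                        # already in GET fallback mode
        return ("page", "get", query[SESS_NAME][0])
    sid = secrets.token_hex(12)                   # fresh id, as get_id() would make
    if use_marker and MODE_TEST not in query:
        # first hit: offer the cookie, redirect carrying only the marker
        return ("redirect", with_query(url, MODE_TEST, "1"), sid)
    # marker came back without a cookie (or no marker logic at all):
    # fall back to GET mode, so the sid is now part of the URL
    return ("redirect", with_query(url, SESS_NAME, sid), None if use_marker else sid)

def browse(start_url, accepts_cookies, use_marker):
    """Follow redirects like a browser.  Returns the final ('page', mode, sid)
    and the request URLs in the order an access log would record them."""
    cookies, log, url = {}, [], start_url
    for _ in range(5):                            # guard against redirect loops
        log.append(url)
        result = release_token(url, cookies, use_marker)
        if result[0] == "page":
            return result, log
        _, url, set_cookie = result
        if accepts_cookies and set_cookie:
            cookies[SESS_NAME] = set_cookie
    raise RuntimeError("redirect loop")

def sid_logged(log):
    """True if any recorded request URL would expose the session id."""
    return any(SESS_NAME + "=" in line for line in log)
```

With the override, only the cookie-less browser ever has its session id in a request URL; without it, every first visit leaks the id into the log, which is exactly the line quoted in the original message.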