Date: 01/30/01
- Next message: Dani mediaactive: "[phplib] passing javascript variables"
- Previous message: Max A. Derkachev: "[phplib] README on session4_custom.inc"
- In reply to: John Sutton: "Re: [phplib] Security Risk: Session ID in server logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sorry for the top post, but I tried your little fix and it doesn't work on
my system. Still working on it. I get the cookie and still get directed to
the fallback page. Will let you know what I find.
Chuck.
----- Original Message -----
From: "John Sutton" <john <email protected>>
To: <phplib <email protected>>
Sent: Tuesday, January 30, 2001 1:08 PM
Subject: Re: [phplib] Security Risk: Session ID in server logs
> We've "solved" this problem by overriding release_token in session.inc:
>
> var $fallback_page = "";          ## If in fallback mode show this page first
> var $mode_test_id = "modetest";   ## Used to determine whether we need
>                                   ## to use fallback mode.
> function release_token(){
>   global $HTTP_COOKIE_VARS, $HTTP_GET_VARS,
>          $HTTP_HOST, $HTTPS, $PHP_SELF, $QUERY_STRING;
>   if ( isset($this->fallback_mode)
>        && ( "get" == $this->fallback_mode )
>        && ( "cookie" == $this->mode )
>        && ( ! isset($HTTP_COOKIE_VARS[$this->name]) ) ) {
>     if ( isset($HTTP_GET_VARS[$this->name]) ) {
>       $this->mode = $this->fallback_mode;
>     } else {
>       if( isset($HTTPS) && $HTTPS == 'on' ){
>         ## You will need to fix suexec as well, if you use Apache and CGI PHP
>         $PROTOCOL='https';
>       } else {
>         $PROTOCOL='http';
>       }
>       header("Status: 302 Moved Temporarily");
>       if ( isset($HTTP_GET_VARS[$this->mode_test_id]) ) {
>         $this->mode = $this->fallback_mode;
>         $this->get_id($sid);
>         if ( $this->fallback_page == "" )
>           $this->fallback_page = $this->self_url();
>         else {
>           $regex = "^(.*)\?(.*)".$this->mode_test_id."=[^&]*&(.*)$";
>           $this->fallback_page = $this->fallback_page."?".
>             $this->mode_test_id."=".
>             ereg_replace($regex, '\1&\2\3', $this->self_url());
>         }
>         header("Location: ".$PROTOCOL."://".$HTTP_HOST.$this->fallback_page);
>       } else {
>         $this->get_id($sid);
>         header("Location: ".$PROTOCOL."://".$HTTP_HOST.$this->self_url().
>           $this->add_query(array(urlencode($this->mode_test_id) => "1")));
>       }
>       exit;
>     }
>   }
> }
>
> In this way, a cookie enabled session never has its session id exposed in the
> URL. And if you set $fallback_page to some page reference e.g. /fallback.html
> then you can warn non-cookie enabled browsers about the risks they are taking:
>
> <?php
> $extra_javascript .= rollOverCache(array("nc_proceed","nc_tryagain"));
>
> function body() {
>   global $HTTP_GET_VARS, $QUERY_STRING, $sess;
> ?>
> <STRONG>
> Your browser did not accept our cookie!<BR>
> <BR>
> The site will work fine regardless but you should be aware that
> there is a slight security risk because your session identifier is
> visible in the URL. This risk is greater still if you are connected
> to our site through a proxy server or cache server which you do not
> control.<BR>
> <BR>
> You can either Proceed Anyway or enable cookies in your browser and Try Again.<BR>
> <BR>
> <CENTER>
> <?php
>   rollOverButton($sess->url($HTTP_GET_VARS[$sess->mode_test_id].
>                  ($QUERY_STRING?"?$QUERY_STRING":'')), 'nc_proceed');
> ?> <?php
>   $query = ereg_replace($sess->mode_test_id."=[^&]*&", "", $QUERY_STRING);
>   rollOverButton($HTTP_GET_VARS[$sess->mode_test_id].
>                  ($QUERY_STRING?"?$query":''), 'nc_tryagain');
> ?>
> </CENTER>
> </STRONG>
> <?php } // end body() ?>
>
> Hope that helps.
>
> On Sat, 27 Jan 2001, you wrote:
> > PHPLIB uses GET mode for a user's initial access of a PHPLIB site, and puts
> > the session ID into the URL of the first page a user accesses. If the user
> > has cookies enabled, PHPLIB will then switch to cookie mode, and not put
> > the session ID in URLs anymore. (Of course, if they continue in GET mode,
> > it continues to be used.)
> >
> > However, even that initial exposure of the session ID is written into the
> > server log (at least it is in Apache). Here's an example from my own server
> > (session ID and IP fudged a tiny bit):
> >
> > 216.11.222.333 - - [27/Jan/2001:13:42:57 -0800] \
> > "GET /index.html?angst_sess=6309f1c1c6f8adfb9e366b1 HTTP/1.0" \
> > 200 3769 "-" "Mozilla/3.0 (PowerPC [en] Mac OS 9.1; Sun)"
> >
> > This is a security risk, because a crafty user could use that information
> > to take over someone's session.
> >
> > My question is, is there a way to disable the writing of the session ID
> > into server logs, such as Apache's?
> >
> > I know how to change the permissions on the log file, and prevent them from
> > being world-readable. But that's just a band-aid; I'd rather eliminate the
> > security risk entirely, and not have the session ID showing up in my logs.
> >
> > Thanks!
> >
> > Michael
> > --
> >
> >
> > Visit MARS! <http://www.michaelandrochellessite.com/>
> > ---
> > Michael A. Alderete
> > <mailto:alderete <email protected>> voice: (415) 861-5758
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: phplib-unsubscribe <email protected>
> > For additional commands, e-mail: phplib-help <email protected>
> --
>
> ***************************************************
> John Sutton
> SCL Computer Services
> URL http://www.scl.co.uk/
> Tel. +44 (0) 1239 621021
> ***************************************************
>
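An added model of the cookie-test redirect that the quoted release_token override performs (this is not phplib's code nor John's patch): it plays both sides of the exchange and records the request lines an Apache access log would keep, so you can verify that a cookie-accepting browser never gets its session id into the log while a cookie-refusing one falls back to GET. The names serve, browse and leaked_ids, the hex session ids and the log line format are all my own constructions.

```python
import re
import secrets
from urllib.parse import urlencode

SESS = "angst_sess"    # session name, as in the log line quoted in the thread
MODETEST = "modetest"  # the probe parameter the posted release_token() adds

def serve(path, query, cookies, access_log):
    """Server side of one request.  Appends the request line to access_log
    (the part of an Apache log that would carry the id) and returns
    (status, redirect_target, set_cookie)."""
    qs = "?" + urlencode(query) if query else ""
    access_log.append(f"GET {path}{qs} HTTP/1.0")
    if SESS in cookies or SESS in query:
        return 200, None, None        # established session, either mode
    sid = secrets.token_hex(12)       # constructed stand-in for phplib's id
    if MODETEST in query:
        # Probe came back without the cookie: GET fallback, id goes in the URL
        fallback = {k: v for k, v in query.items() if k != MODETEST}
        fallback[SESS] = sid
        return 302, (path, fallback), None
    # First visit: hand out the cookie and redirect to a probe URL; the id
    # itself is never placed in the URL, so it never reaches the access log
    return 302, (path, {**query, MODETEST: "1"}), (SESS, sid)

def browse(path, query, accepts_cookies, max_hops=5):
    """Client side: follow redirects, honouring Set-Cookie only when the
    browser accepts cookies.  Returns (final_query, cookie_jar, access_log)."""
    jar, log = {}, []
    for _ in range(max_hops):
        status, target, set_cookie = serve(path, query, jar, log)
        if set_cookie and accepts_cookies:
            jar[set_cookie[0]] = set_cookie[1]
        if status != 302:
            return query, jar, log
        path, query = target
    raise RuntimeError("redirect loop")

def leaked_ids(access_log):
    """Defender's check: every session id that made it into the log."""
    return [m for line in access_log
            for m in re.findall(rf"{SESS}=([0-9a-f]+)", line)]

if __name__ == "__main__":
    for accepts in (True, False):
        _, jar, log = browse("/index.html", {}, accepts)
        print("cookies accepted" if accepts else "cookies refused",
              "-> ids in log:", leaked_ids(log), "cookie jar:", jar)
```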

