[phplib] Session ID randomness/security ? From: Jarno Huuskonen (Jarno.Huuskonen <email protected>)
Date: 08/02/01

Hi,

I have some concerns about the way phplib creates session id's.

Here's a snippet from session.inc:
$id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);

The session id generation uses PHP's uniqid function. Uniqid takes
timeofday and $this->magic and creates the 'unique' string:

    if (MORE_ENTROPY) {
        sprintf(uniqid, "%s%08x%05x%.8f", (*prefix)->value.str.val, sec,
                usec, php_combined_lcg() * 10);
    } else {
        sprintf(uniqid, "%s%08x%05x", (*prefix)->value.str.val, sec, usec);
    }

The problem with this id generation (AFAIK) is that an attacker can
approximate the timeofday and if the $this->magic is known
(for example some opensource project or silly admins who don't change
default values) then the attacker has a limited range of values to try:
For a given second there're 1000000 usec values (this probably comes down
because some computers don't have usec resolution timers??).

If the site uses SSL and the attacker can snoop the connection he can
estimate the timeofday even more accurately (and if the connection is in
clear all this doesn't matter because the attacker can pick up the
session id).

IMHO it would be a good idea to use 'external' randomness for session id
creation. Php(4).ini has two options for this:
; session.entropy_length = 16
; session.entropy_file = /dev/urandom

Why not use the same entropy source as php4's own session tracking? In
(pseudocode):
if ($this->use_entropy && ini_get('session.entropy_file') != '') {
    $entropy = '';
    $len = (int) ini_get('session.entropy_length');
    if ($len > 0 && ($fp = @fopen(ini_get('session.entropy_file'), 'rb'))) {
        $entropy = fread($fp, $len);   /* raw bytes, e.g. from /dev/urandom */
        fclose($fp);
    }
    /* mix the entropy into the uniqid prefix; falls back to magic only if the read failed */
    $id = $this->that->ac_newid(md5(uniqid($this->magic . $entropy)), $this->name);
} else {
    $id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);
}

This should make the session id harder to guess and probably
doesn't add too much overhead. (One more possible enhancement would be
to use the optional extra lcg parameter to uniqid).

Any thoughts / feedback welcome. (If this has been discussed before
could you point me in the right direction).

-Jarno

-- 
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen <email protected>
University of Kuopio - Computer Center   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169

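Added example (not from the post above or from the phplib project): a Python model of the point Jarno makes. It reproduces the non-MORE_ENTROPY layout of PHP's uniqid() ("%s%08x%05x": prefix, seconds, microseconds), shows that with a known prefix the value is nothing but a timestamp, quantifies the usec search space per second of uncertainty (the post's 1000000 figure), and then builds the proposed hardened id by mixing OS entropy into the hashed material. The function names, the magic value "Phplib" and the use of os.urandom in place of reading session.entropy_file are assumptions made for this illustration.

```python
import hashlib
import os
import time

# Assumed placeholder for phplib's $this->magic; constructed for this example.
ASSUMED_MAGIC = "Phplib"


def php_uniqid(prefix, sec, usec):
    """Mirror uniqid()'s non-MORE_ENTROPY layout:
    prefix, then seconds as 8 hex digits, then microseconds as 5 hex digits."""
    return "%s%08x%05x" % (prefix, sec, usec)


def decode_uniqid(value, prefix):
    """Given a known prefix, recover the (sec, usec) pair a uniqid() value encodes.
    This is the security-relevant observation: the id carries no secret beyond the
    prefix, only the creation time."""
    if not value.startswith(prefix):
        raise ValueError("prefix does not match")
    body = value[len(prefix):]
    if len(body) != 13:
        raise ValueError("unexpected uniqid length")
    return int(body[:8], 16), int(body[8:], 16)


def candidate_count(second_window):
    """Size of the time-only uniqid() search space for a known prefix:
    one million usec values for every second of uncertainty about the clock."""
    return second_window * 1_000_000


def hardened_session_id(magic, entropy_length=16):
    """The post's proposal: read entropy_length bytes from an OS entropy source
    (os.urandom here stands in for session.entropy_file = /dev/urandom) and mix
    them into the uniqid prefix before hashing. md5 is kept to mirror the
    phplib line being discussed; the unpredictability comes from the entropy."""
    entropy = os.urandom(entropy_length)
    now = time.time()
    sec = int(now)
    usec = int((now % 1) * 1_000_000)
    material = magic.encode() + entropy + php_uniqid("", sec, usec).encode()
    return hashlib.md5(material).hexdigest()


if __name__ == "__main__":
    # Constructed timestamp: 0x3b6ab0a3 seconds, 0x1e240 (123456) microseconds.
    sample = php_uniqid(ASSUMED_MAGIC, 0x3b6ab0a3, 0x1e240)
    print("time-only uniqid:", sample, "->", decode_uniqid(sample, ASSUMED_MAGIC))
    print("candidates for a 1 s clock window:", candidate_count(1))
    print("hardened id:", hardened_session_id(ASSUMED_MAGIC))
```

Running it twice gives two different hardened ids for the same magic and the same second, whereas two time-only ids differ only in the usec field; that difference is exactly what the session.entropy_file proposal buys.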
-- Unsubscribe by mailing: phplib-unsubscribe <email protected> Command list by mailing: phplib-help <email protected>