Hello All,

I've been doing a lot of PHP programming since I last posted here. I've run across two security related things with sessions that you may or may not know about.

The first one pertains to the session id, or the id that PHP assigns each computer when a session is created. This id is either stored in a cookie (search for PHPSESSID) or through the URL as GET data. Remember that all session data is stored server side; this ID is the only thing that PHP will use to differentiate your computer from someone else's. While I was programming for Plug Computers, I decided to experiment with logging into the Admin CP I built, copying the session ID from my computer, and putting it as a cookie on the other computer. Sure enough, both computers were recognized as logged into the admin CP.

This poses a very serious threat to anyone that knows what they are doing with sessions. However, there is a system that I use to eliminate this from occurring. PHP has a bunch of functions for working with sessions. I utilize the "session_regenerate_id", which will change the session ID every time it is invoked. This way, if someone is able to capture someone's session ID, the next time that function is invoked, the ID will be useless.



I recommend doing that every time your user loads a new page.

The second discovery I've made pertains to using local variables and session variables. When I write PHP for people I use PHP version 5.2.2. I believe newer versions have addressed and fixed this issue. But just in case, I'll share what I've found anyway.

Firstly, let me tell you what I mean by a local variable. Look at the code below:



Variables within functions are not considered local variables because when a user-defined function is invoked, PHP will create the variables within that function, and then destroy them once the function has been completed. Other variables outside of functions are considered "local variables", with the exception of superglobals ($_POST, $_GET, $_COOKIE, $_SERVER).

I am currently writing some PHP for a tenis coach in Indiana who wants a way to allow his students to keep track of work out routines, keep a blog, keep notes on opponents and other things like that. When working with the Admin CP and creating a "add user" form for the site, I noticed that the key 'username' in the session superglobal would change each time I ran the script.

Here is the code in question:


The value in $_SESSION['username'] was changed to $username. It's a bug that also caused me some difficulty with Plug Computers. I had to change all of my $id's to $id1's to avoid it.

Hope this helps someone out.

 

 

 

Reply

I never actually thought about the session variable being a security hole. Thanx for pointing that out mate.

The thing about local and global variables must be known by every php coder. I mean this is like the abc of this thing.

Keep up posting.

Reply

This is the main reason I don't use session in php. I write it myself, come up with a random string and make my own cookie this way I have more control over it. I check the IP address that was logged in with, with the one trying to get the request.

Reply

That would work with Users that have a Static IP, but how do you handle Dynamic IP's?

Reply

Nice one, I had to added it my favorites to consider it for whenever I am programming something with php. I am currently working on an admin cp for a business that sells boots. This will really come in handy. Thanks.

Reply