#27 Block auto-session and cookie-bypass

closed
nobody
None
5
2002-06-11
2002-05-31
No

Hi,
I've written a patch that will block anyone that tries
to post a bogus session.

I came to this choice through the following path:

I hated the 'form' state in auth, that precluded the
way to show a form anywhere and had the uncomfortable
cacel_login button
But I recognized that having this attribute of
auth[uid] set to 'form' would guarantee that anyone had
already got a session at least.
You could not just post the login form. If the auth
state (saved in session) was not 'form' that data would
be ignored.
But Then I thought that if you had a valid session,
that meant the same: block direct posting of
registration or login, by a script let's
say.

A valid session... And here I found the disgrace that
it is extremely easy to obtain the session you like,
even if cookies are on: just
put it in the url (?Example_Session=bogus), and you can
find it back, pass it over to someone else, and in the
end steal a lot easier.
Actually this is also the way PHP4 session work: if you
have PHPSESSID=anything in the URL, it forces 'get'
propagation and that
session name!!!
So I made this patch. It blocks the bogus session i
URL, it prevents from forcing 'get' mode even if you
have cookies enabled.
I don't know hot to do the parallel for the native PHP4
session...

I'd be happy if anyone tried it and give me a feedback.
It can be varnished here and there.with an 'Invalid
Session' page.
This is a prototype, I tried it with Netscape under
Linux.

Giancarlo Pinerolo

Discussion

  • new session.inc file

     
    Attachments
  • Logged In: YES
    user_id=163488

    How it works:

    jus before sending you looping through the Header:302 (the
    cookie test), after a new session string is created ,the
    session get created, a variable $validsession is registered
    in it and valued 'yes'. (there can be a better way, maybe
    cheching for some fingerprints of an existing phplib
    object...)

    When in 'get' mode (either by fallback or whatever), don't
    assume cookies are disabled: leave them anyway, they won't
    hurt.

    All this policy can be 'relaxed' in a particular extension
    of the session class, and code can be added so that in
    particuler pages you can adopt the policy as before.

    I just hope that if you like this, take a look at my other
    patch about a more clean and clear auth start method (no
    more auth[uid]=='form' nor mode==log/reg constraints), the
    reason why I went into this patch at first.

     
  • added server fingerprint in session.inc

     
    Attachments
  • Logged In: YES
    user_id=163488

    this has been superceded by patch 563700, which I finally
    committed to the php-lib-stable

     
    • status: open --> closed