Re: [Phplib-users] cookie_mode, fallback_mode, security
From: D R. <da...@er...> - 2002-06-13 11:17:12
Basic question here: Could someone briefly explain why having a SID in the URL is so much more vulnerable to interception than being passed back via a cookie? (I did not understand Sascha Schumann's 'social engineering' reasoning.) If, say, the connection is secure, is not 'all' the data (including all the URL) also encrypted?

Thanks

David

----- Original Message -----
From: "Giancarlo Pinerolo" <gia...@na...>
To: "phplib-users" <php...@li...>
Sent: Thursday, June 13, 2002 9:34 AM
Subject: [Phplib-users] cookie_mode, fallback_mode, security

People that disable cookies know that they have to re-enable them before doing their home banking. In fact the session mode="cookie" combined with fallback_mode="cookie" and the block_alien_sid setting will never, ever allow a SID to be forcedly taken from a basically untrustable origin: the URL, that is, user input.

The session manager of php4 had no possibility to block it, but I wrote to Sascha Schumann and I got this patch, which should add a session.use_only_cookies to php.ini. So I think this will soon take the session4 level of security to that of the stable cvs branch.

I want to stress the importance of such a setting, and the fact that, as php has been since session inception, there has been no way to set up php NOT to give priority anyway to a SID in the URL. This flaw could allow a whole series of stealth appropriation or reappropriation of session statuses.

This is it

Giancarlo

> Hi,
>
> I have now committed source for an additional option which enables
> administrators to protect their users from this whole class
> of attacks.
>
> By enabling `session.use_only_cookies`, all data sources but
> cookies will be disabled. Attacks which rely on the ability
> of passing session ids in URLs will become ineffective
> immediately.
>
> Please note that this class of attacks relies on social
> engineering. To the same extent, your users could be
> manipulated to enter their credentials into a faked
> login screen or make them available to the attacker through
> alternative means.
>
> The option `session.use_only_cookies` has been committed to
> the PHP CVS which means that it will be available with the
> next PHP release. You can upgrade existing PHP deployments
> by applying this patch:
>
> http://apache.org/~sascha/use-only-cookies.txt
>
> Regards,
> - Sascha
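The setting Sascha describes and the PHPLIB "block alien SID" idea Giancarlo relies on, as an added example of a hardened session bootstrap. This code is not from the thread, from PHPLIB or from PHP's own sources; `harden_session`, `sid_source`, `login_user` and the cookie name `APPSESSID` are hypothetical. `session.use_only_cookies` and `session.use_trans_sid` are the settings discussed on the list; `session.use_strict_mode` is a later PHP addition (5.5.2+) that rejects ids the server never issued, which is the closest stock equivalent of block_alien_sid, and `session.cookie_secure`/`session.cookie_httponly` are standard cookie flags that are not discussed here.

```php
<?php
// Added example (not from the thread, PHPLIB or PHP): trust only the cookie
// as the source of the session id, and log when a request tries otherwise.
// All function names and the cookie name are hypothetical.

const SESSION_NAME = 'APPSESSID';   // constructed cookie name for this example

// Classify where a request's session id came from. Returns 'cookie', 'url'
// or 'none'. A SID that is present in the query string but absent from the
// cookie jar is user input, exactly the case Giancarlo calls an "alien" SID.
function sid_source(array $get, array $cookie): string
{
    if (isset($cookie[SESSION_NAME])) {
        return 'cookie';
    }
    if (isset($get[SESSION_NAME])) {
        return 'url';
    }
    return 'none';
}

function harden_session(): void
{
    // Weak defaults the thread complains about: a SID found in the URL is
    // honoured, and the runtime even rewrites links to carry it.
    //   session.use_only_cookies = 0
    //   session.use_trans_sid    = 1
    // Corrected settings; use_only_cookies is the option Sascha committed.
    ini_set('session.use_only_cookies', '1');  // ignore ?APPSESSID=... in the URL
    ini_set('session.use_trans_sid', '0');     // never write the SID into links
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue (PHP >= 5.5.2)
    ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts
    ini_set('session.cookie_secure', '1');     // send the cookie over TLS only
    session_name(SESSION_NAME);

    // Detection: an id arriving only via the URL is worth a log line even
    // though the engine will now ignore it.
    if (sid_source($_GET, $_COOKIE) === 'url') {
        error_log('session id offered in URL and not in cookie, ignoring it');
        unset($_GET[SESSION_NAME]);   // keep later code from reading it by accident
    }
    session_start();
}

function login_user(string $userId): void
{
    // Issue a fresh id at privilege change: whatever id the visitor arrived
    // with, from any source, is not the one that carries the authenticated state.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['issued_at'] = time();
}

harden_session();
```

The `ini_set` calls must run before `session_start()`; in a real deployment they belong in php.ini or the web server's PHP configuration so that every script inherits them. Regenerating the id on login is the complement to refusing URL-borne ids: even if a stale id leaks through a referer or a log, it never names an authenticated session.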