watch out your PHPSESSID [XOOPS general usage questions] - XOOPS Web Application System

XOOPS

Forum

Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk

1

watch out your PHPSESSID

2005/7/28 11:18
phppp
XOOPS Contributor
Posts: 2857
Since: 2004/1/25

STRONGLY suggest you, who has PHPSESSID enabled, to tur off "session.use_trans_sid"!

I have a referrer tracking module installed and I could easily get a complete admin right of your site with your sessionid

2

Re: watch out your PHPSESSID

2005/7/28 11:32
Herko
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1

Can you explain a bit about how to protect a php session ID, and when this occurs?

Thanks

Herko

3

Re: watch out your PHPSESSID

2005/8/19 22:16
JamesSAEP
Just can't stay away
Posts: 732
Since: 2005/2/28

Quote:

phppp wrote:
STRONGLY suggest you, who has PHPSESSID enabled, to tur off "session.use_trans_sid"!

How do I turn this off?

I have a user on one of my site (2.0.13a) that says when she logs in she is always redirected to "http://www.webdiscourse.com/?PHPSESSID=..."

Is this a different problem?

4

Re: watch out your PHPSESSID

2005/9/1 12:20
macmend
Quite a regular
Posts: 285
Since: 2004/2/27

I'd like to know about this too

Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

5

Re: watch out your PHPSESSID

2005/9/1 12:30
phppp
XOOPS Contributor
Posts: 2857
Since: 2004/1/25

"PHPSESSID" is kind of complex, could be caused by server side or by client side.

There is no perfect solution but I would suggest an extra security check (combining other related concerns) for entering admin area in XOOPS next version.

6

Re: watch out your PHPSESSID

2005/9/1 12:33
macmend
Quite a regular
Posts: 285
Since: 2004/2/27

I have put this in the htaaccess file for www.jonathanspencer.net

php_flag session.use_trans_sid off

do you think that will that work

Google on the last flyby went through everything 300 times, which suggests aproblem on site with session ids. which is why I asked

Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

7

Re: watch out your PHPSESSID

2005/9/1 13:17
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

it should work :)

another measure to take aswell as the above. is to enable session_use_only_cookies in php.ini or via htaccess

session_use_only_cookies = 1

8

Re: watch out your PHPSESSID

2005/9/1 13:21
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

@DJ

i found this nice article that may or may not be of use for improving security too.

* DESCRIPTION:
* ------------------------------------------------------------------------
* This library tells the PHP4 session handler to write to a MySQL database
* instead of creating individual files for each session.
* In fact it is quite secure as it can do a check against ip. This avoid
* hacking of the cookie containing session_id by its intercept and use
* on an other computer. It retrives firewall ip and client ip too.
* It also has default value to override session.use_trans_sid so it disabale
* use it as it is not secure at all.

u can find the script here

9

Re: watch out your PHPSESSID

2005/9/1 13:57
macmend
Quite a regular
Posts: 285
Since: 2004/2/27

it seems better the cookie line creates a 500 error, so i am unable to use it in htaaccess, I will take a look at the script

Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

10

Re: watch out your PHPSESSID

2005/9/1 14:00
Dave_L
XOOPS is my life!
Posts: 2277
Since: 2003/11/7

In .htaccess, it would be:

php_flag session.use_only_cookies on

Login

Username

Password

Remember me

Register now! | Lost Password?

Search

Advanced Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

3/16 2:02 Mamba
Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

3/14 20:34 hnn_gerd
Re: NewBB v 5.1.0 b 6

3/7 12:07 Mamba
Re: NewBB v 5.1.0 b 6

2/23 2:57 Mamba
NewBB v 5.1.0 b 6

2/17 18:57 spierrard
Re: XOOPS 2.5.11 search user is not working

2/14 13:11 Mamba
Re: oledrion

2/14 11:29 Mamba
Re: oledrion

2/13 15:22 oswaldo
Re: oledrion

2/12 19:20 Mamba
Re: oledrion

2/12 16:02 oswaldo

Who's Online

162 user(s) are online (94 user(s) are browsing Support Forums)

Members: 0

Guests: 162

Donat-O-Meter

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

{{ record.commit.author.name }} {{ record.commit.author.date | formatDate }}