1
phppp
watch out your PHPSESSID
  • 2005/7/28 11:18

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


STRONGLY suggest you, who has PHPSESSID enabled, to tur off "session.use_trans_sid"!

I have a referrer tracking module installed and I could easily get a complete admin right of your site with your sessionid

2
Herko
Re: watch out your PHPSESSID
  • 2005/7/28 11:32

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


Can you explain a bit about how to protect a php session ID, and when this occurs?

Thanks

Herko

3
JamesSAEP
Re: watch out your PHPSESSID
  • 2005/8/19 22:16

  • JamesSAEP

  • Just can't stay away

  • Posts: 732

  • Since: 2005/2/28


Quote:

phppp wrote:
STRONGLY suggest you, who has PHPSESSID enabled, to tur off "session.use_trans_sid"!


How do I turn this off?

I have a user on one of my site (2.0.13a) that says when she logs in she is always redirected to "http://www.webdiscourse.com/?PHPSESSID=..."

Is this a different problem?

4
macmend
Re: watch out your PHPSESSID
  • 2005/9/1 12:20

  • macmend

  • Quite a regular

  • Posts: 285

  • Since: 2004/2/27


I'd like to know about this too
Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

5
phppp
Re: watch out your PHPSESSID
  • 2005/9/1 12:30

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


"PHPSESSID" is kind of complex, could be caused by server side or by client side.

There is no perfect solution but I would suggest an extra security check (combining other related concerns) for entering admin area in XOOPS next version.

6
macmend
Re: watch out your PHPSESSID
  • 2005/9/1 12:33

  • macmend

  • Quite a regular

  • Posts: 285

  • Since: 2004/2/27


I have put this in the htaaccess file for http://www.jonathanspencer.net

php_flag session.use_trans_sid off

do you think that will that work

Google on the last flyby went through everything 300 times, which suggests aproblem on site with session ids. which is why I asked
Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

7
m0nty
Re: watch out your PHPSESSID
  • 2005/9/1 13:17

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


it should work :)

another measure to take aswell as the above. is to enable session_use_only_cookies in php.ini or via htaccess

session_use_only_cookies = 1

8
m0nty
Re: watch out your PHPSESSID
  • 2005/9/1 13:21

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


@DJ

i found this nice article that may or may not be of use for improving security too.

* DESCRIPTION:
* ------------------------------------------------------------------------
* This library tells the PHP4 session handler to write to a MySQL database
* instead of creating individual files for each session.
* In fact it is quite secure as it can do a check against ip. This avoid
* hacking of the cookie containing session_id by its intercept and use
* on an other computer. It retrives firewall ip and client ip too.
* It also has default value to override session.use_trans_sid so it disabale
* use it as it is not secure at all.


u can find the script here

9
macmend
Re: watch out your PHPSESSID
  • 2005/9/1 13:57

  • macmend

  • Quite a regular

  • Posts: 285

  • Since: 2004/2/27


it seems better the cookie line creates a 500 error, so i am unable to use it in htaaccess, I will take a look at the script
Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

10
Dave_L
Re: watch out your PHPSESSID
  • 2005/9/1 14:00

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


In .htaccess, it would be:

php_flag session.use_only_cookies on

Login

Who's Online

291 user(s) are online (213 user(s) are browsing Support Forums)


Members: 0


Guests: 291


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits