1
peterr
Is session ID a problem ?
  • 2006/3/8 4:43

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Hi,

There was a security problem with osCommerce, if two users had the same session ID, so I'm wondering if that may be one area that the XOOPS core team look at, considering what happened recently.

The scenario in osCommerce would go like this. Robots would crawl a website and of course create a session ID, and the search results from a website would then show up in a number of search engines, with the session ID appended to the URL/URI. Now, what happens with osCommerce (they may have it fixed now, I don't know), is that potentially, two users can click on that url and have the same session ID. Then if one logs in, the other person can view the account details. It went something like that anyway.

Now, back to XOOPS, I see some search engines are doing this

Quote:

"GET /?PHPSESSID=e6833b4e641517ac18ef76215b69a94a HTTP/1.0"


and it then turns up in the search results for the website.

Is there a similar potential 'risk' with XOOPS, for two users to have the same session ID ??

I'm just thinking of constructive ways to tighten possible 'leaks'. :)

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition

2
m0nty
Re: Is session ID a problem ?
  • 2006/3/8 4:55

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


yup.. old news but still crops up every now n then..

use cookies, and disable trans_sid in php.ini or htaccess etc, and that solves that problem somewhat..

plenty of topics on XOOPS about it if you enter phpsessionid into the search block.

3
peterr
Re: Is session ID a problem ?
  • 2006/3/8 5:46

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


I added this in .htaccess

php_flag session.use_trans_sid off


and the cookies were already set to 'on', here are the values from phpinfo()

Quote:

Directive                  Local Value   Master Value

session.use_cookies        On            On
session.use_only_cookies   Off           Off
session.use_trans_sid      Off           On


I can still do this ....

http://www.example.com/modules/wflinks/newlist.php?PHPSESSID=ae13f0f2d33dc138573157d429e15782

OR ...........

http://www.example.com/modules/xhld0/index.php?PHPSESSID=ae13f0f2d33dc138573157d429e15782

The first URL example is what is in the search engine results, so no doubt I will just have to wait until they do another crawl. From the web server logs, there are several URLs that are causing the session ID to be appended, I just tried one, and now the session ID is not there. So, I'll test all the others, and just wait until the next crawls _and_ updates by these search engines.

The XOOPS admin/preferences main/general settings has:

use custom session - No

Thanks,

P

4
macmend
Re: Is session ID a problem ?
  • 2006/3/14 17:21

  • macmend

  • Quite a regular

  • Posts: 285

  • Since: 2004/2/27


In sorting out the terrible mess I have got in with my server, I find I am not allowed to use php flag entries in .htaccess as they bring 500 errors... Is this a problem? Is there a way round it? It seems some PHP security on the host server now prohibits this??

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

5
peterr
Re: Is session ID a problem ?
  • 2006/3/14 22:23

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


I _think_ if the server config doesn't let you add the php flag/values in .htaccess, then what you can do, is to have your own PHP.INI

The best thing to do is ask your hosting company. From memory, that is what I had to do on another server, and found the best way to start was to copy the 'full' PHP.INI file into your site, and then make the changes.

P

6
peterr
Re: Is session ID a problem ?
  • 2006/3/15 0:18

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Despite the changes I've made, bots are still hitting the site with a GET like ...

Quote:

/index.php?PHPSESSID=0a9ba8ebd120481dd1c4e8f5c00fe710


Looks like the only way to really fix it is a mod_rewrite, to strip the session ID from the URL. At present, even with the changes advised, the PHPSESSID is turning up in search engines.

P
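An added example, not part of any post in this thread: a small Python audit of an Apache access log for the pattern discussed above. It lists each PHPSESSID that arrived in a URL, flags IDs presented by more than one client address, and gives the URL with the parameter removed. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in Apache combined log format (not from the thread's server).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2006:00:10:01 +0000] "GET /index.php?PHPSESSID=0a9ba8ebd120481dd1c4e8f5c00fe710 HTTP/1.0" 200 5120 "-" "ExampleBot/1.0"
198.51.100.7 - - [15/Mar/2006:00:12:44 +0000] "GET /index.php?PHPSESSID=0a9ba8ebd120481dd1c4e8f5c00fe710 HTTP/1.1" 200 5120 "http://search.example/?q=xoops" "Mozilla/5.0"
203.0.113.5 - - [15/Mar/2006:00:13:02 +0000] "GET /modules/wflinks/newlist.php?cid=3&PHPSESSID=ae13f0f2d33dc138573157d429e15782 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Mar/2006:00:13:09 +0000] "GET /modules/news/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client address and request target from one combined-format log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*"')


def strip_session_id(target, name="PHPSESSID"):
    """Return (target without the session parameter, session ID or None)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sid = next((v for k, v in pairs if k == name), None)
    kept = [(k, v) for k, v in pairs if k != name]
    return urlunsplit(parts._replace(query=urlencode(kept))), sid


def audit(log_text):
    """Map each session ID seen in a URL to the clients and clean URLs involved."""
    seen = defaultdict(lambda: {"clients": set(), "urls": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        clean, sid = strip_session_id(m.group(2))
        if sid:
            seen[sid]["clients"].add(m.group(1))
            seen[sid]["urls"].add(clean)
    return dict(seen)


def shared_ids(report):
    """Session IDs presented by more than one client: the risk raised in the first post."""
    return sorted(sid for sid, r in report.items() if len(r["clients"]) > 1)


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for sid, r in sorted(report.items()):
        flag = "SHARED" if sid in shared_ids(report) else "single"
        print(flag, sid, sorted(r["clients"]), sorted(r["urls"]))
```

While `session.use_only_cookies` is Off, as in the phpinfo() output quoted in post 3, PHP still accepts a session ID supplied in the URL, so requests like these keep working even with `session.use_trans_sid` off.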
