21
m0nty
Re: watch out your PHPSESSID
  • 2006/3/15 23:05

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


hi jen, phpsessionid is not just for xoops, it affects any script that uses php for sessions. so php can identify each user. if cookies aren't used then phpsessionid would need to be applied to every url so it can identify you.

so you make session id store info in cookies, these id's are unique to every user.. so if someone tricks you or you post a link into a page that contains this sessionid, and someone pastes it into the browser php would assume that they are you. hence they would be able to access your account..

when you physically logout that id is expired and the next time you login you are issued with a new key.

now what you want is to force php to use cookies, and if cookies are readable by the server (i.e. you have not got cookies blocked) then php reads the cookie (in this case XOOPS reads the cookie including the session id) so there is no need to actually pass the sessionid in the url itself.. so turning trans_sid off is more secure. this should stop it happening.

by forcing php to actually use only cookies, you are basically forcing the user to have to enable cookies in their browser, which is what i understand of it.. i'm no expert.

hope this helps somewhat.

22
jensclas
Re: watch out your PHPSESSID

Ok...so in my XOOPS general preference settings it says:

Name for user cookies.

This cookie contains only a user name and is saved in a user pc for a year (if the user wishes). If a user has this cookie, the username will be automatically inserted in the login box.

I left it at default

The next setting is

Use custom session

Select yes to customise session related values.

I have 'yes'

This is followed by session name and session expiration.

That being the case I am, I assume, forcing the user to use cookies and should therefore have nothing to worry about???

Thanks

23
peterr
Re: watch out your PHPSESSID
  • 2006/3/15 23:17

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Even though I have applied the recommended config changes in XOOPS, to use cookies and not sessions, and also modified .htaccess accordingly, there is, of course, still nothing to stop any visitor coming to your site with a URL that contains PHPSESSID (or any session id).

Bots/crawlers are still using the PHPSESSID in the url after the changes have been applied (and they work), the bottom line is, we can't control what users (or bots, etc.) enter into the url. Often of course they click on a link from a search engine, and that has the session id in it.

The method we used to get around this problem in another application was to use the Apache 'mod_rewrite'; I will try and find the info used and post it here.

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition

24
m0nty
Re: watch out your PHPSESSID
  • 2006/3/15 23:19

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


yep using custom session forces sessions to be handled by XOOPS instead of php itself..

i always use custom sessions..

25
peterr
Re: watch out your PHPSESSID
  • 2006/3/15 23:26

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Okay, now I'm a bit confused (which doesn't take much), if a person uses XOOPS custom sessions, is this what happens

1. The (XOOPS) session id is placed in a cookie
2. There is still no session id in the url ??

What happens if a visitor still uses a session id in the url ?

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition

26
m0nty
Re: watch out your PHPSESSID
  • 2006/3/15 23:40

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


if i understand it right, then the phpsessionid will be invalid.

27
peterr
Re: watch out your PHPSESSID
  • 2006/3/16 0:15

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

m0nty wrote:
if i understand it right, then the phpsessionid will be invalid.


It doesn't seem so ??

I have this in .htaccess

Quote:

# XOOPS security measures
php_flag session.use_trans_sid off


and was able to do this ...

http://www.example.com/index.php?PHPSESSID=f1deb7c154993521b5f459b2b792679c

and cookies were being set. Then went in admin, set 'use custom session' to 'yes', tried this again ..

http://www.example.com/index.php?PHPSESSID=f1deb7c154993521b5f459b2b792679c

the PHPSESSID remains in the url, (no message), and no cookies are set now. I guess it is a case of use cookies or use sessions, and so I'd have to change the .htaccess setting to 'on', is that correct ?

It would be good to have an (official) FAQ on this, what is recommended from the core team, mentioning security issues, etc.

edit:.. yet if I do this ..

http://www.example.com/contact

a cookie has now been set, info as follows

Quote:

Name: PHPSESSID
Content: 13089316294a394c52421f6fe1482acb
Host: www.example.com
Path: /
Send for: Any type of connection
Expires: at end of session


no session id in the url of course.

hmmm, ... so now I'm sort of understanding what m0nty said, if a user tries to put PHPSESSID in the url, cookies won't be set, in effect, the PHPSESSID will be 'invalid' (ignored)

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition

28
m0nty
Re: watch out your PHPSESSID
  • 2006/3/16 0:28

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


Quote:

I guess it is a case of use cookies or use sessions, and so I'd have to change the .htaccess setting to 'on', is that correct ?


i think you misunderstand trans_sid

trans_sid being enabled will show sid in the url.. this is not what you want, leave it disabled as it should be..

by giving your browser a phpsessionid manually you allowed it to use that session, but generally if you go to your site and trans_sid is off, you shouldn't see it.. neither should bots be able to read it either on indexed pages..
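Added example, not from the thread or from XOOPS: the trans_sid flag quoted in this thread only controls whether PHP writes the session id into links and forms, while whether PHP accepts a PHPSESSID arriving in the query string is governed by a separate setting, session.use_only_cookies. The block assumes PHP runs as an Apache module (mod_php); under CGI/FastCGI php_flag is ignored and the same keys belong in php.ini or .user.ini.

```apache
# Added example (not from the thread): PHP session settings for a
# .htaccess file under mod_php, beside the thread's own trans_sid line.
#
# Weak: on its own this only stops PHP from writing the SID into
# output links/forms. PHP will still ACCEPT a PHPSESSID handed to it
# in the query string and then set a cookie carrying that same value,
# which is consistent with what peterr observed above.
php_flag session.use_trans_sid off

# Corrected: also refuse any session id that does not arrive in a
# cookie, so a SID pasted into a URL (by a person or a crawler) is ignored.
php_flag session.use_only_cookies on

# Further hardening. use_strict_mode (PHP 5.5.2 or later) rejects
# session ids the server never issued, so an attacker cannot pick the
# id in advance; cookie_httponly keeps the cookie away from page scripts.
php_flag session.use_strict_mode on
php_flag session.cookie_httponly on
```

These settings do not remove PHPSESSID from links that search engines have already indexed; that is what the mod_rewrite rules posted later in this thread are for, and the two are complementary.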

29
peterr
Re: watch out your PHPSESSID
  • 2006/3/16 0:44

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

m0nty wrote:
trans_sid being enabled will show sid in the url.. this is not what you want, leave it disabled as it should be..


it is disabled in .htaccess, but doing so, will NOT stop a user/spider from doing this:

http://www.example.com/index.php?PHPSESSID=f1deb7c154993521b5f459b2b792679c

it will only stop the sid being shown in the url from the server side (Apache), never stop it from the client side. This should be made clear, because I see that some people are concerned about links to their site with the session id in the link.

having custom sessions set to 'yes' is one safeguard, but I have proven that if a user has _that_ setting, and a visitor has the session id in the url, then no cookie at all will be set.

Quote:

m0nty wrote:
by giving your browser a phpsessionid manually you allowed it to use that session, but generally if you goto your site and trans_sid is off, you shouldn't see it.. neither should bots be able to read it either on indexed pages..


Past experience with bots is that some reindex regularly, some do not for many months, therefore the bots that are in the latter case, do continue to use the session id, despite _all_ the possible settings in XOOPS and Apache.

This was a big security risk for a friend, so much so, that we added some mod_rewrite code so that if a bot came to the site with a GET of:

http://www.example.com/index.php?PHPSESSID=f1deb7c154993521b5f459b2b792679c

Apache mod_rewrite did a good job and the url became

http://www.example.com/index.php

even if the session id was anywhere within the url, it worked very well.

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition

30
peterr
Re: watch out your PHPSESSID
  • 2006/3/16 0:58

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Here is the Apache mod_rewrite code, the conditions/rules did have some code up the top, to _only_ "strip" the session id IF the visitor was a spider/bot, however considering XOOPS users, if they have the need to use this code, it would be for all visitors, therefore I have removed the first set of rules.

Add this to your .htaccess file, BUT PLEASE read the notes below:

# Set some options
Options FollowSymLinks
#
RewriteEngine on
RewriteBase /
#
# case: PHPSESSID sits between other parameters (leading and trailing)
# %1 = parameters before it, %2 = parameters after it
RewriteCond %{QUERY_STRING} ^(.+)&PHPSESSID=[0-9a-z]+&(.+)$ [NC]
RewriteRule (.*) $1?%1&%2 [R=301,L]
#
# case: leading-only, trailing-only or no additional parameters
# (only one of %1 / %2 is non-empty here, so they are joined without '&')
RewriteCond %{QUERY_STRING} ^(.+)&PHPSESSID=[0-9a-z]+$|^PHPSESSID=[0-9a-z]+&?(.*)$ [NC]
RewriteRule (.*) $1?%1%2 [R=301,L]


NOTES:

1. ONLY use this code if you need to, please don't just add it to your .htaccess file. You only 'need to' use it, if search engine results for your website, are showing the session id (PHPSESSID or another) in the url/link.

2. This code comes with no guarantees, has not been tested, use at your own risk.

HTH

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition
