watch out your PHPSESSID [XOOPS general usage questions] - XOOPS Web Application System

XOOPS

Forum

Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk

1

watch out your PHPSESSID

2005/7/28 11:18
phppp
XOOPS Contributor
Posts: 2857
Since: 2004/1/25

STRONGLY suggest you, who has PHPSESSID enabled, to tur off "session.use_trans_sid"!

I have a referrer tracking module installed and I could easily get a complete admin right of your site with your sessionid

2

Re: watch out your PHPSESSID

2005/7/28 11:32
Herko
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1

Can you explain a bit about how to protect a php session ID, and when this occurs?

Thanks

Herko

3

Re: watch out your PHPSESSID

2005/8/19 22:16
JamesSAEP
Just can't stay away
Posts: 732
Since: 2005/2/28

Quote:

phppp wrote:
STRONGLY suggest you, who has PHPSESSID enabled, to tur off "session.use_trans_sid"!

How do I turn this off?

I have a user on one of my site (2.0.13a) that says when she logs in she is always redirected to "http://www.webdiscourse.com/?PHPSESSID=..."

Is this a different problem?

4

Re: watch out your PHPSESSID

2005/9/1 12:20
macmend
Quite a regular
Posts: 285
Since: 2004/2/27

I'd like to know about this too

Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

5

Re: watch out your PHPSESSID

2005/9/1 12:30
phppp
XOOPS Contributor
Posts: 2857
Since: 2004/1/25

"PHPSESSID" is kind of complex, could be caused by server side or by client side.

There is no perfect solution but I would suggest an extra security check (combining other related concerns) for entering admin area in XOOPS next version.

6

Re: watch out your PHPSESSID

2005/9/1 12:33
macmend
Quite a regular
Posts: 285
Since: 2004/2/27

I have put this in the htaaccess file for http://www.jonathanspencer.net

php_flag session.use_trans_sid off

do you think that will that work

Google on the last flyby went through everything 300 times, which suggests aproblem on site with session ids. which is why I asked

Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

7

Re: watch out your PHPSESSID

2005/9/1 13:17
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

it should work :)

another measure to take aswell as the above. is to enable session_use_only_cookies in php.ini or via htaccess

session_use_only_cookies = 1

8

Re: watch out your PHPSESSID

2005/9/1 13:21
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

@DJ

i found this nice article that may or may not be of use for improving security too.

* DESCRIPTION:
* ------------------------------------------------------------------------
* This library tells the PHP4 session handler to write to a MySQL database
* instead of creating individual files for each session.
* In fact it is quite secure as it can do a check against ip. This avoid
* hacking of the cookie containing session_id by its intercept and use
* on an other computer. It retrives firewall ip and client ip too.
* It also has default value to override session.use_trans_sid so it disabale
* use it as it is not secure at all.

u can find the script here

9

Re: watch out your PHPSESSID

2005/9/1 13:57
macmend
Quite a regular
Posts: 285
Since: 2004/2/27

it seems better the cookie line creates a 500 error, so i am unable to use it in htaaccess, I will take a look at the script

Free Mac Support

Ordinary Wisdom

apache server with php sshexec turned on
xoops version 2.0.18.1 & 2.3.1
php version 5.2.5
mysql version 5.0.45

10

Re: watch out your PHPSESSID

2005/9/1 14:00
Dave_L
XOOPS is my life!
Posts: 2277
Since: 2003/11/7

In .htaccess, it would be:

php_flag session.use_only_cookies on

Login

Username

Password

Remember me

Register now! | Lost Password?

Search

Advanced Search

Recent Posts

Re: Privacy

Yesterday 19:42 margoritka
Privacy

Yesterday 19:38 kalibri
XOOPS MyMenus 1.54.0 Beta 10

11/18 11:08 Mamba
Re: XOOPS MyMenus 1.54.0 Beta 7

11/18 11:06 Mamba
Re: XOOPS MyMenus 1.54.0 Beta 7

11/16 12:32 liomj
Re: XOOPS MyMenus 1.54.0 Beta 7

11/15 18:06 Mamba
Re: XOOPS MyMenus 1.54.0 Beta 7

11/15 5:33 liomj
Re: XOOPS MyMenus 1.54.0 Beta 7

11/15 5:29 liomj
Re: XOOPS MyMenus 1.54.0 Beta 7

11/15 4:39 Mamba
Re: XOOPS MyMenus 1.54.0 Beta 7

11/15 3:50 liomj

Who's Online

241 user(s) are online (190 user(s) are browsing Support Forums)

Members: 0

Guests: 241

Donat-O-Meter

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}

{{ record.commit.author.name }} {{ record.commit.author.date | formatDate }}