Bug #28681 session-hijacking
Submitted: 2004-06-07 20:45 UTC Modified: 2004-07-14 02:35 UTC
From: s dot lemke at infoworxx dot de Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.7 OS: Linux 2.4.18
Private report: No CVE-ID: None
 [2004-06-07 20:45 UTC] s dot lemke at infoworxx dot de
Description:
------------
Hi !

I have a "phenomenon" which is so fantastic that I cannot believe it.
General setup:
one Domain using sessions (with name "abcsession") running under "www.abconline.de"
another domain for testing (also with name "abcsession") running under "dev.abconline.de"

Under some circumstances, stored session data is changed and I can find data in $_SESSION which I have never stored. An important fact seems to be that both domains have the same top-level domain on the same machine (physically two different systems - one for development and testing) - another important fact is a not-found image.

It is definitely a PHP problem.
Here is a test URL: http://dev.abconline.de/test/start.php4
After every refresh the session var changes!! (try it :-)
And if I type the contents of the file in which the session data is stored (/tmp/sess_xxxxx), there are variables I have never stored.

I have documented more info in the sample scripts.

I know it sounds really fantastic - after a few years of PHP development I have never seen anything like this....

Regards,
Sebastian





Reproduce code:
---------------
---- start.php4 ----
<?php
// full open tag so the script also runs with short_open_tag=Off
session_name('abcsession');
session_start();
// the only value this page is meant to store
$_SESSION['s_valid_register'] = 642536304;
?>
<HTML>
<HEAD>
<META HTTP-EQUIV="refresh" content="0;URL=second.php4">
<TITLE></TITLE>
</HEAD>
<BODY>
redirect to next page!
</BODY>
</HTML>

---- second.php4 ----
<?php
session_name('abcsession');
session_start();

echo "Session: " . $_SESSION['s_valid_register'] . "<BR>";

// this image does not exist on the server; the missing file is what triggers the behaviour
echo '<img src="not-found-image.gif">';
echo "<BR>";
echo "session-id: " . session_id() . "<BR>";
?>
<BR>
now refresh (F5) and see what's happening with the session var!!!<BR><BR>
I took a look into my session file - there were a lot more vars in there<BR>
I cannot explain where the vars come from...!? - look at the session file<BR><BR>
[....]
Session-Data:<BR>
<?php
// dump everything currently in the session (foreach instead of the removed each())
foreach ($_SESSION as $key => $value) {
        echo $key . "=" . $value . "<BR>";
}
?>




Expected result:
----------------
The session var 's_valid_register' must have the same value after every refresh. Only one var (s_valid_register) should be stored in the session data file (/tmp/sess_xxx), but it is not the only one!

Actual result:
--------------
After every refresh the value changes. Hijacked data in the session.


 [2004-06-09 16:19 UTC] iliaa@php.net
Do you set a domain for the cookie used to store the 
sessions? 
 [2004-06-09 16:30 UTC] s dot lemke at infoworxx dot de
You mean 
session.cookie_domain
in PHP.ini ?

No, it is the default value:
session.cookie_domain=

Cheers,
Sebastian
 [2004-06-09 16:36 UTC] iliaa@php.net
Yes, but also please check if you have the  
session_set_cookie_params() calls to set the domain name. 
 [2004-06-09 17:01 UTC] s dot lemke at infoworxx dot de
OK, up to now I had not set it.

I have just tried it; I have added session_set_cookie_params(time()+60*60*24*30, "/", $_SERVER['SERVER_NAME']);
before session_name in both scripts. The behaviour is the same. The $_SERVER['SERVER_NAME'] variable holds "dev.abconline.de".

Cheers
Sebastian
 [2004-06-09 17:07 UTC] iliaa@php.net
Can this behavior be duplicated in a specific browser or
any browser? It is possible that, since the domain name is the
same, a bug in the browser allows the cookies to be shared
between the sub-domains.
 [2004-06-09 17:27 UTC] s dot lemke at infoworxx dot de
Hi !

I have tried Internet Explorer 6.0 (win), Netscape 7.1 (win), Opera 7.22 (win), Safari (mac), Internet Explorer Mac 5.2 (mac) - the error is the same ! 

Keep in mind, that if the image file "not-found-image.gif" exists on the server everything is fine ! So if I try lynx it works !

Cheers
 [2004-06-29 11:24 UTC] php at alterego dot dp dot ua
It definitely has something to do with ErrorDocument redirection. That 'not-found-image' turns out to be actually a '302 Found' with a redirection to a page using the same PHP session_name. The browser gets all the 'image' content, the session gets modified, but that content is not actually an image, so the browser can't render it. Again, that's why everything is OK when the picture is in its place.

That's the point. Details are for you to find.

Everybody should always remember that s/he is dealing with the server in the first place, and only then do things come to PHP. Nothing fantastic, has nothing to do with PHP itself, definitely a bogus bug report.
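One way to check a server for the condition described in the comment above, as an added example that is not part of the bug report or of PHP itself: feed the response headers for a deliberately nonexistent URL (as printed by `curl -sI`) to a small POSIX sh helper that tells a real 404 apart from an ErrorDocument redirect, and flag redirect targets that are PHP scripts, since the browser fetches those with the site's cookies and the script then runs inside the visitor's session. The sample headers below are constructed from the thread, not captured from the reporter's server; the hostname and file names are the ones in the report.

```shell
#!/bin/sh
# Added example, not part of the original report. Classifies the response a
# server gives for a resource that should not exist. In the report, Apache
# answered the missing image with "302 Found" and a Location pointing at a
# PHP page that calls session_start(); the browser followed it with the
# "abcsession" cookie, so that page ran inside the user's session and
# overwrote it. Input: raw response headers, e.g. from `curl -sI URL`.
# Output (one line): "ok: real 404", "redirect: <Location>" or "unexpected: ...".
classify_missing_resource_response() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')   # accept CRLF from real responses
    status=$(printf '%s\n' "$headers" \
        | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$headers" \
        | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)
    case "$status" in
        404) echo "ok: real 404" ;;
        3??)
            if [ -n "$location" ]; then
                echo "redirect: $location"
            else
                echo "unexpected: $status without Location"
            fi ;;
        *)   echo "unexpected: $status" ;;
    esac
}

# True when the redirect target is server-side PHP. A browser fetches such a
# target with the site's cookies attached, so the script sees the same session
# as a normal page view; every <img src> to a broken path becomes a page visit.
redirect_target_runs_php() {
    path=${1%%\?*}     # drop any query string before looking at the extension
    case "$path" in
        *.php|*.php[345]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Constructed sample headers (not captured): what the reporter's server
# presumably sent for the missing not-found-image.gif, and what a correctly
# configured server sends for the same request.
SAMPLE_BROKEN='HTTP/1.1 302 Found
Server: Apache
Location: http://dev.abconline.de/test/start.php4
Content-Type: text/html'

SAMPLE_FIXED='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html'

for sample in "$SAMPLE_BROKEN" "$SAMPLE_FIXED"; do
    verdict=$(classify_missing_resource_response "$sample")
    echo "$verdict"
    target=${verdict#"redirect: "}
    if [ "$target" != "$verdict" ] && redirect_target_runs_php "$target"; then
        echo "  -> missing resources execute $target with the visitor's session cookie"
    fi
done
```

Against a live host the check is `classify_missing_resource_response "$(curl -sI "http://dev.abconline.de/test/not-found-image.gif")"`. The underlying Apache behaviour is documented: an `ErrorDocument 404` that names an absolute URL makes Apache answer with a redirect to it, while a local path (for instance `ErrorDocument 404 /errors/404.html`) is served internally with the 404 status and no redirect. Independently of the server fix, a PHP page that writes session state merely because it was loaded should not be reachable through such a redirect, because every request the browser makes with the session cookie, including image fetches, becomes a write to that session.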
 [2004-07-06 01:24 UTC] sniper@php.net
see above

 [2004-07-13 12:34 UTC] s dot lemke at infoworxx dot de
Hi !

Yes, you are right and I am sorry :-) 

Thanks for your help.

Regards,
Sebastian
 [2004-07-14 02:35 UTC] magnus@php.net
Only real bugs that have been fixed should have the status "Closed".
 