Bug #8184 session security bug(?)
Submitted: 2000-12-09 12:34 UTC Modified: 2001-01-30 04:17 UTC
From: zeles at freemail dot hu Assigned:
Status: Closed Package: Session related
PHP Version: 4.0.3pl1 OS: Slackware 7.0
Private report: No CVE-ID: None
 [2000-12-09 12:34 UTC] zeles at freemail dot hu
Hi!

A part of my php.ini looks like this:
session.gc_probability    = 100
session.gc_maxlifetime    = 0
session.cache_limiter     = nocache
session.use_cookies       = 0
session.auto_start        = 0 
session.use_trans_sid     = 1
session.cookie_lifetime   = 0

The situation:
the client cuts the URL of the actual page to the clipboard (the URL contains the session-id) and closes the browser.
The session file becomes garbage and it will be collected at the next session call - I thought. 
However, when the client opens the browser and pastes the URL into the address line - and there isn't any other session call from another client - PHP lets him in.
If the URL does not contain the session-id everything works fine: the garbage collector collects all of the garbage.

Summary: if the session_start() gets session-id by GET parameter or by a cookie, it doesn't check whether the session file is garbage or not.

I think it's a minor security bug.

Thanks
Zoltan Eles
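
Added example (not part of the original report and not PHP's own code): session garbage collection only deletes stale files when it happens to run, so an application that needs a hard idle limit can record the time of last use in the session and check it on every request. The names IDLE_LIMIT, last_seen, session_is_fresh() and start_checked_session() are hypothetical, and the 900-second limit is an assumed value.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 900; // assumed idle limit in seconds

/**
 * True if a session last used at $lastSeen is still valid at $now.
 * A missing or non-integer timestamp counts as expired, so a stale
 * session file is never trusted just because it still exists on disk.
 */
function session_is_fresh($lastSeen, int $now, int $limit = IDLE_LIMIT): bool
{
    return is_int($lastSeen) && $lastSeen <= $now && ($now - $lastSeen) <= $limit;
}

/**
 * Start the session and enforce the idle limit on every request,
 * independent of when the garbage collector last ran.
 */
function start_checked_session(): void
{
    session_start();
    $now = time();
    $isNew = empty($_SESSION); // no stored data: nothing to expire
    if (!$isNew && !session_is_fresh($_SESSION['last_seen'] ?? null, $now)) {
        // A stale id was presented (pasted URL, old cookie):
        // drop the data, delete the session file, and issue a new id.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

// Command-line check of the expiry rule with constructed timestamps.
if (PHP_SAPI === 'cli') {
    $now = 1000000;                                   // constructed "current" time
    var_dump(session_is_fresh($now - 60, $now));      // used one minute ago
    var_dump(session_is_fresh($now - 3600, $now));    // used one hour ago
    var_dump(session_is_fresh(null, $now));           // no timestamp stored
}
```

In a web application, call start_checked_session() in place of session_start() before any output is sent.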

 [2000-12-11 05:29 UTC] stas@php.net
I don't understand something here. Do you really want the
session to be destroyed on each page call? What's the point
in such a "session" anyway then? Could you please explain?
 [2001-01-30 04:17 UTC] sniper@php.net
No feedback.

--Jani
 