Sec Bug #81722 Session Fixation in PHP Core PHPSESSID
Submitted: 2022-06-14 19:17 UTC Modified: 2022-06-20 12:47 UTC
From: aslantugay at hotmail dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 7.4.30 OS: Ubuntu
Private report: No CVE-ID: None
 [2022-06-14 19:17 UTC] aslantugay at hotmail dot com
Description:
------------
With this vulnerability you can change the target's session ID by changing it in the browser or via a MITM attack. When you send a custom PHPSESSID, PHP accepts it and you have two session IDs for the same account. This vulnerability is classified as session fixation.

Test script:
---------------
https://github.com/tugayaslan/Vulnerabilities/blob/main/PHP-Core-Session-Fixation.md

Expected result:
----------------
Some platforms make it easy to protect against Session Fixation, while others make it a lot more difficult. In most cases, simply discarding any existing session is sufficient to force the framework to issue a new sessionid cookie, with a new value.


History
 [2022-06-15 06:38 UTC] stas@php.net
-Status: Open +Status: Not a bug
 [2022-06-15 06:38 UTC] stas@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Use session.use_strict_mode

See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
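The following script is an added example, not part of the bug report, the linked test script, or PHP's own code. It reproduces the scenario the reporter describes (an attacker-chosen PHPSESSID is adopted by the server, so the attacker and the victim share one session) on the PHP CLI, and then shows the two countermeasures the thread points at: session.use_strict_mode=1, which makes PHP refuse an ID it never issued, and session_regenerate_id(true) at login, which discards whatever ID the victim arrived with the moment the session gains privileges. It assumes the default "files" save handler writing to the system temp directory, cookies disabled so no HTTP server is needed, and a constructed attacker ID (ATTACKER_ID); none of those values come from the report.

```php
<?php
// Added example (not from the bug report or PHP itself): session fixation with
// a planted PHPSESSID, and the effect of use_strict_mode and
// session_regenerate_id(true). Assumes the "files" handler in the temp dir.
declare(strict_types=1);

const ATTACKER_ID = 'attackerchosenid0000000000'; // constructed, attacker-controlled

ini_set('session.save_path', sys_get_temp_dir());
ini_set('session.use_cookies', '0');       // no Set-Cookie header on the CLI
ini_set('session.use_only_cookies', '1');  // never read an ID from GET/POST

// The victim arrives carrying the ID the attacker planted (cookie, URL or
// MITM), then authenticates. session_id() before session_start() is exactly
// what a planted PHPSESSID cookie does server-side. Returns the ID the
// authenticated session ends up under.
function victimLogsIn(string $plantedId, bool $regenerateOnLogin): string
{
    session_id($plantedId);
    session_start();
    // ... credential check would happen here ...
    if ($regenerateOnLogin) {
        // Hardened: fresh ID, and delete the old session file so the
        // attacker's copy of the ID maps to nothing.
        session_regenerate_id(true);
    }
    $_SESSION['user'] = 'victim';
    $id = session_id();
    session_write_close();
    return $id;
}

// The attacker presents the ID they planted and reads what it now contains.
function attackerReads(string $plantedId): ?string
{
    session_id($plantedId);
    session_start();
    $user = $_SESSION['user'] ?? null;
    $id = session_id();
    session_write_close();
    if ($id !== $plantedId) {
        @unlink(sys_get_temp_dir() . '/sess_' . $id); // strict mode gave us a throwaway ID
    }
    return $user;
}

// Runs the four combinations; all session work happens here, before any
// output, because session_start()/session_regenerate_id() refuse to run once
// headers (or CLI output) have been sent.
function runScenarios(): array
{
    $results = [];
    foreach ([['strict' => false, 'regen' => false],
              ['strict' => false, 'regen' => true],
              ['strict' => true,  'regen' => false],
              ['strict' => true,  'regen' => true]] as $case) {
        ini_set('session.use_strict_mode', $case['strict'] ? '1' : '0');
        $victimId = victimLogsIn(ATTACKER_ID, $case['regen']);
        $leaked   = attackerReads(ATTACKER_ID);
        $results[] = [
            'use_strict_mode'  => $case['strict'],
            'regenerate'       => $case['regen'],
            'victim_kept_id'   => $victimId === ATTACKER_ID,
            'attacker_sees'    => $leaked,      // 'victim' means fixation succeeded
        ];
        // Remove leftovers so the next case starts from a clean state.
        @unlink(sys_get_temp_dir() . '/sess_' . ATTACKER_ID);
        @unlink(sys_get_temp_dir() . '/sess_' . $victimId);
    }
    return $results;
}

foreach (runScenarios() as $r) {
    printf("strict=%d regen=%d: victim kept planted id=%s, attacker reads user=%s\n",
        $r['use_strict_mode'], $r['regenerate'],
        $r['victim_kept_id'] ? 'yes' : 'no',
        var_export($r['attacker_sees'], true));
}
```

Only the first case (strict off, no regeneration) lets the attacker read user='victim'; that is the behaviour the report calls a PHP bug, and it is the documented default of lax session-ID handling. With session.use_strict_mode=1 the planted ID fails the handler's validate_sid check because no such session exists, so session_start() silently issues a new one and the attacker's copy never attaches to anything. Regenerating at login closes the same hole at the application layer and is worth doing even with strict mode on, since strict mode does not help when the attacker plants an ID that PHP did issue (for example one obtained from their own earlier visit).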
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 23:01:28 2024 UTC