php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26119 Random SESSION-ID given in URL is accepted for the session
Submitted: 2003-11-04 14:04 UTC Modified: 2003-11-07 04:43 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: glattfahrservice at web dot de Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.4 OS: Windows XP Professional
Private report: No CVE-ID: None
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
37 - 13 = ?
Subscribe to this entry?

 
 [2003-11-04 14:04 UTC] glattfahrservice at web dot de
Description:
------------
Normally PHP is using some clever algorithms to provide for safe and unique SESSION-IDs. However, when a simple session-id is passed to the script in which session_start() is called, a session with the given ID is generated.

e.g.: www.test.com/index.php&PHPSESSID=blabla

should not be accepted and a new SESSION-ID should be generated for the session. BUT: this session-ID (blabla) is obviously valid and not rejected.

Functionality is not impaired, but right now a visitor is able to "choose" his own session-id. Not very safe, right?

I have disabled cookies and turned off trans-sid.

Ciao,
Dan.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-11-04 15:41 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The checks only validate the session id for special characters etc... You've come across the inherit vulnerability of URL session. Anyone can modify their value and should they stumble across a valid session id of another user become that user.
 [2003-11-05 05:22 UTC] glattfahrservice at web dot de
Of course I know about the possibilities to hijack a session.

I just wanted to point out that it SHOULD be checked if the session-ID passed to the script has been generated by the system before. If I understand it correctly, a possible attacker can just call a script 1 Million times with random session-IDs and these sessions are then automatically created in the system. There must be a way around this!

Cheers,
Dan.
 [2003-11-05 11:16 UTC] sniper@php.net
This is a feature actually. And the safe way is: Use only cookies and change the ID after login, for example.
(see http://www.php.net/session_regenerade_id )

 [2003-11-07 04:43 UTC] glattfahrservice at web dot de
session_regenerate_id() can solve the problem, that's right.

I just thought this behaviour could be achieved through some config-option or enabled by default...

Thanks, anyways!
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC