Bug #24781 Security lapse due to flaw in session.use_only_cookies
Submitted: 2003-07-23 19:20 UTC Modified: 2003-07-24 13:07 UTC
From: spagmoid at yahoo dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.2 OS: All
Private report: No CVE-ID: None
 [2003-07-23 19:20 UTC] spagmoid at yahoo dot com
Description:
------------
Our SIDs have been leaking out today and becoming shared between 5+ users at once, causing massive corruption.

Our theory is that session.use_only_cookies does not always work. It sometimes allows the SID to propagate in the URL when cookies are disabled (noticed in Netscape, not IE, for some reason).
 [2003-07-24 10:12 UTC] spagmoid at yahoo dot com
Sorry, there's no way I can subject our site to this risk again.  I just thought I would notify about this problem.

I believe what happened was that proxy servers started caching pages that had SIDs in the links. This caused users to start pouring in with identical SIDs (different on each proxy, we surmise). It only happened to AOL users. It took 12 hours of hell just to figure out what was going on. Maybe a note in the session section of the manual that this can happen would help.
 [2003-07-24 10:15 UTC] spagmoid at yahoo dot com
Note: It also only happens right when sessions are first created, that way the page currently being viewed has no SID, but all the links in it do contain the SID.  Tricky and evil.
 [2003-07-24 13:07 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

The error you are seeing is likely the result of multiple AOL users, usually using the same browser, accessing the site via AOL's proxy, which cached the session ids. Because AOL's IPs are not static and may come through a proxy, users may also have the same IP. This makes it nearly impossible to distinguish between users.
I've encountered this problem (particular to users of large ISPs like AOL) with other non-PHP based session mechanisms as well. The solution is to keep the session expiry times short and send headers indicating to the proxies/caches that the pages are not to be cached.
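The mitigations described in this thread (cookie-only SIDs, short expiry, no-cache headers for proxies) as one session bootstrap. This is an added example, not code from the report or from PHP itself; the 300-second lifetime is an illustrative value and `boot_session` is a hypothetical helper name.

```php
<?php
// Added example (not from the bug report or PHP's own code): a session bootstrap
// applying the mitigations discussed in this thread. Assumes PHP >= 5.5.2 for
// session.use_strict_mode; the 300-second lifetime is an illustrative choice.

function boot_session(int $lifetime_seconds = 300): void
{
    // Accept the SID only from a cookie and never rewrite it into URLs, so a
    // page cached by a shared proxy cannot carry a reusable SID in its links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Reject session ids the server did not issue; this stops an unknown id
    // arriving from a client from being adopted as a new session.
    ini_set('session.use_strict_mode', '1');

    // Keep expiry short, as the developer's reply recommends, so a SID that
    // does leak stops working soon afterwards.
    ini_set('session.gc_maxlifetime', (string) $lifetime_seconds);
    ini_set('session.cookie_lifetime', (string) $lifetime_seconds);
    ini_set('session.cookie_httponly', '1');

    // 'nocache' makes PHP emit Cache-Control: no-store, no-cache, must-revalidate
    // plus Pragma: no-cache and an Expires header in the past, telling proxies
    // and browsers not to cache pages that belong to a session.
    session_cache_limiter('nocache');

    session_start();

    // Detection: a SID in the query string means someone followed a link that
    // carried a session id (the reporter's symptom). PHP ignores it under
    // use_only_cookies, but logging it surfaces the leak early.
    $name = session_name();
    if (isset($_GET[$name])) {
        error_log(sprintf(
            'SID received in URL from %s; check for cached pages containing links with %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $name
        ));
    }

    // Note: when building links, never append the SID constant or
    // session_id() to URLs; the cookie is the only legitimate carrier here.
}

boot_session();
```

Call `boot_session()` before any output is sent, since both the session cookie and the cache-limiter headers must precede the response body.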
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 30 07:01:28 2024 UTC