php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #25084 session.referer_check is ignored by session_start() function
Submitted: 2003-08-13 18:42 UTC Modified: 2003-08-13 20:30 UTC
From: mrmax063 at maxempire dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4CVS-2003-08-13 (stable) OS: Windows XP
Private report: No CVE-ID:
 [2003-08-13 18:42 UTC] mrmax063 at maxempire dot com
Description:
------------
Hi!

I've recently discovered that session_start() function ignores session.referer_check settings. And to be sure, I even downloaded the latest release in the 4CVS series, but the problem remains.

For example, if domain name where script is located is "example.com", the session.referer_check should be set to "example.com". Now, according to documentation, if someone tries to access the script from another domain with valid session id embedded in the URL (i.e. by following <A> link whose HREF parameter points to http://example.com/session.php?PHPSESSID=sessionid...), PHP should reset session id to another value. But, instead of this, session id that's specified in the URL is accepted (even though HTTP_REFERER field contains address of another domain).

Reproduce code:
---------------
<?php

ini_set('session.referer_check', 'example.com');

session_start();

if (!isset($_SESSION['count']))
{
    $_SESSION['count'] = 0;
}
else
{
    $_SESSION['count']++;
}

print('Counter: ' . $_SESSION['count'] . '<BR>');
print('Add this code to a page on *another* domain: &lt;A HREF="http://example.com/session.php?PHPSESSID=' . session_id() . '">HIJACK!&lt;/A><BR>');
print('HTTP_REFERER: ' . getenv('HTTP_REFERER'));

?>

Expected result:
----------------
When above script is accessed from another domain via <A> HTML tag and session id is specified in the URL ("session.php?PHPSESSID=sessionid..."), session_start() function should reset session id to another value, since HTTP_REFERER contains address of another domain.

Actual result:
--------------
session_start() function accepts session id that's specified in the URL, even though HTTP_REFERER contains address of another domain.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-08-13 18:47 UTC] mrmax063 at maxempire dot com
I forgot to mention that I'm running PHP as server module under Apache 2.0.47 on Windows XP.
 [2003-08-13 20:02 UTC] iliaa@php.net
Are you register_globals on or off?
 [2003-08-13 20:30 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 21:01:55 2014 UTC