Bug #26119 Random SESSION-ID given in URL is accepted for the session
Submitted: 2003-11-04 14:04 UTC Modified: 2003-11-07 04:43 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: glattfahrservice at web dot de Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.4 OS: Windows XP Professional
Private report: No CVE-ID: None
 [2003-11-04 14:04 UTC] glattfahrservice at web dot de
Description:
------------
Normally PHP is using some clever algorithms to provide for safe and unique SESSION-IDs. However, when a simple session-id is passed to the script in which session_start() is called, a session with the given ID is generated.

e.g.: www.test.com/index.php&PHPSESSID=blabla

should not be accepted and a new SESSION-ID should be generated for the session. BUT: this session-ID (blabla) is obviously valid and not rejected.

Functionality is not impaired, but right now a visitor is able to "choose" his own session-id. Not very safe, right?

I have disabled cookies and turned off trans-sid.

Ciao,
Dan.


 [2003-11-04 15:41 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The checks only validate the session id for special characters etc... You've come across the inherent vulnerability of URL sessions. Anyone can modify their value and, should they stumble across a valid session id of another user, become that user.
 [2003-11-05 05:22 UTC] glattfahrservice at web dot de
Of course I know about the possibilities to hijack a session.

I just wanted to point out that it SHOULD be checked if the session-ID passed to the script has been generated by the system before. If I understand it correctly, a possible attacker can just call a script 1 Million times with random session-IDs and these sessions are then automatically created in the system. There must be a way around this!

Cheers,
Dan.
 [2003-11-05 11:16 UTC] sniper@php.net
This is a feature actually. And the safe way is: Use only cookies and change the ID after login, for example.
(see http://www.php.net/session_regenerate_id )

 [2003-11-07 04:43 UTC] glattfahrservice at web dot de
session_regenerate_id() can solve the problem, that's right.

I just thought this behaviour could be achieved through some config-option or enabled by default...

Thanks, anyways!
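
Added example, not part of the bug thread and not PHP's own code: the mitigation suggested above (cookie-only IDs plus session_regenerate_id() at login) combined with the check the reporter asked for, that a client-chosen ID is never adopted. It assumes PHP 7 or later; session.use_strict_mode was added in PHP 5.5.2, after the 4.3.4 release discussed here, and the function names and the `issued_by_server` key are hypothetical.

```php
<?php
// Added example; function names and the 'issued_by_server' key are hypothetical.

function start_server_issued_session(): void
{
    // Take the session ID from the cookie only, never from the URL,
    // so index.php?PHPSESSID=blabla is ignored.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // PHP 5.5.2+: an ID that does not match an existing session is
    // rejected and replaced with a freshly generated one.
    ini_set('session.use_strict_mode', '1');

    session_start();

    // Application-level equivalent that does not depend on the ini setting:
    // a session is trusted only if this code has marked it. An ID that
    // arrived without the marker was chosen by the client, so it is replaced.
    if (empty($_SESSION['issued_by_server'])) {
        session_regenerate_id(true);   // new ID, old session data deleted
        $_SESSION = [];                // discard anything stored under the old ID
        $_SESSION['issued_by_server'] = true;
    }
}

// Call only after the application has verified the user's credentials.
function on_login_success(string $user): void
{
    // Change the ID at the privilege boundary: an ID known to anyone
    // before login does not identify the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

function current_user(): ?string
{
    // Only a marked, logged-in session yields a user name.
    if (empty($_SESSION['issued_by_server'])) {
        return null;
    }
    return $_SESSION['user'] ?? null;
}

start_server_issued_session();
```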
 
Last updated: Thu May 16 07:01:33 2024 UTC