Request #66947 Session fixation with use_strict_mode on custom save handlers
Submitted: 2014-03-24 15:52 UTC Modified: 2015-05-24 06:19 UTC
Votes:3
Avg. Score:3.7 ± 0.9
Reproduced:0 of 0 (0.0%)
From: ondrej dot machulda at gmail dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.5.10 OS:
Private report: No CVE-ID: None
 [2014-03-24 15:52 UTC] ondrej dot machulda at gmail dot com
Description:
------------
PHP 5.5.2 introduced the session.use_strict_mode setting, which, if enabled, rejects uninitialized session IDs provided by the client and regenerates the SID with a new one. This protects users from one kind of session fixation attack, see CVE-2011-4718.

The manual states:
session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled). 

However, the strict mode is only implemented in mod_files (https://github.com/php/php-src/search?q=use_strict_mode&type=Code), thus using any custom session save handler (e.g. memcache, redis, database...) will leave this vulnerability exploitable.

I see two problems there: 
1) The configuration option may confuse you into thinking you are protected (no matter which session save handler you use), which is apparently not true.
2) IMHO the strict mode could be done handler-agnostic, for example modifying SessionHandlerInterface to require validate() method or something.


History

 [2014-03-24 18:34 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request
 [2014-03-24 18:34 UTC] stas@php.net
I would think this is for save handler authors to implement the necessary code to support use_strict_mode. If you have an idea how to improve the functionality, you're welcome to submit a pull/RFC, however I do not think that if some custom handler does not implement this capability this implies a security bug in PHP.
 [2014-03-24 22:10 UTC] ondrej dot machulda at gmail dot com
To be accurate, I missed the mm handler, which also includes the strict mode check. But not the user handler.

So the point is still there - you could enable the setting and assume you are protected (because it is written in the manual). But if you use a custom session save handler, you are in fact not at all. And this is not really obvious - a session *save* handler should by definition be just an adapter containing the logic for saving and reading the session, but care about spoofed SIDs should IMO be implemented at a lower level.

I'll try to send a PR to update the manual at least. But for me, this is still a bug, not expected behavior.
 [2014-03-24 22:33 UTC] ondrej dot machulda at gmail dot com
Related documentation bug:
https://bugs.php.net/bug.php?id=66951
 [2014-07-06 01:58 UTC] yohgaki@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: yohgaki
 [2014-07-06 01:58 UTC] yohgaki@php.net
As Stas mentioned, users must implement their own strict session, since there is no validate_id() API in userland.

My new patch addresses this issue, but it's not merged yet.
 [2015-05-24 06:19 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2015-05-24 06:19 UTC] yohgaki@php.net
PS_VALIDATE_SID() is implemented in 7.0.
Save handler authors must support PS_VALIDATE_SID() to enable strict mode.
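What "supporting PS_VALIDATE_SID()" looks like from userland, as an added example that is not code from this report or from php-src: a custom save handler that also implements SessionUpdateTimestampHandlerInterface (the PHP 7.0+ interface exposing validateId(), an assumption from my own knowledge, not named on this page) so that use_strict_mode actually rejects unknown IDs. It assumes PHP 8.0+ syntax and a flat-file backend under a temp directory; a redis/memcache/DB handler needs the same validateId() lookup against its own storage.

```php
<?php
// Added example, not code from this bug report: a custom save handler that
// supports session.use_strict_mode on PHP 7.0+ by implementing validateId(),
// the userland side of the PS_VALIDATE_SID() hook from the last comment.
// Flat-file storage here; a redis/memcache/DB handler needs the same check.
final class StrictFileHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private string $dir) {}

    // Shape check: refuse anything that is not a plausible session ID before
    // it reaches the filesystem (or, in another backend, a query).
    private function wellFormed(string $id): bool
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
    }
    private function path(string $id): string { return $this->dir . '/sess_' . $id; }

    // Strict-mode hook: returning false for an ID this backend never issued
    // makes PHP discard the client-supplied ID and generate a fresh one, which
    // is what closes the session-adoption fixation this report is about.
    public function validateId(string $id): bool
    {
        return $this->wellFormed($id) && is_file($this->path($id));
    }
    public function updateTimestamp(string $id, string $data): bool { return $this->validateId($id) && touch($this->path($id)); }
    public function open(string $path, string $name): bool { return is_dir($this->dir) || mkdir($this->dir, 0700, true); }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        // A freshly generated ID has no file yet: an empty session, not an error.
        return $this->validateId($id) ? (string) file_get_contents($this->path($id)) : '';
    }
    public function write(string $id, string $data): bool
    {
        return $this->wellFormed($id) && file_put_contents($this->path($id), $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool { return !$this->validateId($id) || unlink($this->path($id)); }
    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) { $n++; }
        }
        return $n;
    }
}
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new StrictFileHandler(sys_get_temp_dir() . '/strict_sess'), true);
session_start();
```

With a handler that lacks validateId(), PHP has nothing to ask and adopts whatever PHPSESSID the client sends, which is exactly the gap the report describes; with it, a request carrying an ID that has no backing file gets a newly generated ID instead.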
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Dec 05 04:05:52 2022 UTC