ID:               25084
 Updated by:       [EMAIL PROTECTED]
 Reported By:      mrmax063 at maxempire dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Session related
 Operating System: Windows XP
 PHP Version:      4CVS-2003-08-13 (stable)
 New Comment:

Are you running with register_globals on or off?


Previous Comments:
------------------------------------------------------------------------

[2003-08-13 18:47:28] mrmax063 at maxempire dot com

I forgot to mention that I'm running PHP as a server module under Apache
2.0.47 on Windows XP.

------------------------------------------------------------------------

[2003-08-13 18:42:53] mrmax063 at maxempire dot com

Description:
------------
Hi!

I've recently discovered that the session_start() function ignores
session.referer_check settings. And to be sure, I even downloaded the
latest release in the 4CVS series, but the problem remains.

For example, if the domain name where the script is located is
"example.com", session.referer_check should be set to "example.com".
Now, according to the documentation, if someone tries to access the
script from another domain with a valid session id embedded in the URL
(i.e. by following an <A> link whose HREF parameter points to
http://example.com/session.php?PHPSESSID=sessionid...), PHP should
reset the session id to another value. But instead of this, the session
id that's specified in the URL is accepted (even though the HTTP_REFERER
field contains the address of another domain).

Reproduce code:
---------------
<?php

ini_set('session.referer_check', 'example.com');

session_start();

if (!isset($_SESSION['count']))
{
    $_SESSION['count'] = 0;
}
else
{
    $_SESSION['count']++;
}

print('Counter: ' . $_SESSION['count'] . '<BR>');
print('Add this code to a page on *another* domain: &lt;A
HREF="http://example.com/session.php?PHPSESSID=' . session_id() .
'">HIJACK!&lt;/A><BR>');
print('HTTP_REFERER: ' . getenv('HTTP_REFERER'));

?>

Expected result:
----------------
When the above script is accessed from another domain via an <A> HTML
tag and the session id is specified in the URL
("session.php?PHPSESSID=sessionid..."), the session_start() function
should reset the session id to another value, since HTTP_REFERER
contains the address of another domain.

Actual result:
--------------
The session_start() function accepts the session id that's specified in
the URL, even though HTTP_REFERER contains the address of another domain.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=25084&edit=1
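
A user-land version of the check the report expects, as an added example that is not part of the bug report or of PHP's own source. The names sid_may_be_kept, start_checked_session and EXPECTED_HOST are hypothetical, the Referer samples are constructed, PHP 7.1 or later is assumed for session_create_id(), and the parsed Referer host is compared instead of the substring match the setting performs, so a host that merely contains "example.com" is not accepted.

```php
<?php
// Added example. EXPECTED_HOST, the function names and the sample Referer
// values are constructed; URL-carried ids are assumed enabled, as in the report.
const EXPECTED_HOST = 'example.com';

// True when a client-supplied session id may be kept. Follows the documented
// rule (a Referer that was sent but does not match invalidates the id), but
// compares the parsed host rather than searching for a substring.
function sid_may_be_kept(?string $referer, string $expectedHost): bool
{
    if ($referer === null || $referer === '') {
        return true;                  // no Referer sent: the rule does not apply
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;                 // unparsable Referer: treat as foreign
    }
    $host   = strtolower($host);
    $suffix = '.' . strtolower($expectedHost);
    return $host === strtolower($expectedHost)
        || substr($host, -strlen($suffix)) === $suffix;
}

// Call in place of session_start().
function start_checked_session(): void
{
    $name       = session_name();
    $sidFromUrl = isset($_GET[$name]) && !isset($_COOKIE[$name]);
    if ($sidFromUrl && !sid_may_be_kept($_SERVER['HTTP_REFERER'] ?? null, EXPECTED_HOST)) {
        // Start under a fresh id; the session behind the supplied id is untouched.
        session_id(session_create_id());
    }
    session_start();
}

// Offline check of the decision on constructed Referer values (CLI only).
if (PHP_SAPI === 'cli') {
    $samples = [
        null,
        'http://example.com/index.php',
        'http://www.example.com/a',
        'http://other.test/link.html',
        'http://example.com.other.test/',
    ];
    foreach ($samples as $r) {
        $verdict = sid_may_be_kept($r, EXPECTED_HOST) ? 'keep' : 'reset';
        printf("%-32s %s\n", $r ?? '(none)', $verdict);
    }
}
```

Setting session.use_only_cookies to 1 removes the URL-carried id path altogether, in which case the wrapper behaves like a plain session_start().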
