ID:               26119
Updated by:       [EMAIL PROTECTED]
Reported By:      glattfahrservice at web dot de
Status:           Bogus
Bug Type:         Session related
Operating System: Windows XP Professional
PHP Version:      4.3.4
New Comment:

This is a feature actually. And the safe way is: Use only cookies and
change the ID after login, for example.
(see http://www.php.net/session_regenerade_id )

Previous Comments:
------------------------------------------------------------------------

[2003-11-05 05:22:28] glattfahrservice at web dot de

Of course I know about the possibilities to hijack a session. I just
wanted to point out that it SHOULD be checked if the session-ID passed
to the script has been generated by the system before.

If I understand it correctly, a possible attacker can just call a
script 1 million times with random session-IDs and these sessions are
then automatically created in the system. There must be a way around
this!

Cheers, Dan.

------------------------------------------------------------------------

[2003-11-04 15:41:41] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The checks only validate the session id for special characters etc...
You've come across the inherent vulnerability of URL session. Anyone can
modify their value and, should they stumble across a valid session id of
another user, become that user.

------------------------------------------------------------------------

[2003-11-04 14:04:24] glattfahrservice at web dot de

Description:
------------
Normally PHP is using some clever algorithms to provide for safe and
unique SESSION-IDs. However, when a simple session-id is passed to the
script in which session_start() is called, a session with the given ID
is generated.

e.g.: www.test.com/index.php&PHPSESSID=blabla should not be accepted and
a new SESSION-ID should be generated for the session.
BUT: this session-ID (blabla) is obviously valid and not rejected.

Functionality is not impaired, but right now a visitor is able to
"choose" his own session-id. Not very safe, right?

I have disabled cookies and turned off trans-sid.

Ciao, Dan.

------------------------------------------------------------------------
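
The advice in the maintainer's reply (cookie-only sessions, a new ID after login), as an added example that is not part of the original thread or PHP's own code. It assumes PHP 7.1 or later, where `session.use_strict_mode` (added in PHP 5.5.2, so absent from the 4.3.4 discussed here) also rejects IDs the server never issued; the helper names and the sample credential store are constructed for illustration.

```php
<?php
// Hypothetical helpers for this example: start_hardened_session(),
// login_user(), current_user(). They are not PHP built-ins.

function start_hardened_session(): void
{
    // Take the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs that the session handler did not create itself; a request
    // carrying PHPSESSID=blabla gets a fresh server-generated ID instead.
    ini_set('session.use_strict_mode', '1');
    // Keep the session cookie out of reach of page scripts.
    ini_set('session.cookie_httponly', '1');
    session_start();
}

function login_user(string $userId): void
{
    // Replace the pre-login ID and delete the old session data, so an ID
    // known before authentication never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

function current_user(): ?string
{
    return $_SESSION['user_id'] ?? null;
}

// Constructed credential store, for the example only.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

start_hardened_session();

$user = $_POST['user'] ?? '';
$pass = $_POST['password'] ?? '';
if ($user !== '' && isset($users[$user]) && password_verify($pass, $users[$user])) {
    login_user($user);
}

// $name is either null or a key of the constructed $users array.
$name = current_user();
echo $name === null ? "anonymous\n" : "logged in as {$name}\n";
```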