Re: [PHP] Why is this secure?

Tue, 17 Feb 2009 00:13:19 -0800 

On Mon, 2009-02-16 at 20:23 -0500, Sean DeNigris wrote:
> lol, neither.  It was from a site I had coded.  I read an article  
> about session fixation and it seemed vulnerable based on what I read,  
> but when I tested it, it didn't seem to be and I wasn't sure why.
> What made you think that?
> 
> - Sean
> 
> On Feb 16, 2009, at 8:16 PM, Ashley Sheridan wrote:
> 
> > On Mon, 2009-02-16 at 13:49 -0500, Sean DeNigris wrote:
> >> Hi all!  The following code seems like it should be open to session
> >> fixation attacks, but is not.  Why?!
> >>
> >> This is the beginning of the private page...
> >> <?php
> >> session_start();
> >> if (!isset($_SESSION['user']))
> >> {
> >>    header("Location: http://[address of login page]? 
> >> requestedpage=[token
> >> for this page]");
> >>    exit();
> >> }
> >> ....
> >>
> >> If an attacker caused a known user to request the above page with ?
> >> PHPSESSID=1234, the session_start would then register 1234 as the
> >> current session
> >>
> >> This is from the login page...
> >> <?php
> >> if($_POST['[a posted form var]'])
> >> {
> >>    // check submitted credentials against known users
> >>    $status = authenticate(...);
> >>    // if  user/pass combination is correct
> >>    if ($status == 1)
> >>    {
> >>            // initiate a session
> >>            session_start();
> >>    
> >>            // register some session variables
> >>            $_SESSION['XXXXXX] = filter($_POST['XX']);
> >>
> >>            // redirect to protected page
> >>            header("Location: ...[requested page]);
> >>            exit();
> >>    }
> >> }
> >>
> >> When the user logged in above, the session_start would use the  
> >> session
> >> cookie from the first session_start above and have a validated  
> >> session
> >> with an SID known to the attacker.
> >>
> >> However, the top snippet does not cause an SID to be recorded in a
> >> cookie, but the bottom one does.  Hence, the attack is prevented, but
> >> why?
> >>
> >> Thanks, cheers!
> >>
> >> - Sean
> >>
> > Erm, is this a trick question or your homework?
> >
> >
> > Ash
> > www.ashleysheridan.co.uk
> >
> 
> 
Lol, just seemed test-like, and I couldn't spot anything glaringly
obvious.


Ash
www.ashleysheridan.co.uk


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to