Re: [Wikitech-l] Is the $_SESSION secure?
* Robert Leverington rob...@rhl.me.uk [Fri, 24 Sep 2010 06:57:03 +0100]:
> On 2010-09-24, Dmitriy Sintsov wrote:
> > One probably can rename it to another temporary name? Then move to final location during the next request, according to previously passed cookie?
> > Speaking of cookies, there are millions of ways of looking at them, FF's WebDeveloper extension, HTTP headers extension, Wireshark application to name just a few. Absolutely non-secure, when unencrypted.
>
> Session data is not stored in cookies, only a unique session identifier is passed to the client.

I think the question wasn't about the session data (part of which (username,id) is passed via cookies, but you're right, only a hash), but about uploading the file in a few stages.

Dmitriy
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Is the $_SESSION secure?
On 24/09/10 01:36, Neil Kandalgaonkar wrote:
> Good point, but in this case I'm just storing the path to a temporary file. The file isn't even sensitive data; it's just a user-uploaded media file for which the user has not yet selected a license, although we anticipate they will in a few minutes.

Hello Neil,

The file path might be sensitive, you do not want to potentially expose your path hierarchy. At least, I would not do it :)

About your issue, assuming the media file has been entered in the image/media database table:

- When the user is redirected to a new page upon upload, you might just pass the file ID by parameter / session.
- When the user is allowed to upload several files and then is prompted for licences, you might just look at the database for files owned by user for which licence is null.

-- Ashar Voultoiz
Re: [Wikitech-l] Is the $_SESSION secure?
Neil: Yes.

Tim Starling wrote:
> On 24/09/10 10:00, Marco Schuster wrote:
> > If it's user-uploaded, take care of garbage collection; actually, how does PHP handle it if you upload a file and then don't touch it during the script's runtime? Will it automatically be deleted after the script is finished or after a specific time?
>
> It's deleted on request shutdown.
>
> -- Tim Starling

If the file is not moved away, there's no point in storing its path in $_SESSION as it won't be available on next request (it could be used for parameter passing in globals but that's not proper style).

If the file is moved somewhere else, then you need to garbage collect it in case the upload is never finished. A find -delete from cron removing files older than a couple of days could be enough.

It would be nice to be able to attach delete handlers to memcached keys for the cases when there's something more that needs deleting (this is the same problem we also had with the temp dbs for selenium tests).
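The flow discussed in this thread (move the upload before PHP deletes it at request shutdown, keep only a reference in `$_SESSION`, and garbage-collect uploads that are never finished), as an added PHP example that is not part of the original messages or of MediaWiki's code. `STASH_DIR`, `STASH_TTL` and the three function names are hypothetical, and the stash directory is assumed to exist outside the web root.

```php
<?php
// Added illustration; STASH_DIR, STASH_TTL, stashUpload(), resolveStash()
// and collectGarbage() are hypothetical names, not MediaWiki functions.
// The caller is assumed to have called session_start() already.
const STASH_DIR = '/var/tmp/upload-stash';   // assumed: outside the web root
const STASH_TTL = 2 * 86400;                 // "a couple of days", in seconds

// Request 1: PHP deletes the upload at request shutdown, so move it first.
// $upload is one entry of $_FILES.
function stashUpload(array $upload): string {
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $key = bin2hex(random_bytes(16));        // opaque, server-generated name
    if (!move_uploaded_file($upload['tmp_name'], STASH_DIR . '/' . $key)) {
        throw new RuntimeException('could not stash upload');
    }
    $_SESSION['stash'][$key] = time();       // key only; no path leaves the server
    return $key;
}

// Request 2 (licence chosen): accept a key only if this session created it.
function resolveStash(string $key): ?string {
    if (!preg_match('/^[0-9a-f]{32}$/', $key) || !isset($_SESSION['stash'][$key])) {
        return null;
    }
    $path = STASH_DIR . '/' . $key;
    return is_file($path) ? $path : null;    // may already have been collected
}

// Cron job: remove stashed files whose upload was never finished.
function collectGarbage(int $now): int {
    $removed = 0;
    foreach (glob(STASH_DIR . '/*') ?: [] as $path) {
        if (is_file($path) && $now - filemtime($path) > STASH_TTL && unlink($path)) {
            $removed++;
        }
    }
    return $removed;
}
```

Because the client only ever holds the session ID and, at most, the random key, neither the server's path hierarchy nor another user's stashed file can be reached by editing request parameters.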
[Wikitech-l] Is the $_SESSION secure?
I have been making the assumption that in MediaWiki, the $_SESSION is hidden from the user. While applications may use the session to obtain data that's later shown to the user, there should be no way for the user to obtain the entire $_SESSION contents. So, for instance, I can hide a temporary secret there.

Is that a good assumption?

-- Neil Kandalgaonkar ( ) ne...@wikimedia.org
Re: [Wikitech-l] Is the $_SESSION secure?
2010/9/23 Neil Kandalgaonkar ne...@wikimedia.org:
> I have been making the assumption that in MediaWiki, the $_SESSION is hidden from the user. While applications may use the session to obtain data that's later shown to the user, there should be no way for the user to obtain the entire $_SESSION contents. So, for instance, I can hide a temporary secret there.
>
> Is that a good assumption?

As far as I know, yes. MediaWiki sets a session cookie with an ID that uniquely identifies the session. The session data itself is stored in some session storage (by default we let PHP handle it, on WMF we stick it in memcached, I believe). So unless there's some ridiculous vulnerability allowing people to obtain the value of arbitrary keys in $_SESSION, you should be fine AFAIK.

Roan Kattouw (Catrope)
Re: [Wikitech-l] Is the $_SESSION secure?
> As far as I know, yes. MediaWiki sets a session cookie with an ID that uniquely identifies the session. The session data itself is stored in some session storage (by default we let PHP handle it, on WMF we stick it in memcached, I believe). So unless there's some ridiculous vulnerability allowing people to obtain the value of arbitrary keys in $_SESSION, you should be fine AFAIK.

The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.

-- Ryan Lane
Re: [Wikitech-l] Is the $_SESSION secure?
In fact, I advised Aurthur not to store exactly that (credit card information) in sessions for this reason - but I also think there are few things that are as sensitive as credit card information, passwords, and social security numbers.

- Trevor

On 9/23/10 2:24 PM, Ryan Lane wrote:
> > As far as I know, yes. MediaWiki sets a session cookie with an ID that uniquely identifies the session. The session data itself is stored in some session storage (by default we let PHP handle it, on WMF we stick it in memcached, I believe). So unless there's some ridiculous vulnerability allowing people to obtain the value of arbitrary keys in $_SESSION, you should be fine AFAIK.
>
> The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.
>
> -- Ryan Lane
Re: [Wikitech-l] Is the $_SESSION secure?
On 9/23/10 2:24 PM, Ryan Lane wrote:
> The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.

Good point, but in this case I'm just storing the path to a temporary file. The file isn't even sensitive data; it's just a user-uploaded media file for which the user has not yet selected a license, although we anticipate they will in a few minutes.

-- Neil Kandalgaonkar ( ) ne...@wikimedia.org
Re: [Wikitech-l] Is the $_SESSION secure?
On Fri, Sep 24, 2010 at 1:36 AM, Neil Kandalgaonkar ne...@wikimedia.org wrote:
> On 9/23/10 2:24 PM, Ryan Lane wrote:
> > The contents of that session on the server are unencrypted, correct? Depending on what the secret is, he may or may not want to use it. For instance, that is probably a terrible place to put credit card numbers temporarily.
>
> Good point, but in this case I'm just storing the path to a temporary file. The file isn't even sensitive data; it's just a user-uploaded media file for which the user has not yet selected a license, although we anticipate they will in a few minutes.

If it's user-uploaded, take care of garbage collection; actually, how does PHP handle it if you upload a file and then don't touch it during the script's runtime? Will it automatically be deleted after the script is finished or after a specific time?

Marco

--
VMSoft GbR
Nabburger Str. 15
81737 München
Managing directors: Marco Schuster, Volker Hemmert
http://vmsoft-gbr.de
Re: [Wikitech-l] Is the $_SESSION secure?
On 2010-09-24, Dmitriy Sintsov wrote:
> One probably can rename it to another temporary name? Then move to final location during the next request, according to previously passed cookie?
> Speaking of cookies, there are millions of ways of looking at them, FF's WebDeveloper extension, HTTP headers extension, Wireshark application to name just a few. Absolutely non-secure, when unencrypted.

Session data is not stored in cookies, only a unique session identifier is passed to the client.

Robert