It looks like someone trying to guess existing cookies and retrieve session information for existing sessions. Based on the cookie format, I am guessing the sessions are actually controlled by PHP - you can add some code to log IP address and cookie combinations and see if there is a patterns.
I am pretty sure sess_rfc1867-tests-post is a cookie name from the PHP test suite. The other examples you gave look like what might happen if you set a custom session handler and didn't add a unique value for each session. If you are worried about actual session hijacking, store the client IP address in the session and don't let other IPs use it and/or consider an application firewall that can detect these things (no specific recommendation). - Y Sent from a device with a very small keyboard and hyperactive autocorrect. On Fri, Sep 7, 2018, 1:17 AM John <john.ili...@iliffe.ca> wrote: > Beginning last Sunday (2 September) I have been finding several oddly named > session cookies each day on my server. The normal Apache session cookies > have > names like "sess_d50280ded90f1dbd48fcfd5fc77baa77". These new ones have > names > like: > > sess_mycustomsession > sess_sessionidhere > > > The content seems strange too, although so far I haven't found anything > important in one of the. The owner name is often mine, although some have > "php-fpm" as the file owner. > > Here is an example: > > cookie name: sess_rfc1867-tests-post > > cookie content: > > > upload_progress_rfc1867_sid_only_cookie_2.php|a:5:{s:10:"start_time";i:153591608 > > 5;s:14:"content_length";i:603;s:15:"bytes_processed";i:603;s:4:"done";b:1;s:5:"f > > iles";a:2:{i:0;a:7:{s:10:"field_name";s:5:"file1";s:4:"name";s:9:"file1.txt";s:8 > > :"tmp_name";s:14:"/tmp/phpQWrbXC";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_tim > > e";i:1535916085;s:15:"bytes_processed";i:1;}i:1;a:7:{s:10:"field_name";s:5:"file > > 2";s:4:"name";s:9:"file2.txt";s:8:"tmp_name";s:14:"/tmp/phpSoCWFv";s:5:"error";i > > :0;s:4:"done";b:1;s:10:"start_time";i:1535916085;s:15:"bytes_processed";i:1;}}} > > Does anyone have any idea what these are and if I have some sort of a > compromise > to the server going on? > > Thanks in advance. > > John > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > >