Sessions not expiring

Anon

I have created some PHP pages that require a user to login to access them. I have implemented the pages using the PHP session routines.

The problem I am running into is when the browser is closed, the session does not expire. I can copy the URL (with SID in it) and close the browser. If I load another browser window and paste the URL I am allowed back into the page.

Shouldnt the session have expired? I have the expiration of cookies set to 0 in the php.ini file. I have tweaked all the session variables in the PHP.ini file so I am at a loss as to what is going on.

What am I doing wrong here?

van__

You are doing nothing wrong, except for you are hijacking your own user sessions.

What you have encountered is the way a session can be hijacked, if a 3rd party get's the session ID, they can tehn use that session ID to take over the other users session.

How do you prevent this?
Well, that's the toughy.
You can have everything from the login on take place under an HTTPS connection or you could go so far as to not use the $HTTP_SESSION_VARS and write your own session object and then have all the client side session data sent out encrypted and then decrypted by your scripts.

Another thing you could do is tweak your session settings in the hpp.ini file. You can change the garbage collection to say 20 or 30 minute, so all sessions will be up for disposal sooner than the 2 hour current lifetime. Another thing you could do is raise the max probability, that control the likelyhood that a session will be trashed by the garbage collector at any given time.
But, be cautious with your changes and make sure to test, test test.

But, no matter what you do, once you have the session ID, that session is yours.

emcb_php

Im guessing youre using IE, which is crap. ive done thie exact thing before and got the secured data. But if you were to try with netscape it may fix your problem.

There could also be a problem with your server. When the session files are stored, they are not always deleted. So you could setup a cron to delete them every day or so.

Elfyn

van__

Ermmm...it doesn't matter what browser you have, if you get the session ID that session is at your command. Netscape or IE is not a factor here, what is a factor is whether or not a 3rd party can guess or grab that session ID from a packet sniffer (or from your own server if they have root) and then take control of the session.

There is no real way to prevent it either.

Keep in mind it's not like sessions are really secure. Just like anything else, they can be taken over by third parties. It's not like you can just say, ok... well, I'll have the IP in the session too and if the IP don't match I know it's a hacker. Because IP's change, and behind a proxy server, your IP can change between page requests.

So just how do you know that the person with the session ID is who they say they are?

Keep in mind too, that every languages sessions are insecure, it's just due to the nature of the internet and you should never take a stock user function at face value and think that it will ever provide 100% coverage. If you want better than so-so, you'll have to be creative and code for it.
PHP just like all other language only tries to provide the tools to make it happen, not provide a bunch of point and click solutions for disposable use.