user receiving someone else's session

denis67

Hi,

I've got a problem with my session ID since a couple of weeks.

User A is logging in and get a session file in /tmp/sess_f845d6...
the same session ID (the 32 digit number) is on user's A PC
in the /tmp/sess_... file there are some informations about the user A (name,...)

then a few hours after the information in the session file has changed and I found the name of user B in it !
but the user B didn't even connect this day....

so the problem is that the sess_f845d6 belongs no more to user A who gets the user B name, rights, menus...and so on....

and this usurpation process is happening randomly on the user and on the time it is happening....it's not easy to be debugged...

I tried to watch more acurately and get a log of which process is swapping the informations without finding it !

I have a MDK 8.2 linux system with apache 1.3.23 and PHP 4.2.1

I found other similar messages with this problem on other website (the php.net site for instance) and without solution....

has anybody even a clue to help me finding out the cause of this problem...

Regards,

Denis

tsinka

Hi,

please post the session settings (you can get them from e.g. the output of a little phpinfo() script).

Thomas

denis67

here are the session settings from an exctract of the php.ini file

[Session]
session.save_handler = files ; handler used to store/retrieve data
session.save_path = /tmp ; argument passed to save_handler
; in the case of files, this is the
; path where data files are stored
session.use_cookies = 1 ; whether to use cookies
session.name = PHPSESSID
; name of the session
; is used as cookie name
session.auto_start = 0 ; initialize session on request startup
session.cookie_lifetime = 36000 ; lifetime in seconds of cookie
; or if 0, until browser is restarted
session.cookie_path = / ; the path the cookie is valid for
session.cookie_domain = ; the domain the cookie is valid for
session.serialize_handler = php ; handler used to serialize data
; php is the standard serializer of PHP
session.gc_probability = 1 ; percentual probability that the
; 'garbage collection' process is started
; on every session initialization
session.gc_maxlifetime = 36000 ; after this number of seconds, stored
; data will be seen as 'garbage' and
; cleaned up by the gc process
session.referer_check = ; check HTTP Referer to invalidate
; externally stored URLs containing ids
session.entropy_length = 0 ; how many bytes to read from the file
session.entropy_file = ; specified here to create the session id
session.cache_limiter = nocache ; set to {nocache,private,public} to
; determine HTTP caching aspects
session.cache_expire = 600 ; document expires after n minutes

tsinka

Hmmm ... I read somewhere that php 4.2.1 has some bad session problems that have been fixed in later versions. Do you see a chance to upgrade to a recent version ?

Thomas

denis67

well it's a possibility, and I'll probably do it....

...but i have firstly to upgrade and test it on our development web site..

And Actually i wanted to find somewhere the reason of the bug if someone other got it in the past and then a release change log file I still didn't found about all the php versions but I went on the php.net site to read the bugs about sessions and i read nowhere someone having the exactly same problem (they were many other problems related to session )

I forgot to tell you I have the register_globals option to "ON" and I was wondering if this option could be one of the reason of my problem although it would not possible for me to put it off because i use the features of it in our scripts...

may be did you read somewhere else the same problem related to sessions ?

tsinka

Ok,

let's see what we can do ...

tell me more about the session logic. You're using session cookies, right ? You don't add the session ID as GET parameter to urls or as e.g. hidden field to forms.
There are no links that contain the session id in any way (?)
User A and User B don't use the same computer (?)

About register_globals:

register_globals shouldn't affect two different sessions (transfering data or something like that).

But you can badly mess up the session data depending on the code if you have register_globals set to on.

Example:

// inside script one
session_start();
....
session_register("avar");
$avar ="somevalue";
....


//inside script two
session_start();
....
// code that wasn't meant to deal with session data
$avar = "tempval";
....

With register_globals set to on the code in script two will overwrite the value if $avar in the session with the value tempval even if you didn't want to. This is why I'd recommend to always use a well known prefix with session variables, like e.g.

$_SESSION['sess_avar'] = 'avalue';

Don't use session_register() any more, just use $SESSION to store data in a session. Also make sure that a session variable never has the same name as a variable you use in a PHP script.
The same can be said for e.g. POST and GET variables. And never use $avar to access session,get,post .... variables. Always use the superglobal arrays $SESSION,$GET,$POST (introduced in PHP 4.1.0) .....

Just a few notes ...

Back to the problem ... post some code that deals with the sessions and tell me if any session information is added to links or forms.

Thomas

denis67

ok,

1.) it's right, i use cookie and the session ID is written in the /tmp directory
2.)right, no link contains the session ID
3.) user A and user B have distinct computers

well, about the register global thing, i think i'll will have to check my scripts because i think they'll be some who have an $iduser variable for other purpose as the variable stored in the session.

Ok, now for the code, i must say i use LDAP to authenticate, the user gives id and passwd and then if the bind with the LDAP server is done the session-register() the user ID which is written in the /tmp/sess_* file

here is a part of the code :
<?php
session_start();
...
if ($iduser != "")
{
// Destruction of the cookie on the server
session_destroy();
}
...
if (!(@ldap_bind($ds,$dn,$pwd)))
{
msgerror("Mot de passe invalide !");
}
else
{
$iduser=$uid;
session_register("iduser");

...
then i write somtehing to trace the problem when each people is connecting....

tsinka

I am still searching around a little bit to find something about session problems. I wonder if it might have something to do with the way how you authenticate users. Which LDAP server do you have ?

From what I can see so far your code might have some security holes because it is written in a "register_globals=on style".

Please post the complete authentication part of the script (as attachment if too big) including the HTML form.

Thomas

denis67

well, yes, I know now that the register_global option should be switched off, but this web site was developped for a few years and then this recommendation wasn't known and now it's a little bit hard to modify all the code....

our LDAP server is part of an nestcape product i don't remember the name...but it's all right with this ! no bug here....

ok, i'll put the ident.php file in attachment...here below auth.php

// auth.php
<?php
print"<HTML><HEAD>";
print"<TITLE>Identification</TITLE>";
print"</HEAD>";
print"<BODY onload=document.page1.uid.focus() BGCOLOR=\"#C3DCF3\" LINK=\"#0000FF\">";

print"<SCRIPT LANGUAGE=JavaScript>

function test()
{
document.page1.method = \"POST\";
document.page1.action = \"ident.php\";
document.page1.target = \"principal\";
document.page1.submit();
window.close();
}
</SCRIPT>";

print("<FORM NAME=page1>");
print("<CENTER><INPUT TYPE=text NAME=uid VALUE=\"\"><BR>Identifiant<BR>");
print("<INPUT TYPE=password NAME=pwd VALUE=\"\"><BR>Mot de passe<BR>\n<BR>");
print("<INPUT TYPE=hidden NAME=color VALUE=\"#FFFFFF\">");
print("<CENTER><A HREF=\"javascript:test()\" onMouseOut=\"MM_swapImgRestore()\" onMouseOver=\"MM_swapImage('envoyer','','images/envoyer_in.gif',1)\"> <IMG NAME=\"envoyer\" BORDER=0 SRC=\"images/envoyer.gif\"></A>");
print("</CENTER></FORM>");

print"</BODY></HTML>";

auth.php (authentication dialog box) --> ident.php (LDAP bind and registering of the session)

Denis