Urgent, PHP session, Two people come in with the same session

wmac

Hello,

I have a community website and use sessions for login.

Almost entire ISPs use cache+proxy. Now when two person from one ISP come into my website (naturally with the same cache server IP) they may go into each other's accounts.

Then they attack me "Hey Mr Admin what's up with your messy site! this time I am gone into a Mr. B's account.

My login code starts with something like this :

session_cache_limiter('nocache');
session_set_cookie_params(100000);
session_start();
session_register("curruserid");
session_register("currusername");
session_register("curruseremail");
session_register("curruserfirstname");
session_register("curruserffirstname");

then I use the $_SESSION[] to read and set the session variables.

Can someone with the same experience please help me solve this huge problem.

Regards,
Mac

TruckStuff

Check out this article for a discussion of expiring web pages: http://www.php-mag.net/itr/online_artikel/psecom,id,637,nodeid,114.html

wmac

Hello, My problem is about sessions (two people login and they have the same session).

Would you please tell me how you relate sessions to browsea etc?

rehfeld

are you passing the session id through the url?

if so, thats a huge security risk.

all it takes is for one of your users to cut and paste the url to a public forum like this and then ANYONE who clicks on that link has instantly hijacked that session, even if they didnt intend to do so.

if its not that, maybe you just have gaping holes in your code. for example,

are you using register globals?
do you initialize all your variables?
do you properly check ALL user input before using it?

those are just a few of the basics, security is an enormous topic.

i would start on google and search for php session security.

you can tighten up your session, theres various directives you can apply.

goto http://www.php.net/session and read the entire page, and follow the links to learn about each individaul option.

wmac

Really thank you.

1- Yes. PHPSESSID is being sent with the URL but it is set in all Cpanel servers ( a type of control panel) by default. How can I turn it off for my own site?

But this reduces the chance of caching the pages. Isn't it?

2- Server has register_globals ON but it is a shared server. however I never, anywhere use global registers for sessions, post and get data etc.. and I do a lot of checking (I even cast the type to correct type, check the content of variable to avoid SQL injection ...).

3- Should I use 'private' instead of 'nocache'?

4- Also I had problem with smaller times (for session) so I have put 100000. Should I reduce this ? Will it help?

Regards,
Mac

rehfeld

yes you can change that

ini_set('session.use_trans_sid', 0); // php wont add sess_id to urls anymore
ini_set('session.use_only_cookies', 1); // php wont even accept sid's unless its from a cookie now.

you can do the above in .htaccess too so you dont need to do it in ever script

i wouldnt worry about your pages being cached. if your sending a nocache header that should take care of it

you might wanna read up on http and the cache control headers, but thats another subject.

i usually send this header

header('Cache-control: private, must-revalidate');

private means the only thing that is allowed to cache it is the browser itself, not other caches. but its possible nocache might be what you want in your particular situation. the private header is usefull when dealing w/ input forms, because internet exploder has a bug and sending the private header fixes it. thats off subject though.

it sounds like your pretty thurough checking your user input. thats good. you can still turn register globals off if you can use .htaccess though.

php_flag register_globals off

i wouldnt be too concerned about the session.cookie_lifetime(if thats what you set to 100000). that does seem kinda long though. unless you need it that long, you might wanna reduce it a bit.

i really think you were being hacked because of passing the sid through the url. stop doing that and you have eliminated that hole. now the only way they can do that is if they hijack the users cookies, which is very hard to do.

you could further beef up security by looking at session.referrer_check, but this is just icing on the cake, its not really meant to prevent hackers, its more meant to help when your passing the sid through the url, if someone posts that url on a message board. it keep everyone who clicks on the link from accidently hijacking the session, but its not fail proof. if the browser doesnt send a referrer header at all, this directive will be totally ignored and wont help. but i dont see many drawbacks to using it, just mainly benefits(even w/ cookies) so every bit helps.

you could expand upon the above concept and do a check on the browsers user_agent as well. i would NOT recomend doing that w/ the ip address though, because people have dynamic ips that sometimes change on every page. but the browser does not change, so you can safely block all session requests unless the user_agent matches the value you recorded when you first started the session. heres a simple example


session_start();

// if we have not recorded thier user_agent yet, do it
if (!isset($_SESSION['HTTP_USER_AGENT'])) {
    $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
}

// now check if the current user_agent matches the one which started the session
if ($_SESSION['HTTP_USER_AGENT'] != $_SERVER['HTTP_USER_AGENT']) {
    exit; // silently, dont give the hacker any hints as to why
}

wmac

Really thank you for your time. I learned very much.

Best Regards,
Mac