[RESOLVED] "ZONE ALARM: Welcome Session Cookies - Kiss good-bye Private Security"

eurozaf

Hello again.
This thread is the continuing of the "Passing variables with Sessions".
The problem there was i couldn't pass variables with sessions and (as it was discovered thanks to Dalecosp. Also thanks to NogDog, bradgrafelman, stolzyboy, Bunkermaster) because of my Zone Alarm firewall.

The problem here is Zone Alarm firewall. (ZoneAlarm Pro version:5.5.062.011)
It blocks the session cookies, unless the Cookie Control and the Add Blocking levels at Privacy|Main dialog are set both to OFF! thus, leaving my privacy totally unprotected:eek:

For everyone who doesn't want to go through the entire thread "Passing variables with Sessions" in order to get the point of the subject, i'll summatize it:

[INDENT]My current session settings:[/INDENT]

session.auto_start 0
session.bug_compat_42 1
session.bug_compat_warn 1
session.cache_expire 180
session.cache_limiter nocache
session.cookie_domain

session.cookie_httponly

session.cookie_lifetime 0
session.cookie_path /
session.cookie_secure

session.entropy_file

session.entropy_length 0
session.gc_divisor 100
session.gc_maxlifetime 1440
session.gc_probability 1
session.hash_bits_per_character 4
session.hash_function 0
session.name PHPSESSID
session.referer_check

session.save_handler files
session.save_path C:\php\sess\tmp
session.serialize_handler php
session.use_cookies 1
session.use_only_cookies 0
session.use_trans_sid 0

I have two files movie1.php and moviesite.php as shown below:

movie1.php:

<?php
// make sure there are no spaces or blank lines before the opening php tag
ini_set('display_errors', 1);          //**********
error_reporting(E_ALL);                //**********
session_start();                       //**********
if(session_id() == '')                 //NogDog's
{                                      //testing code
   echo "No session id created!!!";    //**********
   exit;                               //**********
}                                      //**********
$_SESSION['username']="Joe12345";
$_SESSION['authuser']=1;
?>
<html>
<head>
<title>Find my Favorite Movie!</title>
</head>
<body>
<?php
$myfavmovie = urlencode("Life of Brian");
echo "<a href='moviesite.php?favmovie=$myfavmovie'>";
echo "Click here to see information about my favorite movie!";
echo "</a>";
?>
<br><br>
</body>
<?php                 //*********
echo session_id();    //Dalecosp's
print_r($_SESSION);   //testing
exit;                 //code
?>                    //*********
</html>

moviesite.php:

<?php
// make sure there are no spaces or blank lines before the opening php tag
ini_set('display_errors', 1);          //**********
error_reporting(E_ALL);                //**********
session_start();                       //**********
if(session_id() == '')                 //NogDog's
{                                      //testing code
   echo "No session id created!!!";    //**********
   exit;                               //**********
}                                      //**********

//check to see if user has logged in with a valid passsword
if ($_SESSION['authuser'] != 1) {
  echo "Sorry, but you don't have permission to view this page.";
  echo "<br><br>";
  echo session_id();   //*******************
  print_r($_SESSION);  //Dalecosp's testing code
  exit;                //*******************
  exit();
}
?>
<html>
<head>
<title>My Movie Site - <?php echo $_REQUEST['favmovie']; ?></title>
</head>
<body>
<?php
echo "Welcome to our site, ";
echo $_SESSION['username'];
echo "! <br>";
echo "My favorite movie is ";
echo $_REQUEST['favmovie'];
echo "<br>";
$movierate = 5;
echo "My movie rating for this movie is: ";
echo $movierate;
?>
<br><br>
</body>
<?php                 //*********
echo session_id();    //Dalecosp's
print_r($_SESSION);   //testing
exit;                 //code
?>                    //*********
</html>

After running movie1.php and after clicking the link to moviesite.php, i kept on getting these outputs:

page1(http ://localhost/movie1.php):
Click here to see information about my favorite movie!

ec245c937a43a0bab7fe6d03fd91ff73Array ( [username] => Joe12345 [authuser] => 1 )

and

page2(http ://localhost/moviesite.php?favmovie=Life+of+Brian):
Notice: Undefined index: authuser in C:\Program Files\Apache Software Foundation\Apache2.2\test\moviesite.php on line 13
Sorry, but you don't have permission to view this page.

3fd5b037806e3fecb9faa955dfdcb7daArray ( )

The session_id of the 2nd page was different of that of the 1st one and also empty. Something was blocking the session cookie of the 1st page to be transferred to the 2nd one.
That was because of ZoneAlarm. Only when Cookie Control and the Add Blocking levels at Privacy|Main dialog were both set to OFF, the session cookies were allowed and the desired correct outputs appeared:

page1(http ://localhost/movie1.php):
Click here to see information about my favorite movie!

53b571dde88d6f8fb49dd12671833ad2Array ( [username] => Joe12345 [authuser] => 1 )

and

page2(http ://localhost/moviesite.php?favmovie=Life+of+Brian):
Welcome to our site, Joe12345!
My favorite movie is Life of Brian
My movie rating for this movie is: 5

53b571dde88d6f8fb49dd12671833ad2Array ( [username] => Joe12345 [authuser] => 1 )

Very nice! The problem was solved. But the problem that came up is that the settings at Privacy|Main dialog that had to be applied (Cookie Control😮FF, Add Blocking😮FF) are applied on all the web sites. I tried to apply them only on the "localhost" (as it is the location that i'm testing my php files) and leave Cookie Control:Medium, Add Blocking:High for the rest of the websites but i didn't make it.

Before, you suggest me to change my firewall, please take a look at the three attached files (where i describe with red color what i did and why, and also placed side by side the images of the relevant Dialog Boxes).

What should i do?

NogDog

Try turning session.use_trans_sid on in your PHP configuration.

bradgrafelman

As an alternative, you could have an page that starts a session and stores a test value, and on the next page you'd check for that test value. If it doesn't exist, we know the user is having issues with cookies, so from that point on you can pass the SID in the URL.

eurozaf

NogDog wrote:
Try turning session.use_trans_sid on in your PHP configuration.

Yes, thanks NogDog and bradgrafelman. That's the solution.
Also, although Dalecosp pointed me to this direction at his post (before i even ask my question!), i didn't realise session.use_trans_sid's importance in time.

eurozaf

At "Edit" (Edit/Delete Message) i can't find any "Delete" command.
How can i delete this post? (post #5)

dalecosp

I tend to think that perhaps we should suggest you change your firewall, although I realize that might not be a popular suggestion. 😉

Please keep in mind that IANAL and IANAPE (err, 'privacy expert'). However, as far as cookies go, I see no reason to be terribly alarmed, at least in the case of sites that you have observed to be relatively "safe", sites that have a written privacy policy that you have access to, and sites with no reputation for or record of privacy violations. I might also check on the WWW to see if there is any indication that the site/company that you are dealing with might have been implicated as a "data miner" or "address harvester", etc.

Also, I might use a software solution to eliminate all cookies when your browser is closed. The main use of a persistent cookie is identifying the browser as a previous visitor --- for example, tailoring advertising content based on your previous online behavior observed by the site; other uses would include "persistent logins" --- which is pretty stupid, methinks, and I hope you don't use such mechanisms (I guess you don't, since you've been rejecting all cookies up 'til now) and actual data storage (which no one in their right mind should really be doing). In the case of "previous visitor identification", if you clean all cookies after every site visit, the site won't be able to do much "tracking".

In any regard, you are going to have a tough time with a lot of internet sites if you refuse absolutely all cookies. If the Zone Alarm "cookie cutter" (heh) doesn't allow whitelisting, you might make do by setting your browser's cookies settings to basically reject all cookies, and then adding sites that you actually want to be able to use (and can't without 'cookies') to the "allowed sites" whitelist for IE.

When it comes to computer security, there are many more important things to worry about than cookies. Allow rogue software to access your computer is much more likely to lead to actual loss via identify theft, etc.

eurozaf

Hello,

I finally managed to log in the Zone Alarm User Forum (after continuous rejections) only to witness that many other ZA users have the same problem as mine.
So dalecosp, i will actually get your advice and replace my firewall. Do you have a good one in mind to suggest me? (freeware is preferred🙂 )

I mark this thread resolved. THANK YOU ALL. I 'll be visiting phpbuilder from time to time to get useful information about PHP. This Forum ROCKS!!!

dalecosp

eurozaf wrote:
Hello,

I finally managed to log in the Zone Alarm User Forum (after continuous rejections)

Caused by rejection of cookies? 😉 😃

So dalecosp, i will actually get your advice and replace my firewall. Do you have a good one in mind to suggest me? (freeware is preferred )

Well, a firewall isn't supposed to be responsible for cookie management. Browsers have built-in systems for management of cookies. A firewall is supposed to make sure that any software that "listens" on an internet socket is not accessed by machines from the internet without permission ("ingress filtering"), and, perhaps, that no software on your computer connects to any other machine on the internet without your knowledge or permission ("egress filtering").

If you can trust ZA to do that, then I suggest you set it to accept all cookies and manage your "cookie jar" with the IE controls. A good search at Google might reveal some of the sites that should be "rejected" (and, interestingly enough, Google itself might be one of them).

As for a different "firewall", I don't have many suggestions for Windows firewalls. Any machine with XP SP2 or higher has a built-in "ingress filtering" firewall; any machine with Vista has a firewall that does both "ingress" and "egress" filtering. The other products have tended to get "larger" as the marketing departments of companies like McAfee and Symantec (etc.) have requested more and more "security features" to sell more copies of their product. This has made the product more confusing to use IMHO for a great many users, and really, worth less (in terms of personal trust) to me than having a simple firewall, antivirus, or anti-spyware program that simply does one thing and does it well.

In the "freeware" world, there are mostly variants of four 'standard' firewalls: iptables, ipchains, ipf, and ipfw. Many people have created "Windows" adaptations of these firewalls; they can be found at places like sourceforge.net. Before I changed my firewall, I'd find an online firewall test and see what it said about my system. Indeed, I'd probably attempt to learn a little more about networking; some people are running firewalls today that don't really need them. A firewall on most LANs is often more problematic that helpful, unless you really know how to configure it.

Furthermore, many people are behind a NAT router, making it impossible to "get to" their computer unless you can compromise said router. If I ask for an "online firewall scan", it tells me port 80 is open; however, browsing to that port shows the status of my ISP's wireless link-up to the nearest city.

Generally speaking, if your computer has a publicly-addressable IP address, and you don't wish to offer services to the world or a limited subset of the world, then you should have a firewall in place that blocks all incoming traffic that isn't part of a "handshake" started by your machine of part of a previously established connection. Other than that, a firewall isn't much help, unless you don't trust the people on your LAN (and there are some that shouldn't be trusted, but hopefully not the one in your house, if indeed such exists).

Let me add by saying that a true "security nut" does run a firewall on every computer he has, but it's not a "point and shoot" solution; you would want a rule for every program and every machine on your LAN, and to keep the outside "bad guyz" out also as mentioned above.