Session 7 sessions and cookies justin c klein keane jukeane@sas upenn edu
PHP Code Auditing PowerPoint PPT Presentation


Presentation Transcript



Session 7 Sessions and Cookies

Justin C. Klein Keane

jukeane@sas.upenn.edu

PHP Code Auditing

©2009 Justin C. Klein Keane



PHP Session

  • Sessions are used to track data across page requests

  • Used to end-run the stateless nature of the web

  • Sessions are tracked by an ID

    • The ID is stored server side, based on the php.ini settings

    • The ID is stored client side as a cookie or URL parameter



Starting a Session

  • Initializing a session:

    <?php
    session_start();   // must be called before any output is sent to the browser
    ...



Session Variables Preserved

  • Session variable values are saved on the server and tied to each session id

  • Session variables are preserved across page requests

  • Information like user account data, shopping carts, etc. is typically stored in session



Using Session Variables

  • $_SESSION is a superglobal variable

    • http://us3.php.net/manual/en/language.variables.superglobals.php

  • Variables in the $_SESSION array are set and read in the same way as other superglobals

    <?php
    $_SESSION['user_id'] = $user_id;   // saved server side under the current session ID
    echo $_SESSION['user_id'];         // available again on the next request
    ....



Session Collision

  • Sessions should be named per application

  • PHPSESSID is shared across a domain, so applications can share sessions

  • This can lead to single sign-on, OR

  • This can lead to unauthenticated access

  • Example...



Naming a Session

    <?php
    session_name('myapp');   // must be called before session_start()
    session_start();

  • Ensures a session cookie unique to this application
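An added example, not from the slides, showing the per-application naming this slide recommends together with cookie scoping, so two applications on one host ('billing' and 'forum', hypothetical names and paths) never share a session. The array form of session_set_cookie_params needs PHP 7.3 or later:

```php
<?php
// Added example (not from the slides): one bootstrap shared by every page of an
// application. Each app on the host gets its own cookie name and path, so the
// "billing" and "forum" apps on the same domain never read each other's data.
// The app names and paths below are hypothetical.
function start_app_session(string $app, string $path): void
{
    // Cookie name: no app on this host may fall back to the default PHPSESSID.
    session_name($app . '_sid');

    // Scope the cookie to this app's path and harden it. Array keys need PHP 7.3+;
    // older versions take positional args: (lifetime, path, domain, secure, httponly).
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie: discarded when the browser closes
        'path'     => $path,      // only sent for requests under this path
        'domain'   => '',         // current host only, not subdomains
        'secure'   => true,       // never sent over plain HTTP
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();
}

// In /billing/index.php
start_app_session('billing', '/billing/');
$_SESSION['role'] = 'customer';

// In /forum/index.php (a separate request): different cookie name, different
// server-side record, so no collision and no accidental single sign-on.
// start_app_session('forum', '/forum/');
```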



Terminating a Session

  • Tearing down a session

    <?php
    session_destroy();   // removes the server-side data; $_SESSION in this request and the browser cookie remain
    ....

  • Unset any sensitive variables

    <?php
    unset($var);
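An added example, not from the slides, of a complete logout: session_destroy() on its own leaves $_SESSION filled for the rest of the request and leaves the cookie in the browser, so the teardown below clears all three. The login page path is hypothetical:

```php
<?php
// Added example (not from the slides): a complete logout. session_destroy() alone
// removes the server-side data but leaves $_SESSION populated for the rest of the
// current request and leaves the cookie in the browser, so the old ID keeps being
// sent. All three steps are needed.
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // nothing to tear down unless a session is open
    }

    // 1. Wipe sensitive data from the current request (the slide's unset($var),
    //    applied to the whole array).
    $_SESSION = [];

    // 2. Expire the session cookie in the browser, using the same attributes it
    //    was set with; otherwise the browser keeps sending the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,          // a time in the past expires the cookie
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // 3. Remove the server-side session data.
    session_destroy();
}

end_session();
header('Location: /login.php');   // hypothetical login page
```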



Dangers of Session

  • Session IDs allow the holder to “adopt” the session

  • Be wary of restricting session to IP

    • Proxy and other problems

  • Using multiple cookie values can add “uniqueness” to sessions



Session Leaking

  • Session IDs are stored on the filesystem

  • Session IDs in URLs can be leaked through referer data

  • Session IDs in URLs can also get copied and pasted, and end up in log files

  • Session IDs are also found in cookies



Cookies

  • Cookies are nothing more than small text files

  • Cookies can be set by any site if the browser accepts them



Setting Cookies

    <?php
    setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);   // $expire is a Unix timestamp; 0 means until the browser closes
    ?>

  • Note that expiry is actually controlled by the browser, which may or may not stop using the cookie at the set time

  • There is no native server side tracking of cookie expiry
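Since the server never learns when the browser actually drops the cookie, here is an added example (not from the slides) of enforcing expiry server side: the expiry timestamp is embedded in the cookie value and covered by an HMAC, so a cookie presented late or with an edited timestamp is rejected. The cookie name, payload and key are placeholders:

```php
<?php
// Added example (not from the slides): because the browser decides whether to honour
// $expire, the server embeds the deadline in the value and signs it. A cookie replayed
// after its deadline, or with an edited timestamp, fails the check server side.
// The cookie name, payload and key are hypothetical.
const COOKIE_NAME = 'remember';

function make_signed_cookie(string $payload, int $expires, string $key): string
{
    $body = base64_encode($payload) . '.' . $expires;   // base64 never contains '.'
    $mac  = hash_hmac('sha256', $body, $key);
    return $body . '.' . $mac;
}

// Returns the payload, or null if the cookie is malformed, forged or expired.
function read_signed_cookie(?string $value, string $key, int $now): ?string
{
    if ($value === null || substr_count($value, '.') !== 2) {
        return null;
    }
    [$b64, $expires, $mac] = explode('.', $value, 3);
    $expected = hash_hmac('sha256', $b64 . '.' . $expires, $key);
    // Constant-time comparison: never compare MACs with == or ===.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!preg_match('/^\d+$/', $expires) || (int) $expires < $now) {
        return null;                 // the server-side expiry check
    }
    $payload = base64_decode($b64, true);
    return $payload === false ? null : $payload;
}

$key = 'replace-with-a-random-secret-from-config';   // placeholder
$ttl = 7 * 24 * 3600;

// Setting it: expiry handed to the browser AND embedded in the signed value.
$value = make_signed_cookie('user:42', time() + $ttl, $key);
setcookie(COOKIE_NAME, $value, time() + $ttl, '/', '', true, true);

// Reading it on a later request: the browser's timer is not trusted.
$payload = read_signed_cookie($_COOKIE[COOKIE_NAME] ?? null, $key, time());
```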



Cookie Location

  • Domain and path determine requests for which the cookie will be submitted

  • Cookies set to an HTTP domain will not be sent to an HTTPS domain, and vice versa



Cookie Security

  • Setting a cookie to secure indicates that the cookie will only be sent via HTTPS

    • This means the cookie will only be submitted with HTTPS requests

    • Be careful – you can set a cookie like this over HTTP!



Cookie Security (cont.)

  • Setting the cookie to httponly is a VERY good idea in most circumstances

    • Only available in PHP 5.2 and later

    • Limits cookie access to HTTP only; JavaScript cannot access the cookie

    • This prevents cookie theft through XSS attacks

    • Unfortunately the browser must support the behavior



Accessing Cookies

  • Can be accessed via multiple superglobals:

    <?php
    echo $_COOKIE['foo'];               // parsed value of the cookie named foo
    print_r($_SERVER['HTTP_COOKIE']);   // raw Cookie: request header
    ...



Sessions and Cookies

  • Session cookies can be configured in php.ini

  • Some relevant settings include:

    • session.cookie_secure

    • session.cookie_httponly

    • session.referer_check
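An added php.ini fragment, not from the slides, with the hardened value of each setting the slide names and the built-in default in the comment beside it, plus the two settings that keep the ID out of URLs (the concern of the Session Leaking slide). The host name is a placeholder:

```ini
; Added example (not from the slides). Built-in defaults are noted in the comments.

; Default 0: the session cookie is also sent over plain HTTP, exposing the ID in clear.
session.cookie_secure = 1

; Default 0: JavaScript can read the session ID from document.cookie.
session.cookie_httponly = 1

; Default "" (no check). If a Referer header is present and does not contain this
; substring, the presented session ID is treated as invalid and a new session starts.
; Substring match only, and Referer is often absent or stripped, so treat this as
; defence in depth, not a control. Replace example.com with your own host name.
session.referer_check = "example.com"

; Default 0 in PHP 5.2 (1 from PHP 5.3): never accept the session ID from the URL.
session.use_only_cookies = 1

; Default 0 (setting added in PHP 5.5.2): reject IDs the server did not itself issue.
session.use_strict_mode = 1
```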



Session Security

  • Session fixation

    • Flaw in application logic that allows a user's session ID to be set

    • Especially dangerous when session IDs are passed in GET

    • Attacker can set cookies for another domain

  • Session predictability


  • Login
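An added example, not from the slides, of login handling that addresses the fixation flaw described above, together with a client-binding check in the spirit of the Dangers of Session slide (bound to the User-Agent rather than the IP, which that slide warns against). Function names and session keys are assumptions:

```php
<?php
// Added example (not from the slides): login handling that defeats session fixation.
// The application never trusts a session ID it did not issue itself, and issues a
// fresh ID the moment privilege changes (login). The fingerprint is a tripwire for
// a session presented from a different client, deliberately not based on the IP.
// Function names and session keys are hypothetical.

// Refuse IDs supplied in the URL and IDs the server never generated
// (use_strict_mode needs PHP 5.5.2+); both must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

function client_fingerprint(): string
{
    // User-Agent is stable for one browser but not unique; it adds friction, not auth.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login_user(int $userId): void
{
    // New ID, old server-side record deleted: an ID planted before the user
    // authenticated no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['fingerprint']  = client_fingerprint();
    $_SESSION['logged_in_at'] = time();
}

// Returns the user ID of an authenticated, still-plausible session, or null.
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        // Session presented from a different client than the one that logged in.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// After credentials have been verified by the application's own check (not shown):
// login_user($verifiedUserId);
```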