Session 7: Sessions and Cookies
Justin C. Klein Keane
firstname.lastname@example.org
PHP Code Auditing
©2009 Justin C. Klein Keane
PHP Session
• Sessions are used to track data across page requests
• Used to end-run the stateless nature of the web
• Sessions are tracked by an id
• The id is stored server side according to the php.ini settings
• The id is stored client side as a cookie or URL parameter
Starting a Session
• Initializing a session:
    <?php
    session_start();
    ...
Session Variables Preserved
• Session variable values are saved on the server and tied to each session id
• Session variables are preserved across page requests
• Information like user account data, shopping carts, etc. is typically stored in the session
Using Session Variables
• $_SESSION is a superglobal variable
• http://us3.php.net/manual/en/language.variables.superglobals.php
• Variables in the $_SESSION array are set and read in the same way as other superglobals
    <?php
    $_SESSION['user_id'] = $user_id;
    echo $_SESSION['user_id'];
    ...
Session Collision
• Sessions should be named per application
• PHPSESSID is shared across a domain, so applications can share sessions
• This can lead to single sign-on, OR
• This can lead to unauthenticated access
• Example...
Naming a Session
    <?php
    session_name('myapp');
    session_start();
• Ensures a session unique to this application
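The following is an added example, not code from the original slides, showing how naming the session and scoping its cookie keeps one application's session separate from other applications on the same host. The name 'myapp' and the path '/myapp/' are assumed values.

```php
<?php
// Added example: isolate this application's session from other apps on the
// same domain. session_name() must be called before session_start().

// Use a name unique to this application instead of the default PHPSESSID.
session_name('myapp');

// Scope the session cookie to this application's path so other applications
// on the same host neither receive nor overwrite it. Secure and HttpOnly are
// set as well so the id is not sent over plain HTTP or readable by scripts.
// (array form of session_set_cookie_params() requires PHP 7.3 or later)
session_set_cookie_params([
    'lifetime' => 0,          // session cookie: dropped when the browser closes
    'path'     => '/myapp/',  // assumed application path
    'domain'   => '',         // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_start();

// From here on $_SESSION belongs to the 'myapp' session only.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'Session name: ' . session_name() . ', visits: ' . $_SESSION['visits'];
```

Both calls must come before any output is sent, since the session cookie is an HTTP header.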
Terminating a Session
• Tearing down a session
    <?php
    session_destroy();
    ...
• Unset any sensitive variables
    <?php
    unset($var);
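A complete teardown, added here as an example rather than taken from the slides: session_destroy() only removes the server-side data, so the session array is cleared and the client cookie expired as well. The session name 'myapp' is assumed.

```php
<?php
// Added example: full logout sequence for a named session.
session_name('myapp');
session_start();

// 1. Clear every session variable so nothing sensitive stays in memory
//    for the rest of this request.
$_SESSION = [];

// 2. Expire the session cookie in the browser. Without this the client keeps
//    sending the old id, and with a permissive server config it could be
//    revived.
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,       // a time in the past
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
    ]);
}

// 3. Remove the session data on the server.
session_destroy();
```

Order matters: read the cookie parameters and issue the expiring cookie while the session is still active, then destroy it.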
Dangers of Session
• Session IDs allow the holder to “adopt” the session
• Be wary of restricting a session to an IP
• Proxy and other problems
• Using multiple cookie values can add “uniqueness” to sessions
Session Leaking
• Session ids are stored on the filesystem
• Session ids in URLs can be leaked through referer data
• Session ids in URLs can also get copied and pasted, and end up in log files
• Session ids are also found in cookies
Cookies
• Cookies are nothing more than small text files
• Cookies can be set by any site if the browser accepts them
Setting Cookies
    <?php
    setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
    ?>
• Note that expiry is actually controlled by the browser, which may or may not stop using the cookie at the set time
• There is no native server side tracking of cookie expiry
Cookie Location
• Domain and path determine the requests for which the cookie will be submitted
• Cookies set to an HTTP domain will not be sent to an HTTPS domain, and vice versa
Cookie Security
• Setting a cookie to secure indicates that the cookie will only be sent via HTTPS
• This means the cookie will only be submitted with HTTPS requests
• Be careful – you can set a cookie like this over HTTP!
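The three slides above (setting cookies, their location, and the secure flag) are brought together in this added example, which is not part of the original deck. It sets a cookie with the Secure and HttpOnly flags, refuses to do so on a plain HTTP request (where the value would already have travelled in the clear), and keeps a server-side expiry because the browser's own expiry cannot be relied on. The cookie name 'auth_token' and the one-hour lifetime are assumed.

```php
<?php
// Added example: setting a sensitive cookie safely.
session_start();

// Detect whether this request arrived over HTTPS.
function isHttpsRequest(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
}

// Set a cookie that is only ever sent on HTTPS and is hidden from JavaScript.
// Returns false (and sets nothing) if the current request is plain HTTP.
function setSecureCookie(string $name, string $value, int $ttlSeconds): bool
{
    if (!isHttpsRequest()) {
        return false;   // never hand out a "secure" cookie over HTTP
    }
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',        // whole site
        'domain'   => '',         // current host only
        'secure'   => true,       // submitted with HTTPS requests only
        'httponly' => true,       // not readable via document.cookie
        'samesite' => 'Lax',
    ]);
}

// The browser decides when to stop sending the cookie, so record the expiry
// server side too and check it on every request.
function issueAuthToken(int $ttlSeconds): string
{
    $token = bin2hex(random_bytes(32));         // unpredictable value
    $_SESSION['auth_token'] = [
        'value'   => $token,
        'expires' => time() + $ttlSeconds,
    ];
    return $token;
}

function authTokenIsValid(): bool
{
    $stored = $_SESSION['auth_token'] ?? null;
    $sent   = $_COOKIE['auth_token'] ?? '';
    return $stored !== null
        && time() < $stored['expires']
        && hash_equals($stored['value'], $sent);
}

if (!setSecureCookie('auth_token', issueAuthToken(3600), 3600)) {
    // Assumed handling: refuse to proceed rather than fall back to HTTP.
    http_response_code(403);
    echo 'This action requires HTTPS';
}
```

hash_equals() is used for the comparison so that token checking does not leak timing information.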
Accessing Cookies
• Can be accessed via multiple superglobals:
    <?php
    echo $_COOKIE['foo'];
    print_r($_SERVER['HTTP_COOKIE']);
    ...
Sessions and Cookies
• Session cookies can be configured in php.ini
• Some relevant settings include:
• session.cookie_secure
• session.cookie_httponly
• session.referer_check
Session Security
• Session fixation
• A flaw in application logic that allows a user's session id to be set
• Especially dangerous when session ids are passed in GET
• An attacker can set cookies for another domain
• Session predictability
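The php.ini settings from the previous slide and the fixation problem from this one are combined in the following added example, which is not code from the slides. It configures the session to accept ids from cookies only, rejects ids the server never issued, and replaces the session id as soon as the user authenticates so that any id a client carried before login is never tied to an authenticated session. checkCredentials() is a placeholder for the application's own login check.

```php
<?php
// Added example: session settings and a login handler resistant to fixation.

// Take the session id from the cookie only, never from a GET/POST parameter,
// and never rewrite URLs to carry it (so it does not leak via referers/logs).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject any id the server did not generate itself; an id planted by a third
// party is discarded and a fresh one is issued instead.
ini_set('session.use_strict_mode', '1');
// Same flags as session.cookie_secure / session.cookie_httponly in php.ini.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');

session_name('myapp');
session_start();

// Placeholder for the application's real credential check.
function checkCredentials(string $user, string $pass): bool
{
    // e.g. look up the stored hash and return password_verify($pass, $hash);
    return false;
}

function loginUser(string $userId): void
{
    // Replace the pre-authentication id and delete the old session file, so a
    // session id that existed (or was set) before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

if (isset($_POST['user'], $_POST['pass'])
    && checkCredentials($_POST['user'], $_POST['pass'])) {
    loginUser($_POST['user']);
    echo 'Logged in with a fresh session id: ' . session_id();
} else {
    http_response_code(401);
    echo 'Login failed';
}
```

Regenerating the id on every privilege change (login, role switch) is the key defence: even if an attacker knows the id a user had before authenticating, it stops being valid the moment the user logs in.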