PHP Code Auditing - PowerPoint PPT Presentation

Presentation Transcript

  1. Session 7: Sessions and Cookies
  Justin C. Klein Keane, jukeane@sas.upenn.edu
  PHP Code Auditing ©2009 Justin C. Klein Keane

  2. PHP Session
  • Sessions are used to track data across page requests
  • Used to end-run the stateless nature of the web
  • Sessions are tracked by an ID
  • The ID is stored server side, based on the php.ini settings
  • The ID is stored client side as a cookie or URL parameter

  3. Starting a Session
  • Initializing a session:
    <?php
    session_start();
    ...

  4. Session Variables Preserved
  • Session variable values are saved on the server and tied to each session ID
  • Session variables are preserved across page requests
  • Information like user account data, shopping carts, etc. is typically stored in the session

  5. Using Session Variables
  • $_SESSION is a superglobal variable
  • http://us3.php.net/manual/en/language.variables.superglobals.php
  • Variables in the $_SESSION array are set and read in the same way as other superglobals:
    <?php
    $_SESSION['user_id'] = $user_id;
    echo $_SESSION['user_id'];
    ...

  6. Session Collision
  • Sessions should be named per application
  • PHPSESSID is shared across a domain, so applications can share sessions
  • This can lead to single sign-on, or
  • This can lead to unauthenticated access
  • Example...

  7. Naming a Session
    <?php
    session_name('myapp');
    session_start();
  • Ensures a unique session

  8. Terminating a Session
  • Tearing down a session:
    <?php
    session_destroy();
    ...
  • Unset any sensitive variables:
    <?php
    unset($var);

  9. Dangers of Session
  • Session IDs allow the holder to “adopt” the session
  • Be wary of restricting a session to an IP address
  • Proxies and other problems
  • Using multiple cookie values can add “uniqueness” to sessions

  10. Session Leaking
  • Session IDs are stored on the filesystem
  • Session IDs in URLs can be leaked through referer data
  • Session IDs in URLs can also get copied and pasted, and end up in log files
  • Session IDs are also found in cookies

  11. Cookies
  • Cookies are nothing more than small text files
  • Cookies can be set by any site if the browser accepts them

  12. Setting Cookies
    <?php
    setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
    ?>
  • Note that expiry is actually controlled by the browser, which may or may not actually stop using the cookie at the set time
  • There is no native server side tracking of cookie expiry

  13. Cookie Location
  • Domain and path determine the requests for which the cookie will be submitted
  • Cookies set to an HTTP domain will not be sent to an HTTPS domain, and vice versa

  14. Cookie Security
  • Setting a cookie to secure indicates that the cookie will only be sent via HTTPS
  • This means the cookie will only be submitted with HTTPS requests
  • Be careful – you can set a cookie like this over HTTP!

  15. Cookie Security (cont.)
  • Setting the cookie to httponly is a VERY good idea in most circumstances
  • Only available in PHP 5.2 and later
  • Limits cookie access to HTTP only; JavaScript cannot access the cookie
  • This prevents XSS and cookie theft attacks
  • Unfortunately the browser must support the behavior

  16. Accessing Cookies
  • Cookies can be accessed via multiple superglobals:
    <?php
    echo $_COOKIE['foo'];
    print_r($_SERVER['HTTP_COOKIE']);
    ...

  17. Sessions and Cookies
  • Session cookies can be configured in php.ini
  • Some relevant settings include:
    session.cookie_secure
    session.cookie_httponly
    session.referer_check

  18. Session Security
  • Session fixation
  • A flaw in application logic that allows a user's session ID to be set
  • Especially dangerous when session IDs are passed in GET
  • An attacker can set cookies for another domain
  • Session predictability
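Pulling the slide material together, here is an added example (not code from the slides) of a session bootstrap that applies the points above: a per-application session name, a Secure and HttpOnly session cookie, session ID regeneration on login to defeat session fixation, and a teardown that also expires the client's cookie. It assumes PHP 5.2 or later (for the httponly parameter); the name 'myapp' and the user ID are placeholders.

```php
<?php
// Added example, not part of the original slides. Assumes PHP 5.2+.

function secure_session_start($name = 'myapp')
{
    // Per-application name so applications sharing a domain do not share PHPSESSID (slides 6/7).
    session_name($name);

    // Accept the session ID from the cookie only, never from the URL (slides 10/18).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Mark the session cookie Secure when served over HTTPS, and always HttpOnly (slides 14/15/17).
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);

    session_start();
}

function login_user($user_id)
{
    // Issue a fresh session ID at the privilege change, so an ID planted
    // before login (session fixation, slide 18) no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user_id;
    $_SESSION['logged_in_at'] = time();
}

function logout_user()
{
    // Clear the server-side data first (slide 8: unset sensitive variables).
    $_SESSION = array();

    // session_destroy() removes the server-side record but does not expire the
    // client's cookie, so expire it explicitly with the same parameters it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);

    session_destroy();
}

// Usage: start the session on every request, then act on the stored state.
secure_session_start('myapp');
if (isset($_SESSION['user_id'])) {
    echo 'Logged in as user ' . (int) $_SESSION['user_id'];
}
```

Call login_user() only after the application's own credential check succeeds; the regeneration is what makes a pre-set session ID worthless to whoever planted it.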