Presentation Transcript
Session 7 Sessions and Cookies

Justin C. Klein Keane

jukeane@sas.upenn.edu

PHP Code Auditing

©2009 Justin C. Klein Keane

PHP Session
  • Sessions are used to track data across page requests
  • Used to work around the stateless nature of the web
  • Sessions are tracked by an id
    • ID is stored server side, as configured in php.ini
    • ID is stored client side as a cookie or URL parameter
Starting a Session
  • Initializing a session:
    <?php
    session_start();
    ...
Session Variables Preserved
  • Session variable values are saved on the server and tied to each session id
  • Session variables are preserved across page requests
  • Information like user account data, shopping carts, etc. is typically stored in session
Using Session Variables
  • $_SESSION is a superglobal variable
    • http://us3.php.net/manual/en/language.variables.superglobals.php
  • Variables in the $_SESSION array are set and read in the same way as other superglobals
    <?php
    $_SESSION['user_id'] = $user_id;
    echo $_SESSION['user_id'];
    ...
Session Collision
  • Sessions should be named per application
  • PHPSESSID is shared across a domain, so applications can share sessions
  • This can lead to unintended single sign-on, or
  • This can lead to unauthenticated access
  • Example...
Naming a Session
    <?php
    session_name('myapp');
    session_start();
  • Ensures a session unique to this application
Terminating a Session
  • Tearing down a session:
    <?php
    session_destroy();
    ...
  • Unset any sensitive variables:
    <?php
    unset($var);
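The naming and teardown slides above, together with the later "Session fixation" bullet, combined into one per-application session lifecycle. This is an added example, not the deck's code; APP_NAME, the helper names and the $_SESSION keys are assumptions for the illustration.

```php
<?php
// Added example (not from the slides): a per-application session lifecycle
// built from the deck's pieces: session_name() before session_start(), a
// marker so another app's PHPSESSID data cannot be adopted, id regeneration
// at login (session fixation mitigation), and a full teardown at logout.
// APP_NAME and the $_SESSION keys used here are assumptions for the example.

const APP_NAME = 'myapp';

function app_session_start(): void
{
    // Name the session so it does not collide with other apps on the domain.
    session_name(APP_NAME);
    session_start();

    // Refuse to reuse session data that was not created by this application.
    if (!isset($_SESSION['app']) || $_SESSION['app'] !== APP_NAME) {
        $_SESSION = [];
        session_regenerate_id(true);   // new id; old server-side file deleted
        $_SESSION['app'] = APP_NAME;
    }
}

function app_login(int $userId): void
{
    // A fresh id at privilege change means an id chosen before login
    // (fixation) is never associated with the authenticated user.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function app_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function app_logout(): void
{
    // Unset the variables, expire the client cookie, then destroy the
    // server-side store; session_destroy() alone leaves the cookie in place.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in a request handler:
app_session_start();
if (app_user_id() === null) {
    // ... authenticate the user, then call app_login($id) ...
}
```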
Dangers of Session
  • Session IDs allow the holder to “adopt” the session
  • Be wary of restricting session to IP
    • Proxy and other problems
  • Using multiple cookie values can add “uniqueness” to sessions
Session Leaking
  • Session ids are stored on the filesystem
  • Session ids in URLs can be leaked through referer data
  • Session ids in URLs can also get copied and pasted, and end up in log files
  • Session ids are also found in cookies
Cookies
  • Cookies are nothing more than small text files
  • Cookies can be set by any site if the browser accepts them
Setting Cookies
    <?php
    setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
    ?>
  • Note that expiry is actually enforced by the browser, which may or may not stop sending the cookie at the set time
  • There is no native server side tracking of cookie expiry
Cookie Location
  • Domain and path determine requests for which the cookie will be submitted
  • Cookies set to an HTTP domain will not be sent to an HTTPS domain, and vice versa
Cookie Security
  • Setting a cookie to secure indicates that the cookie will only be sent via HTTPS
    • This means the cookie will only be submitted with HTTPS requests
    • Be careful – you can set a cookie like this over HTTP!
Cookie Security (cont.)
  • Setting the cookie to httponly is a VERY good idea in most circumstances
    • Only available in PHP 5.2 and later
    • Limits cookie access to HTTP only; JavaScript cannot read the cookie
    • This prevents cookie theft via XSS attacks
    • Unfortunately the browser must support the behavior
Accessing Cookies
  • Can be accessed via multiple superglobals:
    <?php
    echo $_COOKIE['foo'];
    print_r($_SERVER['HTTP_COOKIE']);
    ...
Sessions and Cookies
  • Session cookies can be configured in php.ini
  • Some relevant settings include:
    • session.cookie_secure
    • session.cookie_httponly
    • session.referer_check
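The cookie-setting, cookie-security and php.ini slides above, worked into code: an application cookie issued with secure and httponly, a refusal to issue a "secure" cookie over plain HTTP (the deck's warning), and the session cookie flags applied in code rather than php.ini. Added example, not the deck's code; the cookie name, helper names and the HTTPS check are assumptions.

```php
<?php
// Added example (not from the slides): setting an application cookie with the
// secure and httponly flags, refusing to issue a "secure" cookie over plain
// HTTP, and applying the same flags to the session cookie from code instead
// of php.ini. Cookie and helper names are assumptions for the example.

function request_is_https(): bool
{
    // $_SERVER['HTTPS'] is non-empty (IIS uses "off") when PHP itself saw TLS;
    // a deployment behind a TLS-terminating proxy needs its own check.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function set_secure_cookie(string $name, string $value, int $ttl): bool
{
    if (!request_is_https()) {
        // A "secure" cookie issued over HTTP has already crossed the wire in
        // clear text; refuse to set it rather than pretend it is protected.
        return false;
    }
    // expire is advisory (browser-enforced); path/domain scope the cookie;
    // secure=true limits it to HTTPS; httponly=true hides it from JavaScript.
    return setcookie($name, $value, time() + $ttl, '/', '', true, true);
}

function harden_session_cookie(int $lifetime = 0): void
{
    // Same effect as session.cookie_secure / session.cookie_httponly in
    // php.ini; must run before session_start() to apply to this request.
    session_set_cookie_params($lifetime, '/', '', true, true);
    // Never accept a session id from a URL parameter (the leaking slide);
    // cookies only.
    ini_set('session.use_only_cookies', '1');
    // Reject ids the server never issued instead of adopting them.
    ini_set('session.use_strict_mode', '1');
}

harden_session_cookie();
session_name('myapp');
session_start();

if (!set_secure_cookie('pref', 'dark', 86400)) {
    error_log('refused to set cookie "pref" over plain HTTP');
}
```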
Session Security
  • Session fixation
    • Flaw in application logic that allows a user's session id to be set
    • Especially dangerous when session id's in GET
    • Attacker can set cookies for another domain
  • Session predictability