PHP Code Auditing

Presentation Transcript


  1. Session 7: Sessions and Cookies
     Justin C. Klein Keane, jukeane@sas.upenn.edu
     PHP Code Auditing
     ©2009 Justin C. Klein Keane

  2. PHP Session
     • Sessions are used to track data across page requests
     • Used to end-run the stateless nature of the web
     • Sessions are tracked by an ID
     • The ID is stored server side, based on php.ini settings
     • The ID is stored client side as a cookie or URL parameter

  3. Starting a Session
     • Initializing a session:
         <?php
         session_start();
         ...

  4. Session Variables Preserved
     • Session variable values are saved on the server and tied to each session ID
     • Session variables are preserved across page requests
     • Information like user account data, shopping carts, etc. is typically stored in the session

  5. Using Session Variables
     • $_SESSION is a superglobal variable
     • http://us3.php.net/manual/en/language.variables.superglobals.php
     • Variables in the $_SESSION array are set and read in the same way as other superglobals:
         <?php
         $_SESSION['user_id'] = $user_id;
         echo $_SESSION['user_id'];
         ...

  6. Session Collision
     • Sessions should be named per application
     • PHPSESSID is shared across a domain, so applications can share sessions
     • This can lead to single sign-on, OR
     • This can lead to unauthenticated access
     • Example...

  7. Naming a Session
         <?php
         session_name('myapp');
         session_start();
     • Ensures a unique session

  8. Terminating a Session
     • Tearing down a session:
         <?php
         session_destroy();
         ...
     • Unset any sensitive variables:
         <?php
         unset($var);
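The naming and teardown steps from slides 6 to 8 combined into one per-application session wrapper. This is an added example, not code from the slides; the session name 'myapp' is the one the slides use, and the user id 42 stands in for the application's own (hypothetical) login check.

```php
<?php
// Added example: per-application session handling (slides 6 to 8).
// Assumes a hypothetical login check that yields $user_id.

// Name the session before starting it so this application does not share
// PHPSESSID with other applications on the same domain.
function start_app_session(): void
{
    session_name('myapp');
    session_start();
}

// Store the authenticated user's id in the session.
function login_user(int $user_id): void
{
    $_SESSION['user_id'] = $user_id;
}

// Full teardown: session_destroy() removes the server-side data only. The
// $_SESSION array stays populated for the rest of this request and the cookie
// stays in the browser, so clear both explicitly as well.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

start_app_session();

if (isset($_GET['logout'])) {
    logout_user();
    exit("Session ended\n");
}

if (!isset($_SESSION['user_id'])) {
    $user_id = 42;          // hypothetical: result of the app's credential check
    login_user($user_id);
}
echo 'Logged in as user ', (int) $_SESSION['user_id'], "\n";
```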

  9. Dangers of Session
     • Session IDs allow the holder to “adopt” the session
     • Be wary of restricting a session to an IP
     • Proxies and other problems
     • Using multiple cookie values can add “uniqueness” to sessions

  10. Session Leaking
     • Session IDs are stored on the filesystem
     • Session IDs in URLs can be leaked through referer data
     • Session IDs in URLs can also get copied and pasted, and end up in log files
     • Session IDs are also found in cookies

  11. Cookies
     • Cookies are nothing more than small text files
     • Cookies can be set by any site if the browser accepts them

  12. Setting Cookies
         <?php
         setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
         ?>
     • Note that expiry is actually controlled by the browser, which may or may not actually stop using the cookie at the set time
     • There is no native server side tracking of cookie expiry

  13. Cookie Location
     • Domain and path determine the requests for which the cookie will be submitted
     • Cookies set to an HTTP domain will not be sent to an HTTPS domain, and vice versa

  14. Cookie Security
     • Setting a cookie to secure indicates that the cookie will only be sent via HTTPS
     • This means the cookie will only be submitted with HTTPS requests
     • Be careful – you can set a cookie like this over HTTP!

  15. Cookie Security (cont.)
     • Setting the cookie to httponly is a VERY good idea in most circumstances
     • Only available from PHP 5.2 onward
     • Limits cookie access to HTTP only; JavaScript cannot access the cookie
     • This prevents XSS-based cookie theft attacks
     • Unfortunately the browser must support the behavior
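The setcookie() call from slide 12 with the secure and httponly flags of slides 14 and 15, guarded so it never sets a "secure" cookie over plain HTTP. This is an added example, not code from the slides; the cookie name 'auth_token' and its random value are constructed for illustration.

```php
<?php
// Added example: issuing a cookie with secure + httponly (slides 12 to 15).
// The cookie name and value are constructed for illustration.

// PHP sets $_SERVER['HTTPS'] when it served the request over TLS; some SAPIs
// use the string 'off' instead of leaving it unset.
function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Set a cookie the browser will only return over HTTPS and that document.cookie
// cannot read. Refuses to run over plain HTTP (slide 14): the flag would be set,
// but the value would already have crossed the wire in cleartext.
function set_secure_cookie(string $name, string $value, int $ttl_seconds): bool
{
    if (!request_is_https() || headers_sent()) {
        return false;
    }
    return setcookie(
        $name,
        $value,
        time() + $ttl_seconds,   // expiry is only a hint; the browser enforces it (slide 12)
        '/',                     // path: sent with every request on this host
        '',                      // domain: defaults to the host that set it
        true,                    // secure: HTTPS requests only
        true                     // httponly: hidden from JavaScript (PHP 5.2+)
    );
}

$token = bin2hex(random_bytes(16));   // constructed sample value
if (set_secure_cookie('auth_token', $token, 3600)) {
    echo "auth_token cookie queued for the response\n";
} else {
    echo "refused: not an HTTPS request, or headers already sent\n";
}
```

Because expiry is not tracked server side (slide 12), an application that needs a hard lifetime must record the issue time itself (for example in the session) and compare it on each request rather than trusting the browser's expiry.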

  16. Accessing Cookies
     • Can be accessed via multiple superglobals:
         <?php
         echo $_COOKIE['foo'];
         print_r($_SERVER['HTTP_COOKIE']);
         ...

  17. Sessions and Cookies
     • Session cookies can be configured in php.ini
     • Some relevant settings include:
       • session.cookie_secure
       • session.cookie_httponly
       • session.referer_check

  18. Session Security
     • Session fixation
     • Flaw in application logic that allows a user's session ID to be set
     • Especially dangerous when session IDs are in GET
     • Attacker can set cookies for another domain
     • Session predictability
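A defensive pattern for the fixation and leakage problems of slides 9, 10, 17 and 18: the php.ini settings applied at runtime, the session ID regenerated at login, and a non-IP attribute used for the extra "uniqueness" slide 9 suggests. This is an added example, not code from the slides; session.use_only_cookies and session.use_strict_mode are real PHP settings not mentioned on the slides, and the login check is hypothetical.

```php
<?php
// Added example: session fixation and leakage defences (slides 9, 10, 17, 18).
// The credential check that yields user id 42 is hypothetical.

// Slide 17 settings applied at runtime (must happen before session_start()).
// use_only_cookies makes PHP ignore ids in the URL; use_strict_mode rejects
// ids the server never issued. session.referer_check is a further option.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.use_strict_mode', '1');

session_name('myapp');
session_start();

// A fixation attempt typically arrives as an id in the query string. With
// use_only_cookies=1 it is ignored, but logging it helps detection.
if (isset($_GET[session_name()])) {
    error_log('session id supplied in URL from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
}

// On successful authentication replace whatever id the client arrived with,
// so an id planted beforehand does not inherit the logged-in state.
function authenticate(int $user_id): void
{
    session_regenerate_id(true);   // true = discard the old session data
    $_SESSION['user_id'] = $user_id;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Slide 9: bind the session to a non-IP attribute, since the client IP changes
// behind proxies. The user agent is a weak check on its own, but costs nothing.
function session_is_consistent(): bool
{
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return isset($_SESSION['ua_hash']) && hash_equals($_SESSION['ua_hash'], $ua);
}

if (!isset($_SESSION['user_id'])) {
    authenticate(42);   // hypothetical: id from the app's own credential check
} elseif (!session_is_consistent()) {
    session_unset();
    session_destroy();
    exit("session rejected\n");
}
echo 'user ', (int) $_SESSION['user_id'], "\n";
```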
