PHP Code Auditing

pleasantroll, Security

16 Feb 2014 (3 years and 10 months ago)


©2009 Justin C. Klein Keane

PHP Code Auditing

Session 7: Sessions and Cookies

Justin C. Klein Keane

jukeane@sas.upenn.edu


PHP Session

Session used to track data across page requests

Used to end-run the stateless nature of the web

Sessions tracked by an id

ID is stored server side according to the php.ini settings

ID is stored client side as a cookie or URL parameter


Starting a Session

Initializing a session:

<?php
session_start();   // must be called before any output is sent
...


Session Variables Preserved

Session variable values are saved on the server
and tied to each session id

Session variables are preserved across page
requests

Information like user account data, shopping
carts, etc. is typically stored in session


Using Session Variables

$_SESSION is a superglobal variable

http://us3.php.net/manual/en/language.variables.superglobals.php

Variables in the $_SESSION array are set and read
in the same way as other superglobals


<?php
$_SESSION['user_id'] = $user_id;
echo $_SESSION['user_id'];
....


Session Collision

Sessions should be named per application

PHPSESSID is shared across a domain, so
applications on that domain can share sessions

This can lead to unintended single sign-on, or

This can lead to unauthenticated access

Example...


Naming a Session

<?php
session_name('myapp');   // call before session_start()
session_start();

Ensures a unique session per application


Terminating a Session

Tearing down a session

<?php
session_destroy();   // the session must already have been started
....

Unset any sensitive variables

<?php
unset($var);


Dangers of Session

Session IDs allow the holder to "adopt" the
session

Be wary of restricting session to IP

Proxy and other problems

Using multiple cookie values can add
"uniqueness" to sessions


Session Leaking

Session ids are stored on the filesystem

Session ids in URLs can be leaked through
referer data

Session ids in URLs can also get copied and
pasted, and end up in log files

Session ids are also found in cookies


Cookies

Cookies are nothing more than small text files

Cookies can be set by any site if the browser
accepts them


Setting Cookies

<?php
setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
?>

Note that expiry is actually controlled by the
browser, which may or may not actually stop
using the cookie at the set time

There is no native server side tracking of cookie
expiry


Cookie Location

Domain and path determine requests for which
the cookie will be submitted

Cookies set to an HTTP domain will not be sent
to an HTTPS domain, and vice versa


Cookie Security

Setting a cookie to secure indicates that the
cookie will only be sent via HTTPS

This means the cookie will only be submitted with
HTTPS requests

Be careful: you can set a cookie like this over HTTP!


Cookie Security (cont.)


Setting the cookie to httponly is a VERY good
idea in most circumstances

Only available as of PHP 5.2

Limits cookie access to HTTP only; JavaScript cannot
access the cookie

This helps prevent cookie theft through XSS attacks

Unfortunately the browser must support the behavior


Accessing Cookies

Can be accessed via multiple superglobals:

<?php
echo $_COOKIE['foo'];
print_r($_SERVER['HTTP_COOKIE']);   // raw Cookie request header
...


Sessions and Cookies

Session cookies can be configured in php.ini

Some relevant settings include:

session.cookie_secure

session.cookie_httponly

session.referer_check


Session Security

Session fixation

Flaw in application logic that allows a user's session id
to be set from outside the application

Especially dangerous when session ids are passed in GET

Attacker can set cookies for another domain

Session predictability
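The following is an added example, not code from the original slides, that pulls together the session fixation point above with the Naming a Session, Cookie Security and Terminating a Session slides: a per-application session name, cookie-only session ids with the secure and httponly flags, id regeneration at login, and a full teardown. The application name 'myapp' and the $_SERVER['HTTPS'] check (which assumes PHP terminates TLS itself rather than sitting behind a proxy) are assumptions for illustration.

```php
<?php
// Added example (not from the original slides): hardened session
// bootstrap, login handling and teardown for a hypothetical app "myapp".
declare(strict_types=1);

function secure_session_start(): void
{
    // Per-application name avoids PHPSESSID collisions across apps on
    // the same domain.
    session_name('myapp');

    // Accept the session id from the cookie only, never from the URL,
    // so ids cannot leak via referers/logs or be planted through GET.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // The secure flag is meaningless if this page is itself served over
    // HTTP, so refuse to start in that case (assumes no TLS proxy).
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        throw new RuntimeException('Session requires HTTPS');
    }
    // lifetime 0 = session cookie; secure = true; httponly = true
    session_set_cookie_params(0, '/', '', true, true);

    session_start();
}

// Call after successful authentication. Issuing a fresh id discards any
// id an attacker planted before login, which is what defeats fixation.
function on_login(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Full teardown: clear server-side data, expire the client cookie, then
// destroy the session. unset() of individual keys alone leaves the
// session record and the cookie in place.
function secure_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'],
        $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```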