PHP Code Auditing


16 Feb. 2014 (5 years and 1 month ago)

©2009 Justin C. Klein Keane

Session 7: Sessions and Cookies

Justin C. Klein Keane

PHP Session

Sessions are used to track data across page requests

Used to work around the stateless nature of HTTP

Sessions are tracked by an id

The session data is stored server side, where php.ini directs it (session.save_path)

The id is held client side, as a cookie or a URL parameter

Starting a Session

Initializing a session:




Session Variables Preserved

Session variable values are saved on the server
and tied to each session id

Session variables are preserved across page requests
Information like user account data, shopping
carts, etc. is typically stored in session

Using Session Variables

$_SESSION is a superglobal variable

Variables in the $_SESSION array are set and read
in the same way as other superglobals:


$_SESSION['user_id'] = $user_id;

echo $_SESSION['user_id'];


Session Collision

Sessions should be named per application

The default name is PHPSESSID, and cookies are shared
across a domain, so applications on the same host
end up sharing one session

This can act as an unintended single sign-on, or

This can lead to unauthenticated access (one application
trusts a session variable that another one set)


Naming a Session




Ensures each application gets its own session cookie and its own server side data
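As an added example serving both the Starting a Session and the Naming a Session slides (this is not code from the original deck): each application on a host calls session_name() with its own name before session_start(), so its id cookie is not PHPSESSID and is not shared with neighbouring applications. It assumes PHP 7.3 or later (session_start() options array with cookie_samesite); the application name 'acme_portal' and the path '/portal/' are placeholder values.

```php
<?php
// Added example, not code from the original slides. Starts a session under an
// application-specific name so two apps on one host do not both use PHPSESSID.
// Assumes PHP 7.3+ (options array with cookie_samesite). 'acme_portal' and
// '/portal/' are placeholder values.
declare(strict_types=1);

function start_app_session(string $app, string $path): void
{
    // PHP only rejects an empty or all-digit session name; this check is
    // stricter so the name is also a safe cookie name.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $app)) {
        throw new InvalidArgumentException("invalid session name: $app");
    }
    // session_name() has no effect once a session is active.
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new LogicException('session_name() must run before session_start()');
    }
    session_name($app . '_sid');           // cookie is acme_portal_sid, not PHPSESSID

    session_start([
        'cookie_path'      => $path,       // only sent for this app's URLs
        'cookie_httponly'  => true,        // not readable from JavaScript
        'cookie_secure'    => true,        // HTTPS only (breaks on a plain-HTTP dev server)
        'cookie_samesite'  => 'Lax',
        'use_only_cookies' => 1,           // never read the id from the URL
        'use_strict_mode'  => 1,           // reject ids this server did not generate
    ]);
}

start_app_session('acme_portal', '/portal/');
$_SESSION['user_id'] = 42;                 // stored server side, keyed by this app's id
header('Content-Type: text/plain');
echo 'session cookie name: ', session_name(), "\n";
```

A second application on the same host would call start_app_session('acme_admin', '/admin/') and get a separate cookie and separate server-side data, so a variable one application sets is never visible to the other.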

Terminating a Session

Tearing down a session




Unset any sensitive variables
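The teardown described on this slide, as an added example rather than code from the original deck. The three steps matter in this order: clear the data, expire the cookie in the browser, then destroy the server-side record. It assumes PHP 7.3 or later (array form of setcookie(), samesite key in session_get_cookie_params()).

```php
<?php
// Added example, not code from the original slides: a complete logout.
// Assumes PHP 7.3+ (array form of setcookie; samesite key in
// session_get_cookie_params()).
declare(strict_types=1);

function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                    // the session must be active to destroy it
    }

    // 1. Drop every variable, not only the ones remembered as sensitive.
    $_SESSION = [];

    // 2. Expire the id cookie in the browser. session_destroy() alone leaves
    //    the cookie in place, and the browser keeps sending the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        $opts = [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ];
        if (!empty($p['samesite'])) {
            $opts['samesite'] = $p['samesite'];
        }
        setcookie(session_name(), '', $opts);
    }

    // 3. Delete the server-side record (the file in session.save_path, or the
    //    custom save handler's row). Data under the old id is gone.
    session_destroy();
}

end_session();
header('Location: /login');
```

The cookie is expired with the same path, domain and flags it was issued with; a setcookie() call with different attributes creates a second cookie instead of replacing the original.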



Dangers of Session


Be wary of restricting a session to the client IP address

Proxies, NAT and mobile clients change addresses mid-session, so
legitimate users get logged out, while an attacker behind the same
proxy is not stopped

Using multiple cookie values can add

Session Leaking

Session data is stored on the server filesystem by default, keyed by
session id, so the save path must not be readable by other users or
other sites on the host

Session ids in URLs can be leaked through
referer data

Session ids in URLs can also get copied and
pasted, and end up in log files

Session ids carried in cookies avoid these URL leaks, but the cookie
itself can still be read by script or sent over plain HTTP (see the
httponly and secure flags)

Cookies

Cookies are small pieces of text that the browser stores and sends
back with later requests to the site that set them

Cookies can be set by any site if the browser
accepts them

Setting Cookies


setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);


Note that expiry is enforced by the browser, which may or
may not actually stop sending the cookie at the set time

There is no native server side tracking of a cookie's expiry;
if the server must enforce it, it has to record the deadline itself

Cookie Location

Domain and path determine the requests with which
the cookie will be submitted

The scheme is not part of that scope: a cookie set over HTTP
is also sent to HTTPS pages on the same domain and path, and
a cookie set over HTTPS is also sent over plain HTTP unless it
is flagged secure

Cookie Security

Setting a cookie to secure tells the browser to send it
only with HTTPS requests

Be careful: the flag only controls when the browser sends
the cookie back, not how it was set

Historically a response delivered over plain HTTP could set a
secure cookie, so the flag by itself does not prove the value
came from the real server

Cookie Security (cont.)

Setting the cookie to httponly is a VERY good
idea in most circumstances

Only available in PHP 5.2 and later

Limits the cookie to HTTP transport: JavaScript (document.cookie)
cannot read it

This blocks cookie theft through XSS; it does not prevent the XSS
itself, and injected script can still send requests that carry
the cookie

Unfortunately the browser must support the behavior
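An added example (not code from the original deck) that ties the Setting Cookies, Cookie Location and Cookie Security slides together: a long-lived cookie issued with the secure and httponly flags, whose lifetime is also recorded server side because the expires attribute is only a request to the browser. It assumes PHP 7.3 or later (array form of setcookie()); $store is an in-memory stand-in for a database table of token hashes, and the cookie name 'remember' is a placeholder.

```php
<?php
// Added example, not code from the original slides. Sets a long-lived cookie
// with the Secure and HttpOnly flags and keeps a server-side expiry record,
// because the expires attribute is only advisory to the browser. Assumes
// PHP 7.3+ (array form of setcookie). $store is an in-memory stand-in for a
// database table of token hashes; the cookie name 'remember' is a placeholder.
declare(strict_types=1);

const TOKEN_TTL = 14 * 24 * 3600;          // 14 days, enforced server side

function issue_token(array &$store, int $now): string
{
    $token = bin2hex(random_bytes(32));    // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = $now + TOKEN_TTL;   // never store the raw token

    setcookie('remember', $token, [
        'expires'  => $now + TOKEN_TTL,    // advisory only; the browser may keep it longer
        'path'     => '/',                 // domain defaults to the responding host
        'secure'   => true,                // browser sends it over HTTPS only
        'httponly' => true,                // document.cookie cannot read it
        'samesite' => 'Lax',
    ]);
    return $token;
}

function token_is_valid(array &$store, string $token, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return false;                      // unknown, or revoked with revoke_token()
    }
    if ($store[$key] < $now) {             // server-side expiry wins over the browser's
        unset($store[$key]);
        return false;
    }
    return true;
}

function revoke_token(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]); // the cookie may still sit in the browser, but it is dead
}

// Demonstration with constructed values (no real request involved):
$store = [];
$now   = 1000000;
$t     = issue_token($store, $now);
var_dump(token_is_valid($store, $t, $now + 60));             // still inside the TTL
var_dump(token_is_valid($store, $t, $now + TOKEN_TTL + 1));  // past the server-side deadline
var_dump(token_is_valid($store, 'never-issued', $now));      // not in the store
```

Because validity lives in $store, the server can cut a token off early (revoke_token(), a password change, a forced logout) regardless of what the browser does with the cookie's expires attribute.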

Accessing Cookies

Can be accessed via multiple superglobals ($_COOKIE, and also
$_REQUEST when request_order includes C), so check which one the
code actually reads:


echo $_COOKIE['foo'];



Sessions and Cookies

Session cookies can be configured in php.ini

Some relevant settings include:
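As an added example, not the original slide's own list, the session directives an audit should look for in php.ini, each with the hardened value. The use_only_cookies and use_trans_sid lines also address the URL leaks from the Session Leaking slide; the PHP version notes are assumptions about when each directive became available.

```ini
; Added example, not the original slide's list: session-related php.ini
; directives worth checking, with the hardened value for each.
session.use_cookies        = 1       ; carry the id in a cookie ...
session.use_only_cookies   = 1       ; ... and never accept it from the URL
session.use_trans_sid      = 0       ; do not rewrite links to append the id (leaks via Referer and logs)
session.use_strict_mode    = 1       ; reject ids the server did not issue (PHP 5.5.2+); blunts fixation
session.cookie_httponly    = 1       ; session cookie not readable from JavaScript
session.cookie_secure      = 1       ; session cookie only sent over HTTPS
session.cookie_samesite    = "Lax"   ; PHP 7.3+
session.name               = "PHPSESSID" ; change per application, or call session_name() in code
session.cookie_lifetime    = 0       ; 0 = cookie lasts until the browser closes
session.gc_maxlifetime     = 1440    ; seconds of inactivity before server-side data is collectable
session.save_path          = "/var/lib/php/sessions" ; placeholder path; must not be readable by other users
session.sid_length         = 48      ; PHP 7.1+: longer ids, harder to guess
session.sid_bits_per_character = 6   ; PHP 7.1+
```

Any of these can be overridden by ini_set() or by the session_start() options array in code, so the audit has to cover both the configuration and every place the application changes it.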




Session Security

Session fixation

Flaw in application logic that allows a user's session id to be
chosen by the client, and to stay the same after login

Especially dangerous when session ids are accepted in GET
parameters: the attacker only has to get the victim to follow a link

An attacker who can set cookies for the domain (from a sibling
host, or through an XSS) can plant the id even when it is carried
in a cookie
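The fixation flaw written out beside its fix, as an added example and not code from the original deck. The vulnerable login takes the id from the URL and keeps it across authentication; the hardened one reads the id only from the cookie, refuses ids the server did not issue, and regenerates the id at the privilege change. It assumes PHP 7.0 or later; check_credentials() and the example.test link are placeholders.

```php
<?php
// Added example, not code from the original slides: the same login written
// with and without a session fixation flaw. Assumes PHP 7.0+. check_credentials()
// is a placeholder for the application's own check.
declare(strict_types=1);

function check_credentials(string $user, string $pass): bool
{
    // placeholder only; real code compares with password_verify() against a stored hash
    return $user === 'alice' && $pass === 'correct horse battery staple';
}

// VULNERABLE: the client picks the session id, and it survives authentication.
// Attack: send the victim http://example.test/login.php?sid=VALUEKNOWNTOATTACKER
// (placeholder link); once the victim logs in, the attacker's own cookie
// carrying that id is logged in too.
function login_vulnerable(string $user, string $pass): void
{
    if (isset($_GET['sid'])) {
        session_id($_GET['sid']);          // id taken from the URL; this bypasses strict mode
    }
    session_start();
    if (check_credentials($user, $pass)) {
        $_SESSION['user_id'] = $user;      // same id before and after login
    }
}

// HARDENED: id comes only from the cookie, unknown ids are refused, and the
// id is replaced when the session gains privileges.
function login_hardened(string $user, string $pass): bool
{
    ini_set('session.use_only_cookies', '1');   // never read the id from GET/POST
    ini_set('session.use_strict_mode', '1');    // ids the server did not issue are discarded
    session_start();

    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);           // fresh id; old server-side record deleted
    $_SESSION['user_id']    = $user;       // anything planted before login no longer maps here
    $_SESSION['login_time'] = time();
    return true;
}
```

The audit point is the pair of calls: any session_id() fed from request data is a fixation hole, and a login path without session_regenerate_id() after a successful check keeps whatever id the client arrived with.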

Session predictability