[FX.php List] PHP Session ID isn't restricted to HTTPS connections
Jonathan Schwartz
jschwartz at exit445.com
Wed Sep 15 11:30:32 MDT 2010
Thanks Gareth and Leo.
I think that that is it. If someone were to edit the URL and drop the
"S", the system would still work.
Is that a realistic security risk...planning for an end user editing
the URL and compromising their own session? Or, is there more to it
than that?
Also, I tried two sites: Apple and Amazon. Apple didn't mind the "S"
removal. Amazon flipped it back to https automatically. Not a very
exhaustive study. ;-)
Will implement shortly.
Thanks again.
Jonathan
>You could also set up the host in the web server configuration so
>that it forces HTTPS. That way it's centrally maintained (instead of
>in a bunch of PHP files) and there's not much risk that you forget
>about it in a specific page.
>
>
>15 sep 2010 kl. 18.50 skrev Gareth Evans:
>
>>I'd hazard a guess that he means if you drop the S from the HTTPS
>>the session is retained, i.e. user enters the form via https, php
>>session is initialized, user can drop the S and still fill out the
>>form "unsecured".
>>
>>If the form is supposed to be only used over https you should add a
>>check for that at the top of the page if you haven't already.
>>Something like the following should do the trick.
>>
>>if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
>>    // Send the browser to the same URL over HTTPS and stop rendering the page
>>    header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
>>    exit;
>>}
>>--
>>GARETH EVANS
>>
>>
>>> From: Jonathan Schwartz <jschwartz at exit445.com>
>>> Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
>>> Date: Wed, 15 Sep 2010 09:18:05 -0700
>>> To: <fx.php_list at mail.iviking.org>
>>> Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS connections
>>>
>>> Hi Folks,
>>>
>>> Putting our security hat on now....
>>>
>>> "PHP Session ID isn't restricted to HTTPS connections"
>>>
>>> I received this feedback from an individual regarding a secure web
>>> form. I'm not really sure what it is referring to.
>>>
>>> Any help?
>>>
>>> Jonathan
>>> --
>>> Jonathan Schwartz
>>> Exit 445 Group
>>> jonathan at exit445.com
>>> http://www.exit445.com
>>> 415-370-5011
>>> _______________________________________________
>>> FX.php_List mailing list
>>> FX.php_List at mail.iviking.org
>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>
>>
>
>
>
>-|
>
>
--
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011
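The thread leaves two separate controls on the table: Gareth's redirect keeps the form page itself off plain HTTP, while the finding in the subject line ("PHP Session ID isn't restricted to HTTPS connections") is about the session cookie, which the browser will happily send over http:// unless it carries the Secure flag. The following is an added example written for this page, not code from the list thread or from FX.php. It assumes a conventional Apache/PHP setup where the server populates $_SERVER['HTTPS'] and $_SERVER['HTTP_HOST']; the function names are my own.

```php
<?php
// Added example (not from the list thread or FX.php): redirect plaintext
// requests to HTTPS, then start a session whose cookie can only ever be
// sent back over HTTPS, so dropping the "s" from the URL no longer exposes
// the session ID on the wire.

// True when the current request arrived over TLS. Same idea as the check in
// the thread, plus the 'off' value some servers (notably IIS) place in
// $_SERVER['HTTPS'] on plain-HTTP requests, which a plain isset() would miss.
function request_is_https()
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Bounce a plaintext request to the same host and path over HTTPS and stop
// the script, so neither the form HTML nor a Set-Cookie header goes out
// unencrypted. Assumes HTTP_HOST is the site's own hostname (see note below).
function require_https()
{
    if (request_is_https()) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 302);
    exit;
}

// Start the session with the cookie marked Secure (sent over HTTPS only) and
// HttpOnly (not readable by page scripts), and refuse session IDs passed in
// the URL. These are the same switches as session.cookie_secure,
// session.cookie_httponly and session.use_only_cookies in php.ini; setting
// them here just keeps the policy next to the code that depends on it.
function start_https_only_session()
{
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Order matters: decide on the redirect before any session cookie is issued.
require_https();
start_https_only_session();
```

Two notes on the design. First, the Secure flag is what actually answers the original feedback: once it is set, a browser that lands on the http:// version of a page (by a user editing the URL, or by any other route) simply does not send the session cookie, so there is no session to retain over plaintext; the redirect then only has to get the user back to https://. Second, the redirect builds its target from $_SERVER['HTTP_HOST'], exactly as the snippet in the thread does; if the virtual host answers for arbitrary Host headers, take the hostname from configuration instead so the Location header cannot be pointed at another site. Leo's point stands as well: forcing HTTPS in the web server configuration (and setting the session cookie flags in php.ini) covers every page at once, whereas the per-file version above is easy to forget on a new page.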