[FX.php List] PHP Session ID isn't restricted to HTTPS connections

Gjermund Gusland Thorsen ggt667 at gmail.com
Sun Sep 19 11:56:11 MDT 2010


For http://site.com

you put only index.php
---
<?php
// Send the browser to the HTTPS site and stop; without exit the rest of
// the script (if any) would still run and be served over plain HTTP.
header( "Location: https://site.com" );
exit;
?>
---

For https://site.com you put your entire site.

ggt

2010/9/15 Leo R. Lundgren <leo at finalresort.org>:
>
> On 15 Sep 2010 at 19:30, Jonathan Schwartz wrote:
>
> I think that that is it. If someone were to edit the URL and drop the "S",
> the system would still work.
> Is that a realistic security risk...planning for an end user editing the URL
> and compromising their own session? Or, is there more to it than that?
>
> I'd be more worried that someone else compromises the user's session than
> the user himself. Whether this is likely or not depends on the level of threat
> that the client is facing. A company with some important (and known)
> information is more likely to experience directed attacks than an anonymous
> company, for example.
> In any case, building systems that are secure to some basic level is IMO the
> given choice. Why build an insecure system when there isn't that much work
> to take care of the basic types of vulnerabilities?
>
> You could also set up the host in the web server configuration so that it
> forces HTTPS. That way it's centrally maintained (instead of in a bunch of
> PHP files) and there's not much risk that you forget about it in a specific
> page.
>
> On 15 Sep 2010 at 18:50, Gareth Evans wrote:
>
> I'd hazard a guess that he means if you drop the S from the HTTPS the
> session is retained, i.e. user enters the form via https, php session is
> initialized, user can drop the S and still fill out the form "unsecured".
>
> If the form is supposed to be only used over https you should add a check
> for that at the top of the page if you haven't already. Something like the
> following should do the trick.
>
> // Force HTTPS: $_SERVER['HTTPS'] is unset on a plain-HTTP request ("off" on IIS).
> if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
>    header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
>    exit; // stop here; otherwise the rest of the page is still sent over HTTP
> }
> --
> GARETH EVANS
>
>
>> From: Jonathan Schwartz <jschwartz at exit445.com>
>> Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
>> Date: Wed, 15 Sep 2010 09:18:05 -0700
>> To: <fx.php_list at mail.iviking.org>
>> Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS
>> connections
>>
>> Hi Folks,
>>
>> Putting our security hat on now....
>>
>> "PHP Session ID isn't restricted to HTTPS connections"
>>
>> I received this feedback from an individual regarding a secure web
>> form.  I'm not really sure what it is referring to.
>>
>> Any help?
>
>
> -|
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
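Editor's note on the subject line: a finding worded "PHP Session ID isn't restricted to HTTPS connections" most likely means the PHPSESSID cookie is issued without the Secure attribute, so the browser also sends it over http:// (which is why the session survives dropping the "s", as Gareth describes). The block below is an added example by the editor, not code from the list or from the FX.php project. It combines the HTTPS check discussed in the thread (with the exit it needs and without echoing an attacker-controlled Host header into the redirect) with a session cookie marked Secure and HttpOnly. The function names, the host allow-list and the `secure_id_issued` session key are this example's own assumptions.

```php
<?php
// Added example (editor's own, not from the FX.php list or the FX.php project).
// Two fixes for "PHP Session ID isn't restricted to HTTPS connections":
//   1. refuse to serve the page over plain HTTP (redirect and stop), and
//   2. mark the session cookie Secure (and HttpOnly) so the browser will not
//      send PHPSESSID over http:// even if the user drops the "s" from the URL.
// Function names and the host list below are this example's own assumptions.

/**
 * True when the current request arrived over TLS.
 * $_SERVER['HTTPS'] is a non-empty value such as "on" or "1" on a TLS request,
 * "off" on IIS for plain HTTP, and absent on plain HTTP elsewhere. Behind a
 * TLS-terminating reverse proxy it is never set; X-Forwarded-Proto can then be
 * consulted, but only if the proxy overwrites that header on every request
 * (otherwise any client can send "X-Forwarded-Proto: https" and skip the check).
 */
function request_is_https(array $server, $trust_forwarded_proto = false)
{
    if (isset($server['HTTPS']) && $server['HTTPS'] !== '' && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trust_forwarded_proto && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Redirect a plain-HTTP request to the same URL on HTTPS, then stop.
 * The redirect host is checked against an allow-list instead of being copied
 * from the Host header: HTTP_HOST is client-controlled, and echoing it into a
 * Location header turns the redirect into an open redirect.
 */
function require_https(array $server, array $allowed_hosts, $trust_forwarded_proto = false)
{
    if (request_is_https($server, $trust_forwarded_proto)) {
        return;
    }
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    if (!in_array($host, $allowed_hosts, true)) {
        $host = $allowed_hosts[0];               // fall back to the canonical host
    }
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    header('Location: https://' . $host . $uri, true, 301);
    exit;   // without exit, the rest of the page would still be sent over HTTP
}

require_https($_SERVER, array('site.com', 'www.site.com'));   // hypothetical hosts

// We are now on TLS, so start the session with a cookie the browser will only
// send back over HTTPS (secure) and that page scripts cannot read (httponly).
// These must be set before session_start(); the same settings can live in
// php.ini as session.cookie_secure=1 and session.cookie_httponly=1.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');   // never accept PHPSESSID from the URL
session_start();

// A session first created over plain HTTP may already have had its ID observed
// on the wire; issue a fresh ID once, now that we are on HTTPS.
if (empty($_SESSION['secure_id_issued'])) {
    session_regenerate_id(true);
    $_SESSION['secure_id_issued'] = true;
}
```

If the site sits behind a TLS-terminating proxy, pass `true` as the third argument of `require_https` only after confirming the proxy overwrites X-Forwarded-Proto. The redirect itself can also be done once in the web server, as Leo suggests: in Apache, `Redirect permanent / https://site.com/` inside the port-80 VirtualHost does it and leaves no individual page to forget. The cookie flags are still needed in either case, since they are what stops the browser from sending the session ID over http:// in the first place.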
