[FX.php List] PHP Session ID isn't restricted to HTTPS connections

Leo R. Lundgren leo at finalresort.org
Tue Sep 21 15:47:38 MDT 2010


Err, I meant, "you have two virtual hosts per domain, right?" (for the domains where you support HTTPS and have an entry point via HTTP as well, that you want to redirect to HTTPS).


21 sep 2010 kl. 23.38 skrev Leo R. Lundgren:

> You have a virtual host per domain, right? One for HTTP and one for HTTPS.
> 
> If we assume that, and that you are running Apache HTTPD, you can place the following inside the vhost for HTTP:
> 
> 	<IfModule mod_alias.c>
> 		Redirect permanent "/" "https://site.com/"
> 	</IfModule>
> 
> This will make sure that all requests to this vhost are directed to the specified HTTPS address. And yes, it works with filenames in the original URI, so for example http://site.com/oh-my-filename.php will redirect the browser to https://site.com/oh-my-filename.php and not just http://site.com/.
> 
> So in short, make the HTTP vhost redirect to the HTTPS one.
> 
> 
> 21 sep 2010 kl. 20.15 skrev Gjermund Gusland Thorsen:
> 
>> For all domains? How would you do that per domain?
>> 
>> 2010/9/19 Leo R. Lundgren <leo at finalresort.org>:
>>> This is flawed in a number of ways. It's better to force HTTPS in the web server configuration.
>>> 
>>> 
>>> 19 sep 2010 kl. 19.56 skrev Gjermund Gusland Thorsen:
>>> 
>>>> For http://site.com
>>>> 
>>>> you put only index.php
>>>> ---
>>>> <?php
>>>> header( "Location: https://site.com" );
>>>> ?>
>>>> ---
>>>> 
>>>> For https://site.com you put your entire site.
>>>> 
>>>> ggt
>>>> 
>>>> 2010/9/15 Leo R. Lundgren <leo at finalresort.org>:
>>>>> 
>>>>> 15 sep 2010 kl. 19.30 skrev Jonathan Schwartz:
>>>>> 
>>>>> I think that that is it. If someone were to edit the URL and drop the "S",
>>>>> the system would still work.
>>>>> Is that a realistic security risk...planning for an end user editing the URL
>>>>> and compromising their own session? Or, is there more to it than that?
>>>>> 
>>>>> I'd be more worried that someone else compromise the users session, than the
>>>>> user himself. Whether this is likely or not depends on the level of threat
>>>>> that the client is facing. A company with some important (and known)
>>>>> information is more likely to experience directed attacks than an anonymous
>>>>> company, for example.
>>>>> In any case, building systems that are secure to some basic level is IMO the
>>>>> given choice. Why build an insecure system when there isn't that much work
>>>>> to take care of the basic types of vulnerabilities.
>>>>> 
>>>>> You could also set up the host in the web server configuration so that it
>>>>> forces HTTPS. That way it's centrally maintained (instead of in a bunch of
>>>>> PHP files) and there's not much risk that you forget about it in a specific
>>>>> page.
>>>>> 
>>>>> 15 sep 2010 kl. 18.50 skrev Gareth Evans:
>>>>> 
>>>>> I'd hazard a guess that he means if you drop the S from the HTTPS the
>>>>> session is retained, i.e. user enters the form via https, php session is
>>>>> initialized, user can drop the S and still fill out the form "unsecured".
>>>>> 
>>>>> If the form is supposed to be only used over https you should add a check
>>>>> for that at the top of the page if you haven't already. Something like the
>>>>> following should do the trick.
>>>>> 
>>>>> if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
>>>>>   header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
>>>>>   exit; // header() does not stop the script; without this the page is still served over HTTP
>>>>> }
>>>>> --
>>>>> GARETH EVANS
>>>>> 
>>>>> 
>>>>>> From: Jonathan Schwartz <jschwartz at exit445.com>
>>>>>> Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
>>>>>> Date: Wed, 15 Sep 2010 09:18:05 -0700
>>>>>> To: <fx.php_list at mail.iviking.org>
>>>>>> Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS
>>>>>> connections
>>>>>> 
>>>>>> Hi Folks,
>>>>>> 
>>>>>> Putting our security hat on now....
>>>>>> 
>>>>>> "PHP Session ID isn't restricted to HTTPS connections"
>>>>>> 
>>>>>> I received this feedback from an individual regarding a secure web
>>>>>> form.  I'm not really sure what it is referring to.
>>>>>> 
>>>>>> Any help?
>>>>> 
>>>>> 
>>>>> -|
>>>>> 
>>>>> _______________________________________________
>>>>> FX.php_List mailing list
>>>>> FX.php_List at mail.iviking.org
>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>>> 
>>>>> 
>>> 
>>> 
>>> 
>>> -|
>>> 
>>> 
> 
> 
> 
> -|
> 



-|
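As an added example (not code posted by anyone in this thread), the PHP-side version of what Gareth and Leo describe, combined with the setting the subject line is actually about: marking the session cookie Secure so the session ID is never sent over plain HTTP even when the "s" is dropped. It assumes the host name `site.com` from the thread and a helper `request_is_https()` of my own naming; include it at the top of every page, or once via `auto_prepend_file`, so the check is central rather than repeated by hand.

```php
<?php
// Added example for this thread, not code from any list member.
// Assumption: the canonical host is the site.com used in the thread. Using a
// fixed host (rather than $_SERVER['HTTP_HOST']) keeps a client-supplied Host
// header out of the redirect target.
$canonicalHost = 'site.com';

// Detect HTTPS the way Gareth's snippet does, but also treat servers that set
// the variable to "off" (e.g. IIS) as plain HTTP rather than as secure.
function request_is_https(): bool
{
    return isset($_SERVER['HTTPS'])
        && $_SERVER['HTTPS'] !== ''
        && strtolower($_SERVER['HTTPS']) !== 'off';
}

if (!request_is_https()) {
    // Permanent redirect to the same path on HTTPS. The exit is essential:
    // header() does not stop execution, so without it the rest of the page,
    // including any form processing, would still run over plain HTTP.
    header('Location: https://' . $canonicalHost . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// The point of the original report: with cookie_secure the browser will not
// send the session ID cookie on an http:// request at all, so a downgraded
// link or typo cannot expose it. HttpOnly keeps it away from page script, and
// use_only_cookies stops PHP from accepting a session ID from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();
```

The same three cookie settings can be put in php.ini or the vhost (`php_value session.cookie_secure 1`) instead, which matches Leo's preference for keeping the policy in server configuration rather than in each script.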


