[FX.php List] PHP Session ID isn't restricted to HTTPS connections

Leo R. Lundgren leo at finalresort.org
Wed Sep 15 12:44:52 MDT 2010


On 15 Sep 2010 at 19:30, Jonathan Schwartz wrote:

> I think that that is it. If someone were to edit the URL and drop the "S",  the system would still work.
> Is that a realistic security risk...planning for an end user editing the URL and compromising their own session? Or, is there more to it than that?

I'd be more worried that someone else compromises the user's session than the user himself. Whether this is likely or not depends on the level of threat that the client is facing. A company with some important (and known) information is more likely to experience directed attacks than an anonymous company, for example.

In any case, building systems that are secure to some basic level is IMO the given choice. Why build an insecure system when there isn't that much work to take care of the basic types of vulnerabilities?

>> You could also set up the host in the web server configuration so that it forces HTTPS. That way it's centrally maintained (instead of in a bunch of PHP files) and there's not much risk that you forget about it in a specific page.
>> 
>> 
>> On 15 Sep 2010 at 18:50, Gareth Evans wrote:
>> 
>>> I'd hazard a guess that he means if you drop the S from the HTTPS the session is retained, ie. User enters the form via https, php session is initialized, user can drop the S and still fill out the form "unsecured".
>>> 
>>> If the form is supposed to be only used over https you should add a check for that at the top of the page if you haven't already. Something like the following should do the trick.
>>> 
>>> if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
>>>    header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
>>>    exit; // stop here, otherwise the rest of the page is still sent over plain HTTP
>>> }
>>> --
>>> GARETH EVANS
>>> 
>>> 
>>> > From: Jonathan Schwartz <jschwartz at exit445.com>
>>> > Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
>>> > Date: Wed, 15 Sep 2010 09:18:05 -0700
>>> > To: <fx.php_list at mail.iviking.org>
>>> > Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS connections
>>> >
>>> > Hi Folks,
>>> >
>>> > Putting our security hat on now....
>>> >
>>> > "PHP Session ID isn't restricted to HTTPS connections"
>>> >
>>> > I received this feedback from an individual regarding a secure web
>>> > form.  I'm not really sure what it is referring to.
>>> >
>>> > Any help?



-|
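The two fixes discussed in this thread, put together in one page prologue. This is an added example, not code from the original posts, from FX.php or from any list member. It assumes a stock PHP install (5.2 or later, session extension enabled) in which PHP itself sees the TLS connection, so $_SERVER['HTTPS'] can be trusted; the function names is_https, require_https and start_secure_session are my own. The redirect part is Gareth's check with the exit that was missing; the session part is what the reported finding ("PHP Session ID isn't restricted to HTTPS connections") actually asks for: a Secure flag on the session cookie, so the browser never sends PHPSESSID over HTTP even if someone drops the "s" from the URL.

```php
<?php
// Added example, not code from the thread or from FX.php. Assumes a stock
// PHP setup (5.2+, session extension on) and that PHP terminates TLS itself,
// so $_SERVER['HTTPS'] reflects the real connection.

// Did this request arrive over HTTPS? Apache and nginx set HTTPS to "on";
// IIS sets it to "off" on plain requests, so test the value, not just isset().
function is_https()
{
    return isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Send the browser to the same URL over HTTPS and stop. Without the exit,
// PHP keeps running and the form is still written into the HTTP response.
function require_https()
{
    if (is_https()) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// Start the session with a cookie the browser will only send over HTTPS.
// This is the actual fix for the finding: even if a page is reachable over
// HTTP, the browser no longer attaches PHPSESSID to that request. The same
// settings can live in php.ini (session.cookie_secure etc.) instead.
function start_secure_session()
{
    ini_set('session.cookie_secure', '1');    // Secure flag: HTTPS only
    ini_set('session.cookie_httponly', '1');  // not readable from JavaScript
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();
}

require_https();
start_secure_session();

// ... the form follows here ...
```

To check it, request the page twice with curl (example.com is a placeholder): `curl -sI http://example.com/form.php` should answer 301 with a `Location: https://...` header, and `curl -sI https://example.com/form.php` should show a `Set-Cookie: PHPSESSID=...; secure; HttpOnly` header. If TLS is terminated on a load balancer in front of PHP, is_https() will always be false and you get a redirect loop; in that case is_https() has to consult the proxy's forwarded-protocol header, and it should do so only when the proxy is the sole way to reach the application, since a client can set that header too. Leo's point about doing the redirect in the web server configuration still stands; the cookie flags above are needed either way.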
