[FX.php List] PHP Session ID isn't restricted to HTTPS connections

Leo R. Lundgren leo at finalresort.org
Sun Sep 19 12:05:26 MDT 2010


This is flawed in a number of ways. It's better to force HTTPS in the web server configuration.


On 19 Sep 2010 at 19:56, Gjermund Gusland Thorsen wrote:

> For http://site.com
> 
> you put only index.php
> ---
> <?php
> header( "Location: https://site.com" );
> ?>
> ---
> 
> For https://site.com you put your entire site.
> 
> ggt
> 
> 2010/9/15 Leo R. Lundgren <leo at finalresort.org>:
>> 
>> On 15 Sep 2010 at 19:30, Jonathan Schwartz wrote:
>> 
>> I think that that is it. If someone were to edit the URL and drop the "S",
>> the system would still work.
>> Is that a realistic security risk...planning for an end user editing the URL
>> and compromising their own session? Or, is there more to it than that?
>> 
>> I'd be more worried that someone else compromise the users session, than the
>> user himself. Whether this is likely or not depends on the level of threat
>> that the client is facing. A company with some important (and known)
>> information is more likely to experience directed attacks than an anonymous
>> company, for example.
>> In any case, building systems that are secure to some basic level is IMO the
>> given choice. Why build an insecure system when there isn't that much work
>> to take care of the basic types of vulnerabilities?
>> 
>> You could also set up the host in the web server configuration so that it
>> forces HTTPS. That way it's centrally maintained (instead of in a bunch of
>> PHP files) and there's not much risk that you forget about it in a specific
>> page.
>> 
>> On 15 Sep 2010 at 18:50, Gareth Evans wrote:
>> 
>> I'd hazard a guess that he means if you drop the S from the HTTPS the
>> session is retained, ie. User enters the form via https, php session is
>> initialized, user can drop the S and still fill out the form "unsecured".
>> 
>> If the form is supposed to be only used over https you should add a check
>> for that at the top of the page if you haven't already. Something like the
>> following should do the trick.
>> 
>> <?php
>> if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
>>     header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
>>     exit; // stop here, otherwise the form is still rendered over plain HTTP
>> }
>> ?>
>> --
>> GARETH EVANS
>> 
>> 
>>> From: Jonathan Schwartz <jschwartz at exit445.com>
>>> Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
>>> Date: Wed, 15 Sep 2010 09:18:05 -0700
>>> To: <fx.php_list at mail.iviking.org>
>>> Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS
>>> connections
>>> 
>>> Hi Folks,
>>> 
>>> Putting our security hat on now....
>>> 
>>> "PHP Session ID isn't restricted to HTTPS connections"
>>> 
>>> I received this feedback from an individual regarding a secure web
>>> form.  I'm not really sure what it is referring to.
>>> 
>>> Any help?
>> 
>> 
>> -|
>> 
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>> 
>> 



-|
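The finding quoted at the top of the thread ("PHP Session ID isn't restricted to HTTPS connections") means the PHPSESSID cookie is set without the Secure flag, so a browser will send it along with any http:// request to the same host; a redirect alone does not fix that, because the cookie has already crossed the wire by the time the redirect is sent. The following is an added example, not code from the list or from FX.php, that combines the two fixes discussed in the thread: a redirect check at the top of the page and a session cookie the browser will only send over TLS. CANONICAL_HOST is an assumed value you would replace with your own hostname.

```php
<?php
// Added example, not code from the FX.php list thread. Include this at the top of
// every page that needs TLS (or via php.ini's auto_prepend_file), before
// session_start() and before any output. CANONICAL_HOST is an assumption.

define('CANONICAL_HOST', 'site.com');   // assumption: replace with your real hostname

// True when this request arrived over TLS. $_SERVER['HTTPS'] is "on" or "1" on
// most SAPIs, but some IIS builds set it to "off", so test the value, not just isset().
function request_is_https()
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Send plain-HTTP requests to the https:// copy of the same path, then stop.
// Uses CANONICAL_HOST instead of $_SERVER['HTTP_HOST']: the Host header is
// client-controlled, and echoing it into a Location header is an open redirect.
function require_https()
{
    if (request_is_https()) {
        return;
    }
    $target = 'https://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit; // without this the rest of the page would still be sent over http
}

// Start the session with a cookie the browser will only send over TLS.
// Without the Secure flag, PHPSESSID accompanies every http:// request too,
// which is exactly what the "not restricted to HTTPS" finding describes.
function start_https_only_session()
{
    // session_set_cookie_params(lifetime, path, domain, secure, httponly)
    session_set_cookie_params(0, '/', '', true, true);
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    session_start();
}

require_https();
start_https_only_session();
```

The cookie flags can equally be set once in php.ini (`session.cookie_secure = 1`, `session.cookie_httponly = 1`), and the redirect can live in the port-80 virtual host (for Apache, `Redirect permanent / https://site.com/`), which is the centrally maintained setup Leo recommends. To check the result, `curl -I http://site.com/form.php` should return a 301 to the https:// URL with no Set-Cookie header, and `curl -I https://site.com/form.php` should show a Set-Cookie line ending in `secure; HttpOnly`.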