[FX.php List] PHP Session ID isn't restricted to HTTPS connections

Gjermund Gusland Thorsen ggt667 at gmail.com
Tue Sep 21 12:15:08 MDT 2010


For all domains? How would you do that per domain?

2010/9/19 Leo R. Lundgren <leo at finalresort.org>:
> This is flawed in a number of ways. It's better to force HTTPS in the web server configuration.
>
>
> 19 sep 2010 kl. 19.56 skrev Gjermund Gusland Thorsen:
>
>> For http://site.com
>>
>> you put only index.php
>> ---
>> <?php
>> // Send every plain-HTTP request to the HTTPS site and stop here.
>> header( "Location: https://site.com" );
>> exit;
>> ?>
>> ---
>>
>> For https://site.com you put your entire site.
>>
>> ggt
>>
>> 2010/9/15 Leo R. Lundgren <leo at finalresort.org>:
>>>
>>> 15 sep 2010 kl. 19.30 skrev Jonathan Schwartz:
>>>
>>> I think that that is it. If someone were to edit the URL and drop the "S",
>>> the system would still work.
>>> Is that a realistic security risk...planning for an end user editing the URL
>>> and compromising their own session? Or, is there more to it than that?
>>>
>>> I'd be more worried that someone else compromise the users session, than the
>>> user himself. Whether this is likely or not depends on the level of threat
>>> that the client is facing. A company with some important (and known)
>>> information is more likely to experience directed attacks than an anonymous
>>> company, for example.
>>> In any case, building systems that are secure to some basic level is IMO the
>>> given choice. Why build an insecure system when there isn't that much work
>>> to take care of the basic types of vulnerabilities.
>>>
>>> You could also set up the host in the web server configuration so that it
>>> forces HTTPS. That way its centrally maintained (instead of in a bunch of
>>> PHP files) and there's not much risk that you forget about it in a specific
>>> page.
>>>
>>> 15 sep 2010 kl. 18.50 skrev Gareth Evans:
>>>
>>> I'd hazard a guess that he means if you drop the S from the HTTPS the
>>> session is retained, ie. User enters the form via https, php session is
>>> initialized, user can drop the S and still fill out the form "unsecured".
>>>
>>> If the form is supposed to be only used over https you should add a check
>>> for that at the top of the page if you haven't already. Something like the
>>> following should do the trick.
>>>
>>> <?php
>>> // Redirect to HTTPS when the request did not arrive over TLS.
>>> if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
>>>    header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
>>>    exit; // stop here, otherwise the page body is still served over HTTP
>>> }
>>> --
>>> GARETH EVANS
>>>
>>>
>>>> From: Jonathan Schwartz <jschwartz at exit445.com>
>>>> Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
>>>> Date: Wed, 15 Sep 2010 09:18:05 -0700
>>>> To: <fx.php_list at mail.iviking.org>
>>>> Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS
>>>> connections
>>>>
>>>> Hi Folks,
>>>>
>>>> Putting our security hat on now....
>>>>
>>>> "PHP Session ID isn't restricted to HTTPS connections"
>>>>
>>>> I received this feedback from an individual regarding a secure web
>>>> form.  I'm not really sure what it is referring to.
>>>>
>>>> Any help?
>>>
>>>
>>> -|
>>>
>>> _______________________________________________
>>> FX.php_List mailing list
>>> FX.php_List at mail.iviking.org
>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>
>>>
>
>
>
> -|
>
>
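The finding in the original report ("PHP Session ID isn't restricted to HTTPS connections") is about the session cookie itself: unless it is sent with the Secure attribute, the browser will also attach it to any http:// request for the site, so dropping the "S" leaks the session ID in clear text even if the page then redirects. The following bootstrap is an added example, not code from this thread: it refuses to start a session over plain HTTP, redirects to HTTPS and stops (the exit the snippets above omit), and sets the Secure, HttpOnly and SameSite attributes on the session cookie. It assumes a single canonical host, here "site.com" from the thread, and a PHP 7.3 or newer runtime for the array form of session_set_cookie_params(); the CANONICAL_HOST constant and the helper names are mine.

```php
<?php
// Added example (not code from the thread). Include this before session_start()
// on every page, or load it via auto_prepend_file so no page can forget it.
// Assumption: the site is served from one canonical host. "site.com" is taken
// from the thread; replace it with your own hostname.
const CANONICAL_HOST = 'site.com';

// True when the current request arrived over TLS. Checks $_SERVER['HTTPS']
// and, for deployments behind a TLS-terminating proxy, the X-Forwarded-Proto
// header. Only trust that header if the proxy strips it from client requests.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

// Build the HTTPS URL for the current request using a fixed host rather than
// $_SERVER['HTTP_HOST'], so a forged Host header cannot turn the redirect
// into an open redirect. Only a same-site absolute path is carried over.
function https_url_for(array $server, string $host): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

if (!request_is_https($_SERVER)) {
    // Plain HTTP: never issue a session ID here. Redirect and stop; without
    // exit the rest of the page would still be generated and sent in clear.
    header('Location: ' . https_url_for($_SERVER, CANONICAL_HOST), true, 301);
    exit;
}

// Over HTTPS: mark the session cookie Secure so the browser never sends the
// session ID on an http:// request (this is what the finding is about).
// HttpOnly keeps page scripts from reading it; SameSite=Lax limits
// cross-site sending. Equivalent php.ini settings are
// session.cookie_secure = 1 and session.cookie_httponly = 1.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_start();

// Ask browsers to rewrite future http:// navigations to https:// themselves,
// so the clear-text request is not made at all on later visits.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
```

A quick check after deploying: fetch the login page over HTTPS and confirm the Set-Cookie header for PHPSESSID carries "Secure" and "HttpOnly"; then request the same path over http:// and confirm the response is a redirect with no Set-Cookie at all.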

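Leo's alternative, forcing HTTPS in the web server configuration, is done per domain with one virtual host pair, which answers the "per domain" question above. This is an added example, not a configuration from the thread: it assumes Apache httpd 2.4 with mod_ssl, mod_headers and mod_php (with php-fpm the php_value lines move to the pool configuration as php_admin_value), uses "site.com" from the thread, and the certificate and document-root paths are placeholders.

```apache
# Added example (not from the thread): one vhost pair per domain.
<VirtualHost *:80>
    ServerName site.com
    # Every plain-HTTP request for this domain is redirected to HTTPS,
    # keeping the requested path. Nothing else is served on port 80.
    Redirect permanent / https://site.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName site.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site.com.crt      # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/site.com.key    # placeholder path
    DocumentRoot /var/www/site.com                         # placeholder path

    # Mark PHP's session cookie Secure and HttpOnly for this vhost only, so
    # the browser never sends the session ID over http://, and never accept
    # a session ID from the URL.
    php_value session.cookie_secure 1
    php_value session.cookie_httponly 1
    php_value session.use_only_cookies 1

    # Browsers that have seen this header upgrade later http:// requests
    # to https:// before sending them.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Because the settings live in the vhost rather than in each PHP file, a page that forgets its own check is still covered, which is the maintenance argument made in the thread.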
