Re: Can SID be trusted?

Posted by Sebastian Lisken on 10/13/24 12:00

Christian Welzel <gawain@camlann.de> wrote:
> This is what the debian php5.ini says about use_trans_sid:
>
> ; trans sid support is disabled by default.
> ; Use of trans sid may risk your users security.
> ; Use this option with caution.
> ; - User may send URL contains active session ID
> ; to other person via. email/irc/etc.
> ; - URL that contains active session ID may be stored
> ; in publically accessible computer.
> ; - User may access your site with the same session ID
> ; always using URL stored in browser's history or bookmarks.
> session.use_trans_sid = 0

> So your <a href="script.php?<? echo SID; ?> opens your application
> to exactly the facts mentioned above as it mimics session_trans_sid.

No, my code doesn't make a difference.

Either cookies are enabled: then SID is an empty string and all that
"my" code (it's not mine) adds is the question mark (this is not
pleasing from a cosmetic point of view, but not the issue you mention).

Or cookies are not enabled: then it's *necessary* to use the HTTP
request to pass on the session ID, with all the risks you mention. If
GET parameters are used, this can be done either with "my" code or with
use_trans_sid, they have the same effect. If you say GET parameters
shouldn't be used, what is your alternative?

I *am* aware of the risks of session fixation and stealing. There's
no simple way to avoid them (cookies instead of GET parameters are not
perfect protection and not always available). I wasn't going to go into
that issue at first - hopefully I've made it clear what my specific
question was, but I'm rather confident about the answer to that by
now. So we can discuss attacks on the session (rather than on the
value of SID for XSS purposes) if you want. But please, let's not make
quick judgements based on short remarks in some php.ini file, but read
http://phpsec.org/projects/guide/4.html (which I had before I embarked
on this task) and move the discussion on from there.

Sebastian
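The two situations Sebastian describes (SID empty when the cookie is present, SID carrying the live ID when it is not) and the fixation risk he mentions can be seen side by side in a small script. This is an added example, not code from either poster or from php.ini; every directive used is a standard PHP session setting, and `on_successful_login` is a hypothetical placeholder for wherever an application authenticates a user.

```php
<?php
// Added example (not from the thread or from php.ini): SID behaviour under the
// two settings discussed above, and the hardened configuration a defender
// would use. All ini keys are standard PHP session directives.

// --- Weak (what use_trans_sid = 1 together with use_only_cookies = 0 amounts to) ---
// ini_set('session.use_trans_sid', '1');     // PHP rewrites links to carry PHPSESSID
// ini_set('session.use_only_cookies', '0');  // accepts ?PHPSESSID=... from the URL
// With these, a link such as  script.php?<?= SID ?>  carries the live session ID
// whenever no cookie arrived, so a URL copied into mail, history or a bookmark
// is a working session credential, which is the risk the php.ini comment lists.

// --- Hardened: the session ID travels only in a cookie ---
ini_set('session.use_only_cookies', '1');  // ignore IDs passed in GET/POST entirely
ini_set('session.use_trans_sid', '0');     // never rewrite URLs to carry the ID
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued (fixation)
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript (XSS)
ini_set('session.cookie_secure', '1');     // cookie sent over HTTPS only
ini_set('session.cookie_samesite', 'Lax'); // not attached to cross-site navigations

session_start();

// SID is defined by session_start(): it is "" when the client sent the session
// cookie, and "PHPSESSID=<id>" when the ID is not yet known to be in a cookie.
// With use_only_cookies = 1 a non-empty SID is never needed in a link, so the
// "?<?= SID ?>" idiom from the thread can simply be dropped.
function session_id_is_in_cookie(): bool {
    return SID === '';
}

// Hypothetical login step: rotate the ID after authentication so that an ID an
// attacker planted or observed before login does not survive into the
// authenticated session.
function on_successful_login(string $username): void {
    session_regenerate_id(true);   // true = destroy the old session record too
    $_SESSION['user'] = $username;
    $_SESSION['issued_at'] = time();
}

printf("SID is %s\n", session_id_is_in_cookie() ? 'empty (cookie in use)' : '"' . SID . '"');
echo '<a href="script.php">next page</a>', "\n"; // no session ID in the URL
```

Run it twice with a cookie-capable client: the first response sets the cookie and SID is non-empty, the second request carries the cookie and SID is the empty string, exactly as Sebastian describes. Because `cookie_secure` is on, the cookie is only sent over HTTPS; clients that refuse cookies get a fresh session on every request under this configuration, which is the intended trade-off rather than falling back to the URL.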
