Posted by Jerry Stuckle on 11/11/19 12:00
Sebastian Lisken wrote:
> Christian Welzel <gawain@camlann.de> wrote:
>> This is what the debian php5.ini says about use_trans_sid:
>>
>> ; trans sid support is disabled by default.
>> ; Use of trans sid may risk your users security.
>> ; Use this option with caution.
>> ; - User may send URL contains active session ID
>> ; to other person via. email/irc/etc.
>> ; - URL that contains active session ID may be stored
>> ; in publically accessible computer.
>> ; - User may access your site with the same session ID
>> ; always using URL stored in browser's history or bookmarks.
>> session.use_trans_sid = 0
>
>> So your <a href="script.php?<? echo SID; ?> opens your application
>> to exactly the facts mentioned above as it mimics session_trans_sid.
>
> No, my code doesn't make a difference.
>
> Either cookies are enabled: then SID is an empty string and all that
> "my" code (it's not mine) adds is the question mark (this is not
> pleasing from a cosmetic point of view, but not the issue you mention)
>
> Or cookies are not enabled: then it's *necessary* to use the HTTP
> request to pass on the session ID, with all the risks you mention. If
> GET parameters are used, this can be done either with "my" code or with
> use_trans_sid, they have the same effect. If you say GET parameters
> shouldn't be used, what is your alternative?
>
And if PHP is configured correctly, it will do this for you. No need to
do it yourself. All of my PHP sites work fine whether cookies are
enabled or disabled.
> I *am* aware of the risks of session fixation and stealing. There's
> no simple way to avoid them (cookies instead of GET parameters are not
> perfect protection and not always available). I wasn't going to go into
> that issue at first - hopefully I've made it clear what my specific
> question was, but I'm rather confident about the answer to that by
> now. So we can discuss attacks on the session (rather than on the
> value of SID for XSS purposes) if you want. But please, let's not make
> quick judgements based on short remarks in some php.ini file, but read
> http://phpsec.org/projects/guide/4.html (which I had before I embarked
> on this task) and move the discussion on from there.
>
> Sebastian
>
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
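As an added example (not code from this thread or from any of the posters), here is a cookie-only session setup that makes both `use_trans_sid` and a hand-appended `?<?= SID ?>` unnecessary, and that covers the fixation risk Sebastian refers to. The function names `login_user`, `link_to` and `url_carried_session_id` are hypothetical; the array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread: keep the session ID out of URLs entirely
// and regenerate it on login so a fixated ID is worthless.

// 1. Refuse URL-carried session IDs. use_only_cookies makes PHP ignore
//    ?PHPSESSID=... in the request; use_trans_sid=0 stops link/form rewriting;
//    use_strict_mode rejects IDs the server never issued (PHP >= 5.5.2).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// 2. Cookie attributes: HttpOnly keeps the ID away from page script, Secure keeps
//    it off plaintext HTTP, SameSite=Lax limits cross-site sends.
session_set_cookie_params([
    'lifetime' => 0,       // session cookie, not persisted in the browser
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

// 3. Detection: with the settings above PHP already ignores a session ID in the
//    query string, but its presence is worth logging, since legitimate clients
//    never send one. (hypothetical helper)
function url_carried_session_id(array $get): ?string
{
    $name = session_name();                 // "PHPSESSID" unless renamed
    return isset($get[$name]) ? (string) $get[$name] : null;
}

if (($sid = url_carried_session_id($_GET)) !== null) {
    error_log('session ID in query string ignored (possible fixation attempt): '
        . substr($sid, 0, 8) . '...');
}

// 4. On privilege change (login), discard the pre-auth ID. The cookie is reissued
//    automatically; true deletes the old session data on the server. (hypothetical)
function login_user(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['auth_time'] = time();
}

// 5. Links carry no session ID, so there is no trailing "?" and nothing to leak
//    through bookmarks, history, or a pasted URL. (hypothetical helper)
function link_to(string $script, string $label): string
{
    return '<a href="' . htmlspecialchars($script, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

echo link_to('script.php', 'next page');
```

The trade-off is the one Sebastian names: a client with cookies disabled gets no session at all rather than a URL-carried one. For a site that accepts that, the settings above remove the bookmark, history and shared-URL exposure described in the php.ini comment, and the regenerate-on-login step closes the fixation window for clients that do have cookies.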