Posted by Erwin Moller on 10/14/09 12:00
pim@impulzief.nl wrote:
> Dear All,
>
> What I was wondering is how safe it is to store user_id or username or
> anything like that in session. I usually store a bunch of info in a
> session so I do not need to search the database all the time. However,
> is it easy to change a value after being logged in?
>
> For example:
> - A user logs in
> - Now set is: $_SESSION["user_id"] = 34;
> - If he opens his "Profile page", the website collects all personal
> information from table users where user_id = 34
>
> But according to this article:
> http://www.governmentsecurity.org/archive/t13901.html
Hi,
I think you didn't read that article right.
I think you are referring to this part. Is that right?
<quote>
2. Bypassing Session Cookies
OVERRIDING BASIC SESSION COOKIE AUTHENTICATION
Most of the time session handling is done with the use of cookies. The
cookies tell the webpage who you are and what you have access to and
what you don't have access to. If the page does not handle session
cookies correctly a hacker might be able to change their identity to
that of another user's. Cookies are stored in "window.document.cookie".
With javascript we are able to erase, edit, create cookies for any
website. This task is more complicated than regular types of attacks. I
will not go into great detail about how it's done.
To View the Cookie:
javascript:alert(unescape(document.cookie));
<snipped>
So if you are logged in as "John Doe" in www.ima13370h4x0r.net and
your session cookie reads:
SessionData=a:3:{s:11:"SessionUser";s:5:"75959";s:9:"SessionID";i:70202768;s:9:"LastVisit";i:1078367189;}
The cookie is actually serialized but you should be able to recognize
"75959" as your user_id. Some of the time you will find a website that
stores data (like user_id) in cookies but does not typecast the data.
This is a serious hole in the site's code because any user is able to
change their user_id to any other user or administrator user_id.
Changing the cookie value is easy once you have declared the window.c
function. First change s:5:"75959" to s:x:"ADMINID" where x is the
length of the new value. So if you want to change 75959 to 1. You must
change s:5:"75959" to s:1:"1" :-) Sometimes you will need to change
75959 to "13 or 1=1" in order to bypass any WHERE statements any sql
session queries used to keep you logged in the website.
</quote>
>
> It is easy to change $_SESSION["user_id"] to, for example, 78.
No, it is NOT easy.
The article describes the cookie, which is NOT the session.
Only idiots store sensitive information into a cookie. So what is
described in the article only works for bad php scripts.
With Firefox for example, you can view/delete/modify each and every
cookie very simply.
PHP uses the cookie ONLY to pass around a string named PHPSESSID.
That string is used by PHP in subsequent requests to identify the user.
The actual information is stored in a file on the server, NOT on the client.
So if my php script decides to put this in your session:
$_SESSION["youneverknow"] = 42;
a visitor has no clue it is there, since this information is NEVER sent
to the client. Only the PHPSESSID is sent.
So to hijack a session, which IS possible but a lot harder, you need to
know the value of the PHPSESSID cookie of somebody else.
> So, that means that once you are logged in and change your own
> user_id, you can see personal information from other users.
Yes, in the stupid setup described, that is possible.
Any PHP programmer with any experience won't do it in that way.
Regards,
Erwin Moller
>
>
> Is this really possible? If so, I can imagine I would use a temporary
> table with temporary hashes where user_ids will be stored next to a
> temporary hash. However, this is much more work and database traffic
> which will slow down the system dramatically.
>
> So... Is $_SESSION["user_id"] = 34 safe enough?
>
> Kind regards,
>
>
> Pim Zeekoers
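As an added example (not code from the thread or from the quoted article), the two designs Erwin contrasts side by side in PHP: the flawed one, where the user id travels in a cookie the client can rewrite, and the one he recommends, where only PHPSESSID is sent to the browser and user_id lives in the server-side $_SESSION. It assumes a PDO connection `$pdo` and a hypothetical `users` table with `id`, `username`, `email` and `password_hash` columns.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo and a
// hypothetical users(id, username, email, password_hash) table.

// Harden the session cookie before session_start(): HttpOnly keeps page
// scripts (the document.cookie trick in the quoted article) from reading
// PHPSESSID, Secure keeps it off plain HTTP, and use_only_cookies stops the
// id from being accepted from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// --- The flawed design the article attacks: identity read from a cookie ---
// The client owns every byte of $_COOKIE, so any user can set this to any
// other user's id. The serialized SessionData cookie in the article is the
// same mistake with extra steps.
function currentUserIdFromCookieUnsafe(): ?int
{
    return isset($_COOKIE['user_id']) ? (int) $_COOKIE['user_id'] : null;
}

// --- Erwin's design: only the session id is sent; user_id stays server-side ---
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // New session id on login so a session fixed before authentication
    // does not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function currentUserId(): ?int
{
    // Comes from the server-side session file, never from the request.
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function profile(PDO $pdo): ?array
{
    $uid = currentUserId();
    if ($uid === null) {
        return null; // not logged in
    }
    // Bound parameter: the id is an integer the server chose, and it is
    // still never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The profile page calls `profile($pdo)` and never looks at the request for the user id; what the visitor can tamper with (the PHPSESSID cookie) only selects which server-side record is used, and guessing another user's id requires guessing their whole session id, which is the hijack Erwin describes as possible but a lot harder.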