Session 7: Sessions and Cookies
Justin C. Klein Keane, jukeane@sas.upenn.edu
PHP Code Auditing
©2009 Justin C. Klein Keane
PHP Session
• Sessions are used to track data across page requests
• Used to end-run the stateless nature of the web
• Sessions are tracked by an id
• The ID is stored server side according to the php.ini settings
• The ID is stored client side as a cookie or URL parameter

Starting a Session
• Initializing a session:
  <?php
  session_start();
  ...

Session Variables Preserved
• Session variable values are saved on the server and tied to each session id
• Session variables are preserved across page requests
• Information like user account data, shopping carts, etc. is typically stored in the session

Using Session Variables
• $_SESSION is a superglobal variable
• http://us3.php.net/manual/en/language.variables.superglobals.php
• Variables in the $_SESSION array are set and read in the same way as other superglobals
  <?php
  $_SESSION['user_id'] = $user_id;
  echo $_SESSION['user_id'];
  ...

Session Collision
• Sessions should be named per application
• PHPSESSID is shared across a domain, so applications can share sessions
• This can lead to single sign-on, OR
• This can lead to unauthenticated access
• Example...

Naming a Session
  <?php
  session_name('myapp');
  session_start();
• Ensures a unique session per application

Terminating a Session
• Tearing down a session:
  <?php
  session_destroy();
  ...
• Unset any sensitive variables:
  <?php
  unset($var);
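The session lifecycle from the preceding slides (naming, starting, storing variables, tearing down) written out as one script. This is an added example, not code from the slides; the application name 'myapp', the user id value and the login/logout function names are assumptions. The teardown goes one step further than the slide: it clears $_SESSION, expires the client cookie, and only then calls session_destroy(), because session_destroy() alone leaves the browser holding a still-valid-looking id.

```php
<?php
// Added example (not from the slides): naming, starting, using and
// tearing down a PHP session. 'myapp' and the user id 42 are assumptions.

declare(strict_types=1);

// Give this application its own cookie name so it does not share
// PHPSESSID with other applications hosted on the same domain.
session_name('myapp');
session_start();

function login(int $userId): void
{
    // Data stored here lives server side, keyed by the session id,
    // and survives across page requests.
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = true;
}

function currentUser(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

function logout(): void
{
    // 1. Clear every session variable, sensitive ones included, rather
    //    than unset()-ing them one at a time and risking a miss.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser. session_destroy()
    //    removes only the server-side data; without this the client keeps
    //    presenting the old id on every request.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session data.
    session_destroy();
}

// Constructed usage.
login(42);
echo "user: " . currentUser() . "\n";   // user: 42
logout();
var_dump(currentUser());                 // NULL
```

Run from the command line PHP uses its file-based session handler, so the script works without a web server; the setcookie() call is simply a header that goes nowhere in that case.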
Dangers of Session
• Session IDs allow the holder to “adopt” the session
• Be wary of restricting a session to an IP
  • Proxies and other problems
• Using multiple cookie values can add “uniqueness” to sessions

Session Leaking
• Session ids are stored on the filesystem
• Session ids in URLs can be leaked through referer data
• Session ids in URLs can also get copied and pasted, and end up in log files
• Session ids are also found in cookies

Cookies
• Cookies are nothing more than small text files
• Cookies can be set by any site if the browser accepts them

Setting Cookies
  <?php
  setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
  ?>
• Note that expiry is actually controlled by the browser, which may or may not stop using the cookie at the set time
• There is no native server side tracking of cookie expiry

Cookie Location
• Domain and path determine the requests for which the cookie will be submitted
• Cookies set to an HTTP domain will not be sent to an HTTPS domain, and vice versa

Cookie Security
• Setting a cookie to secure indicates that the cookie will only be sent via HTTPS
• This means the cookie will only be submitted with HTTPS requests
• Be careful – you can set a cookie like this over HTTP!

Cookie Security (cont.)
• Setting the cookie to httponly is a VERY good idea in most circumstances
• Only available from PHP 5.2
• Limits cookie access to HTTP only; JavaScript cannot access the cookie
• This prevents XSS-based cookie theft attacks
• Unfortunately the browser must support the behavior
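The setcookie() call from the "Setting Cookies" slide with the secure and httponly flags applied, plus the check the "Be careful" bullet implies: refuse to issue a secure cookie on a request that did not itself arrive over HTTPS. This is an added example, not code from the slides; the cookie name 'auth_token', the helper names and the one-hour lifetime are assumptions.

```php
<?php
// Added example (not from the slides): issue a cookie with the secure and
// httponly flags, and refuse to do so over plain HTTP. Names are assumptions.

declare(strict_types=1);

function isHttpsRequest(): bool
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value other than "off"
    // when the request arrived over TLS.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function setSecureCookie(string $name, string $value, int $ttlSeconds): bool
{
    // The slide warns that PHP will happily set a "secure" cookie over HTTP.
    // The value then crosses the wire in clear text once, and the browser
    // never sends it back on this plain connection anyway. Refuse instead.
    if (!isHttpsRequest()) {
        error_log("refusing to set cookie {$name}: request is not HTTPS");
        return false;
    }

    return setcookie(
        $name,
        $value,
        time() + $ttlSeconds,   // expiry: a hint the browser is expected to honour
        '/',                    // path: whole site
        '',                     // domain: current host only
        true,                   // secure: sent only with HTTPS requests
        true                    // httponly: hidden from JavaScript (PHP >= 5.2)
    );
}

// Constructed usage: the token comes from a cryptographically secure source.
if (setSecureCookie('auth_token', bin2hex(random_bytes(16)), 3600)) {
    echo "cookie set\n";
} else {
    echo "cookie not set\n";
}
```

Behind a TLS-terminating proxy $_SERVER['HTTPS'] is often unset even though the client connection is encrypted; in that deployment the check has to read whatever header the proxy forwards, and that header must only be trusted from the proxy's address.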
Accessing Cookies
• Can be accessed via multiple superglobals:
  <?php
  echo $_COOKIE['foo'];
  print_r($_SERVER['HTTP_COOKIE']);
  ...

Sessions and Cookies
• Session cookies can be configured in php.ini
• Some relevant settings include:
  • session.cookie_secure
  • session.cookie_httponly
  • session.referer_check
Session Security
• Session fixation
  • A flaw in application logic that allows a user's session id to be set from outside
  • Especially dangerous when session ids are accepted in GET
  • An attacker can set cookies for another domain
• Session predictability
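The settings listed on the "Sessions and Cookies" slide and the session fixation point above, combined into one bootstrap: harden the session cookie before session_start(), reject ids arriving anywhere but in the cookie, and replace the id the moment a user authenticates so a pre-planted id never becomes a logged-in session. This is an added example, not code from the slides; ini_set() is used here as the runtime equivalent of the php.ini directives, and the 'myapp' name, the 'example.com' referer substring and the function names are assumptions.

```php
<?php
// Added example (not from the slides): session cookie hardening plus
// session id regeneration at login. 'myapp' and 'example.com' are assumptions.

declare(strict_types=1);

function configureSession(): void
{
    // All of these are PHP_INI_ALL and must be set before session_start().
    ini_set('session.cookie_secure',    '1'); // cookie only over HTTPS
    ini_set('session.cookie_httponly',  '1'); // not readable by JavaScript
    ini_set('session.use_only_cookies', '1'); // ignore ids supplied in the URL
    ini_set('session.use_trans_sid',    '0'); // never rewrite the id into links
    // Discard a session whose Referer does not contain this substring
    // (assumed host name; note an absent Referer header passes this check).
    ini_set('session.referer_check',    'example.com');

    session_name('myapp');
    session_start();
}

function loginWithFixationDefense(int $userId): void
{
    // Whatever id is in use right now may have been planted by an attacker
    // (fixation). Rotating it after authentication means the id the attacker
    // knows never carries an authenticated session. The "true" argument
    // deletes the old server-side session data as well.
    session_regenerate_id(true);

    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
}

function isSessionStale(int $maxAgeSeconds = 1800): bool
{
    // Bound the lifetime of any id, which also limits the window in which
    // a leaked or guessed id is useful.
    return isset($_SESSION['created_at'])
        && (time() - $_SESSION['created_at']) > $maxAgeSeconds;
}

// Constructed usage: configure, then rotate the id on a successful login.
configureSession();
$before = session_id();
loginWithFixationDefense(42);
$after = session_id();
echo ($before !== $after) ? "session id rotated at login\n" : "session id unchanged!\n";
var_dump(isSessionStale()); // bool(false) immediately after login
```

With session.cookie_secure set, a site served over plain HTTP in development will never get its session cookie back from the browser, so every request starts a fresh session; that is the expected effect of the flag, not a bug in the bootstrap.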