160 likes | 235 Views
Implementing Session Support. COEN 351. State Maintenance. Client Side Mechanisms Cookies Client needs to allow cookies Cookie handling done by browser Hidden Fields in Forms Each page has to be rebuild to contain correct form Fat URL Each page has to be rebuild with correct links
E N D
Implementing Session Support COEN 351
State Maintenance • Client Side Mechanisms • Cookies • Client needs to allow cookies • Cookie handling done by browser • Hidden Fields in Forms • Each page has to be rebuild to contain correct form • Fat URL • Each page has to be rebuild with correct links • Server Side Mechanisms • Files • Database • Web server • Long running process that can crash • Needs to use a client side mechanism • Security Implication: • CLIENT CAN CHANGE ALL INFORMATION
Server Side Support • Apache:Session • Perl module failed test for windows • CGI:Session • Homemade Session Support • Use to investigate security issues
Using a session database mysql> create database session; mysql> use session; mysql> create table sessionid ( -> id MEDIUMINT NOT NULL AUTO_INCREMENT, -> name CHAR(30) NOT NULL, -> PRIMARY KEY (id) -> );
Using a session database mysql> show tables; +-------------------+ | Tables_in_session | +-------------------+ | sessionid | +-------------------+ 1 row in set (0.00 sec) mysql> INSERT INTO sessionid (name) VALUES ('thomas'); Query OK, 1 row affected (0.10 sec) mysql> INSERT INTO sessionid (name) VALUES ('bob'),('jim'); Query OK, 2 rows affected (0.04 sec) Records: 2 Duplicates: 0 Warnings: 0 mysql> SELECT * FROM sessionid ORDER BY id; +----+--------+ | id | name | +----+--------+ | 1 | thomas | | 2 | bob | | 3 | jim | +----+--------+ 3 rows in set (0.00 sec)
Creating a Password Database mysql> create table user ( -> name VARCHAR(8), -> password VARCHAR(8), -> primary key (name) -> ); Query OK, 0 rows affected (0.16 sec) mysql> INSERT INTO user -> VALUES ('JoeDoe','12345'), ('JaneDoe','12345') -> ; Query OK, 2 rows affected (0.09 sec) Records: 2 Duplicates: 0 Warnings: 0
Sample Application • Login Page • Typically form that is self-referring • When user info is submitted, page acts differently • Acceptance page that creates a session • Stores session id in cookie
Login Page #!/perl/bin/perl.exe use strict; use CGI qw/:standard/; use MIME::Base64::URLSafe; #I had problems with this module under build 819 my $q = new CGI; print $q->header(-type => "text/html"); print $q->start_html("Santa Claus University Login Page"); print $q->h1("Welcome to Santa Claus University"); print $q->start_form( -action => "session1.cgi", -method => 'GET'), $q->p("Please enter your account"), $q->textfield (-name => "name"), $q->p("Please enter your password"), $q->textfield (-name => "pwd"), $q->p(" "), $q->submit (-name => 'choice', -value => "Submit" ), $q->end_form(); print $q->end_html; More normal: -action => url()
Login Page <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"> <head> <title>Santa Claus University Login Page</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> </head> <body> <h1>Welcome to Santa Claus University</h1><form method="get" action="session1.cgi" enctype="multipart/form-data"> <p>Please enter your account</p><input type="text" name="name" value="thomas" /><p>Please enter your password</p><input type="text" name="pwd" value="hallo" /><p> </p><input type="submit" name="choice" value="Submit" /></form> </body> </html> Notice that there is currently no protection for the data to be transmitted.
Creating a Session • Use MySQL database with autoincrement feature: mysql> describe sessionid; +-------+--------------+------+-----+---------+----------------+ | Field | Type | Null | Key | Default | Extra | +-------+--------------+------+-----+---------+----------------+ | id | mediumint(9) | NO | PRI | NULL | auto_increment | | name | char(30) | NO | | | | +-------+--------------+------+-----+---------+----------------+ 2 rows in set (0.15 sec)
Creating a Session #!/perl/bin/perl.exe use strict; use DBI; use CGI qw/:standard :html3/; use CGI::Carp qw/ fatalsToBrowser/; #for debugging only use MIME::Base64::URLSafe; #I had problems with this module under build 819 my $q = new CGI; #Get information from GET data: my $username = param('name'); my $pwd = param('pwd');
Creating a Session my $dbh = DBI->connect ("DBI:mysql:host=localhost;database=session", "root", "none",{PrintError => 0, RaiseError => 1} ); my $sth = $dbh->prepare("SELECT * FROM user WHERE name = '$username' and password = '$pwd' "); $sth->execute(); my $ref = $sth->fetchrow_hashref (); $sth->finish(); if (!defined($ref)) { print "Location: http://192.168.0.13/cgi-bin/session.cgi\n\n" } else { code on next page } Possibility of SQL injection attack! Would it be better to check results?
Creating a Session else { #create entry in sessionid, get session ID, and clean up table $dbh->do ("INSERT INTO sessionID (id,name) VALUES(NULL,'$username')" ); my $ref = $dbh->selectcol_arrayref("SELECT LAST_INSERT_ID()"); my $sessionid = @{$ref}[0]; $dbh->do("DELETE LOW_PRIORITY FROM sessionid WHERE id < '$sessionid' and name = '$username'"); mysql> select * from sessionid; +----+---------+ | id | name | +----+---------+ | 41 | JoeDoe | | 42 | JaneDoe | +----+---------+ 2 rows in set (0.05 sec) Clean up session table Is this code vulnerable to a race condition?
Creating a Session else { … my $cookievalue1 = urlsafe_b64encode($sessionid); my $cookievalue2 = urlsafe_b64encode($username); my $cookie1 = $q->cookie ( -name => 'sessionID', -value => $cookievalue1, -expires => "+1d" ); my $cookie2 = $q->cookie ( -name => 'account', -value => $cookievalue2, -expires => "+1d" ); print $q->header(-type => "text/html", -cookie => [$cookie1,$cookie2]); print $q->start_html("Santa Claus University Login Page"); print $q->h1("Welcome to Santa Claus University"); print $q->start_form( -action => "session2.cgi", -method => 'GET'), $q->hidden($cookievalue1), $q->submit (-name => 'Continue', -value => "Submit" ), $q->end_form(); print $q->end_html; } Cookie values are not protected!
Maintaining Session Data use strict; use DBI; use CGI qw/:standard :html3/; use CGI::Carp qw/ fatalsToBrowser/; use MIME::Base64::URLSafe; my $q = new CGI; print $q->header(-type => "text/html"); print $q->start_html("Santa Claus University Login Page"), $q->h1("Welcome to Santa Claus University"), $q->p("We offer degrees for money."); foreach my $name ($q->cookie()) { my $value = urlsafe_b64decode($q->cookie($name)); print $q->p("$value"); } print $q->end_html; No authentication of cookie values.
Security Problems • We need to use cookies / fat URLs to refer to the current session name. • This information needs to be protected • against alteration • against substitution