Kauft das PHP-Sicherheitsbuch!

Dritte Auflage

Jetzt bestellen!

ISBN-13: 978-3898643696
€ 36,00

Links

XING
(Profil nur für Xing-Mitglieder sichtbar)
Ungläsern
Rootserver, Colocation, Hosting
My amazon wishlist
VServer Hosting

Pages

Frontpage
About Christopher Kunz
Kontaktformular

Syndicate This Blog

Monday, November 21. 2005

Strict session handling in PHP

PHP

PHP has a permissive session system. This has been decided way before I came into the PHP world (I guess in preparation of 4.0), and the reasons for this decision are kinda lost in transit. However, with a small patch by Hardened-PHP Project buddy Stefan esser, this might now change.

A small patch against PHP’s ext/session and ext/sqlite adds two new handler functions to validate and create session IDs, as well as the php.ini setting 

session.use_strict_mode = 0/1

although under normal circumstances, a strict session mode handler will not bring extremely more security, it will put an end to session fixation (supplying a session ID and have it validated by PHP), some SQL injection issues (if, for tracking purposes, you store each session ID in a database) and some XSS that might arise from providing a session ID including HTML/JS code.

You can check out the patch at 

http://www.suspekt.org/session_strict_mode.patch

It will also be part of the next release of the Hardening Patch for PHP.


Posted by Christopher Kunz in PHP at 17:16 | Comments (4) | Trackback (1)
Vote for articles fresher than 7 days!
Derzeitige Beurteilung: 0, 0 Stimme(n) 25049 hits
Defined tags for this entry: ,
Related entries by tags:
Implementing an APS socket
PHPShield revisited
Uh, dudes? Check your medication before you interview.
PHPShield, SourceGuardian and Inovica Ltd.
Anti-SEO Spam
Video des XSS-Vortrags auf dem Heisestand während der CeBIT
Heise-c't-Vortrag zu XSS: Slides
Cacti "cmd.php" Command Execution - Hotfix
Suhosin extension in Debian unstable
FUD as a marketing strategy in the PHP world
Bookmark Strict session handling in PHP at del.icio.us Digg Strict session handling in PHP Technorati Strict session handling in PHP wong it! Stumble It!

Trackbacks
Trackback specific URI for this entry

Strict session handling in PHP
Christopher Kunz mentions a new patch for PHP which deals with Session Fixation. PHP has a permissive session system. This has been decided way before I came into the PHP world (I guess in preparation of 4.0), and the reasons...
Weblog: Jacques Marneweck's Blog
Tracked: Nov 24, 23:44

Comments
Display comments as (Linear | Threaded)

Hi Christopher, I don’t think you mean to say that this puts an end to session fixation. If you do, can you elaborate?
#1 Chris Shiflett (Homepage) on 2005-11-21 21:35 (Reply)
One attack avenue is still open, that’s right. You can supply a valid PHP-generated session ID for a user to validate, but you cannot any longer use any arbitrary value.
#1.1 Christopher Kunz (Homepage) on 2005-11-21 23:13 (Reply)
Any idea when we can see this patch in the PHP CVS repository? ;-)
#1.1.1 Jacques Marneweck (Homepage) on 2005-11-24 23:46 (Reply)
That’s what I thought - thanks. :-)
#2 Chris Shiflett (Homepage) on 2005-11-22 00:56 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA