copy of phpsessionid

Posted on 2014-03-24
Last Modified: 2014-03-25

Create a PHP session on one server and echo the results.

Uncomment a line that hardcodes the PHP session and run this on another server to echo the same results.
Question by: rgb192
Expert Comment by: Loganathan Natarajan
Can you explain what is to be done?
Assisted Solution by: Loganathan Natarajan (earned 83 total points)
Working with "phpsession_id" is very specific to the server and cookies. More details here: http://in3.php.net/manual/zh/session.idpassing.php
Assisted Solution by: Dave Baldwin (earned 83 total points)
You can not transfer 'session_id' from one server to another and get any useful results.  'session_id' is intended to be unique and is also used to identify storage on the system that created the 'session_id'.  That storage and data does not exist on any other server.
Expert Comment by: Ray Paseur
Please step back from the technical details and just tell us what you want to do in business terms.  Maybe something like, "I want to share data from one server to another?"  If we understand what you're trying to achieve we may be able to suggest a commonly used design pattern.
Author Comment by: rgb192
Custom content management system where a user logs in. I had a file that dumped the session to a text file.

I was told that was a security risk because other users could see the text file and imitate the session, and a 'bad user' can pretend to be 'bob'.

Is this possible? If so, how?
Assisted Solution by: Ray Paseur (earned 167 total points)
It may be possible, but if you're using the standard PHP session handler, the risk is very small.  If you're not using the standard PHP session handler, you would want to be able to explain why not.  A correctly configured PHP installation will not expose session data via a URL.

However if you're on a shared server, you may have some (very small) risk from other clients on the same machine.
Assisted Solution by: jrm213jrm213 (earned 83 total points)
If you have a valid session id for a user, you can forge a cookie and, depending on how the server is set up and what it checks, it may just think you are that user because its server-side session data is still valid. It's why you should always "log out" of systems instead of just closing the browser. Although you have to hope that as part of the logout script the site you are on destroys the session...

For example on your own machine if you are logged into a site and you close the browser, then re-open the browser soon thereafter and navigate back to the site, it will still say you are logged in. It "restored" your session based on the cookie and the session was still live on the server.

So it is definitely possible and it really isn't even very hard. Which is why you need to keep things like session id private.
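A defensive counterpart to the forged-cookie scenario described in this answer, added here as an example and not code from the thread: the id the browser presents is checked before session_start(), the id is regenerated at login, and logout destroys the server-side data and expires the cookie, so a copied id stops being useful. It assumes PHP 7.3 or later, the default file-based session handler and an HTTPS site; sanitizeSessionCookie(), loginUser() and logoutUser() are hypothetical names standing in for the CMS's own handlers.

```php
<?php
// Added example, not code from the thread: PHP session handling that limits
// what a copied or forged session id is worth. Assumes PHP >= 7.3 with the
// default file-based session handler and an HTTPS site.

// Never accept ids from URLs, and reject ids the server never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
// Cookie flags: no script access, HTTPS only, not sent on cross-site POSTs.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);

/** Drop a cookie value that cannot be a PHP session id (default sids: 22-256 chars of [A-Za-z0-9,-]). */
function sanitizeSessionCookie(): void
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $_COOKIE[$name])) {
        unset($_COOKIE[$name]);   // session_start() will then issue a fresh id
    }
}

/** Call after the CMS has verified the credentials: swap the pre-login id for a new one. */
function loginUser(string $username): void
{
    session_regenerate_id(true);  // true = delete the old session file as well
    $_SESSION['user'] = $username;
}

/** Real logout: clear server-side data, delete the session file, expire the cookie. */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    unset($p['lifetime']);        // not a valid setcookie() option key
    setcookie(session_name(), '', ['expires' => time() - 42000] + $p);
    session_destroy();            // a replayed old cookie now maps to no data
}

sanitizeSessionCookie();
session_start();
```

With session.use_strict_mode on, an id that was never created by this server is refused even before the pattern check runs, so a copied id only works while its owner's session is still alive; the logout path is what ends that window.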
Assisted Solution by: Slick812 (earned 84 total points)
Hello, you say "I had a file that dumped session to text file". This may NOT be a security risk; it all depends on what is in the "text file", that is, what was in the session data that is now in this text file. Obviously if the developer was stupid enough to have a plain-text password in the session data, and the user name and the user password (in plain text) are in the "text file", then a BIG YES, it is a security risk!

As to a session ID in a "text file", this is in your browser cookie anyway, and is not usually considered much of a security risk. HOWEVER, very knowledgeable coders may be able to take some advantage of it, in a short-term way. BUT ALL of the phpsessionid are meant to be only ONE TIME use, SO YOU the developer must avoid placing ANY passwords, security info, phpsessionid and other risks into a "text file".
Persistent security data storage is best done with a MySQL update.
Accepted Solution by: Ray Paseur (earned 167 total points)
Some of the confusion about how the PHP session works is related to how browsers deal with the cookie jar.  The PHP session uses cookies, and cookies are sent to the browser and returned by the browser, so the contents of the cookie must be considered "tainted."

In this article...
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
... look for The Fine Print
Author Closing Comment by: rgb192
Thanks for session information.