Solved

copy of phpsessionid

Posted on 2014-03-24
10
129 Views
Last Modified: 2014-03-25
copy of phpsessionid

create a phpsession on one server
echo results

uncomment a line
that hardcode phpsession
and run this in another server to
echo same results
0
Comment
Question by:rgb192
  • 3
  • 2
  • 2
  • +3
10 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 39952337
Can you explain what is to be done?
0
 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 83 total points
ID: 39952376
Working with "phpsession_id" is very specific with server and cookies. More details here, http://in3.php.net/manual/zh/session.idpassing.php
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 83 total points
ID: 39952495
You can not transfer 'session_id' from one server to another and get any useful results.  'session_id' is intended to be unique and is also used to identify storage on the system that created the 'session_id'.  That storage and data does not exist on any other server.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39953015
Please step back from the technical details and just tell us what you want to do in business terms.  Maybe something like, "I want to share data from one server to another?"  If we understand what you're trying to achieve we may be able to suggest a commonly used design pattern.
0
 

Author Comment

by:rgb192
ID: 39953901
custom content management system where user logs in
I had a file that dumped session to text file

I was told that was a security risk because other users could see the text file and imitate session and 'bad user' can pretend to be 'bob'

Is this possible, if so how?
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 167 total points
ID: 39954234
It may be possible, but if you're using the standard PHP session handler, the risk is very small.  If you're not using the standard PHP session handler, you would want to be able to explain why not.  A correctly configured PHP installation will not expose session data via a URL.

However if you're on a shared server, you may have some (very small) risk from other clients on the same machine.
0
 
LVL 17

Assisted Solution

by:jrm213jrm213
jrm213jrm213 earned 83 total points
ID: 39954345
If you have a valid session id for a user, you can forge a cookie and depending on how the server is set up and what it checks, it may just think you are that user because it's server side session data is still valid. It's why you should always "log out" of systems instead of just closing the browser. Although you have to hope that as part of the logout script the site you are on destroys the session...

For example on your own machine if you are logged into a site and you close the browser, then re-open the browser soon thereafter and navigate back to the site, it will still say you are logged in. It "restored" your session based on the cookie and the session was still live on the server.

So it is definitely possible and it really isn't even very hard. Which is why you need to keep things like session id private.
0
 
LVL 33

Assisted Solution

by:Slick812
Slick812 earned 84 total points
ID: 39954363
hello, , you say "I had a file that dumped session to text file", , This may NOT be a security risk, It all depends on what is in the "text file", that was in the session data, that is now in this text file. Obviously if the developer was stupid enough to have a plain-text Password in the session data, and the user name and the user Password (in plain-text) are in the "text file", then a BIG YES, It is a security risk!

as to a session ID in a "text file", this is in your browser cookie anyway, and is not usually considered much of a security risk, , HOWEVER, very knowledgeable coders may be able to take some advantage of it , in a Short Term way. BUT ALL of the phpsessionid are meant to be only ONE TIME use, SO YOU the developer, must avoid placing ANY passwords, security info, phpsessionid and other risks into a "text file".
persistent security data storage is best done into a MySQL update.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 167 total points
ID: 39954460
Some of the confusion about how the PHP session works is related to how browsers deal with the cookie jar.  The PHP session uses cookies, and cookies are sent to the browser and returned by the browser, so the contents of the cookie must be considered "tainted."

In this article...
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
... look for The Fine Print
0
 

Author Closing Comment

by:rgb192
ID: 39954953
Thanks for session information.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now