Implementing Session Support COEN 351

State Maintenance Client Side Mechanisms  Cookies Client needs to allow cookies Cookie handling done by browser  Hidden Fields in Forms Each page has to be rebuild to contain correct form  Fat URL Each page has to be rebuild with correct links Server Side Mechanisms Files Database Web server  Long running process that can crash  Needs to use a client side mechanism Security Implication:  CLIENT CAN CHANGE ALL INFORMATION

Server Side Support Apache:Session  Perl module failed test for windows CGI:Session Homemade Session Support  Use to investigate security issues

Using a session database mysql> create database session; mysql> use session; mysql> create table sessionid ( -> id MEDIUMINT NOT NULL AUTO_INCREMENT, -> name CHAR(30) NOT NULL, -> PRIMARY KEY (id) -> );

Using a session database mysql> show tables; | Tables_in_session | | sessionid | row in set (0.00 sec) mysql> INSERT INTO sessionid (name) VALUES ('thomas'); Query OK, 1 row affected (0.10 sec) mysql> INSERT INTO sessionid (name) VALUES ('bob'),('jim'); Query OK, 2 rows affected (0.04 sec) Records: 2 Duplicates: 0 Warnings: 0 mysql> SELECT * FROM sessionid ORDER BY id; | id | name | | 1 | thomas | | 2 | bob | | 3 | jim | rows in set (0.00 sec)

Creating a Password Database mysql> create table user ( -> name VARCHAR(8), -> password VARCHAR(8), -> primary key (name) -> ); Query OK, 0 rows affected (0.16 sec) mysql> INSERT INTO user -> VALUES ('JoeDoe','12345'), ('JaneDoe','12345') -> ; Query OK, 2 rows affected (0.09 sec) Records: 2 Duplicates: 0 Warnings: 0

Sample Application Login Page  Typically form that is self-referring When user info is submitted, page acts differently Acceptance page that creates a session  Stores session id in cookie

Login Page #!/perl/bin/perl.exe use strict; use CGI qw/:standard/; use MIME::Base64::URLSafe; #I had problems with this module under build 819 my $q = new CGI; print $q->header(-type => "text/html"); print $q->start_html("Santa Claus University Login Page"); print $q->h1("Welcome to Santa Claus University"); print $q->start_form( -action => "session1.cgi", -method => 'GET'), $q->p("Please enter your account"), $q->textfield (-name => "name"), $q->p("Please enter your password"), $q->textfield (-name => "pwd"), $q->p(" "), $q->submit (-name => 'choice', -value => "Submit" ), $q->end_form(); print $q->end_html; More normal: -action => url()

Login Page <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" " Santa Claus University Login Page Welcome to Santa Claus University Please enter your account Please enter your password Notice that there is currently no protection for the data to be transmitted.

Creating a Session Use MySQL database with autoincrement feature: mysql> describe sessionid; | Field | Type | Null | Key | Default | Extra | | id | mediumint(9) | NO | PRI | NULL | auto_increment | | name | char(30) | NO | | | | rows in set (0.15 sec)

Creating a Session #!/perl/bin/perl.exe use strict; use DBI; use CGI qw/:standard :html3/; use CGI::Carp qw/ fatalsToBrowser/; #for debugging only use MIME::Base64::URLSafe; #I had problems with this module under build 819 my $q = new CGI; #Get information from GET data: my $username = param('name'); my $pwd = param('pwd');

Creating a Session my $dbh = DBI->connect ("DBI:mysql:host=localhost;database=session", "root", "none",{PrintError => 0, RaiseError => 1} ); my $sth = $dbh->prepare("SELECT * FROM user WHERE name = '$username' and password = '$pwd' "); $sth->execute(); my $ref = $sth->fetchrow_hashref (); $sth->finish(); if (!defined($ref)){ print "Location: bin/session.cgi\n\n" } else{ code on next page } Possibility of SQL injection attack! Would it be better to check results?

Creating a Session else{ #create entry in sessionid, get session ID, and clean up table $dbh->do ("INSERT INTO sessionID (id,name) VALUES(NULL,'$username')" ); my $ref = $dbh->selectcol_arrayref("SELECT LAST_INSERT_ID()"); my $sessionid $dbh->do("DELETE LOW_PRIORITY FROM sessionid WHERE id < '$sessionid' and name = '$username'"); Clean up session table mysql> select * from sessionid; | id | name | | 41 | JoeDoe | | 42 | JaneDoe | rows in set (0.05 sec) Is this code vulnerable to a race condition?

Creating a Session else{ … my $cookievalue1 = urlsafe_b64encode($sessionid); my $cookievalue2 = urlsafe_b64encode($username); my $cookie1 = $q->cookie ( -name => 'sessionID', -value => $cookievalue1, -expires => "+1d" ); my $cookie2 = $q->cookie ( -name => 'account', -value => $cookievalue2, -expires => "+1d" ); print $q->header(-type => "text/html", -cookie => [$cookie1,$cookie2]); print $q->start_html("Santa Claus University Login Page"); print $q->h1("Welcome to Santa Claus University"); print $q->start_form( -action => "session2.cgi", -method => 'GET'), $q->hidden($cookievalue1), $q->submit (-name => 'Continue', -value => "Submit" ), $q->end_form(); print $q->end_html; } Cookie values are not protected!

Maintaining Session Data use strict; use DBI; use CGI qw/:standard :html3/; use CGI::Carp qw/ fatalsToBrowser/; use MIME::Base64::URLSafe; my $q = new CGI; print $q->header(-type => "text/html"); print $q->start_html("Santa Claus University Login Page"), $q->h1("Welcome to Santa Claus University"), $q->p("We offer degrees for money."); foreach my $name ($q->cookie()){ my $value = urlsafe_b64decode($q->cookie($name)); print $q->p("$value"); } print $q->end_html; No authentication of cookie values.

Security Problems We need to use cookies / fat URLs to refer to the current session name.  This information needs to be protected against alteration against substitution