1
©2009 Justin C. Klein Keane
PHP Code Auditing, Session 7: Sessions and Cookies
Justin C. Klein Keane, jukeane@sas.upenn.edu
2
PHP Session
Sessions are used to track data across page requests.
They are a way to end-run the stateless nature of HTTP.
Each session is tracked by an id.
Session data is stored server side; where and how is governed by php.ini (session.save_handler and session.save_path).
The session id is stored client side, as a cookie or as a URL parameter.
3
Starting a Session
Initializing a session:
<?php session_start(); ?>
session_start() has to run before any output is sent, because it adds the session cookie to the response headers.
4
Session Variables Preserved
Session variable values are saved on the server and tied to a session id.
Session variables are therefore preserved across page requests.
Information like user account data, shopping carts, etc. is typically stored in the session.
Because the client only ever holds the id, the client cannot tamper with session variables directly; the id is the only thing under its control.
5
Using Session Variables
$_SESSION is a superglobal variable: http://us3.php.net/manual/en/language.variables.superglobals.php
Entries in the $_SESSION array are set and read in the same way as entries in the other superglobals:
<?php $_SESSION['user_id'] = $user_id; echo $_SESSION['user_id']; ...
Only values assigned after session_start() has been called are saved with the session.
6
Session Collision
Sessions should be named per application.
The default session cookie, PHPSESSID, is shared across a domain like any other cookie, so different applications on the same host end up sharing one session.
This can lead to unintended single sign-on, or to unauthenticated access when one application trusts a $_SESSION value (such as a user id) that another application wrote.
Example...
7
Naming a Session
<?php session_name('myapp'); session_start(); ?>
session_name() must be called before session_start().
This gives the application its own session cookie, so its session is not shared with other applications on the same domain that use the default PHPSESSID.
8
Terminating a Session
Tearing down a session:
<?php session_destroy(); ...
Unset any sensitive variables:
<?php unset($var);
Note that session_destroy() only removes the server side session data: it does not empty $_SESSION for the remainder of the current request, and it does not remove the session cookie from the browser. Both have to be handled explicitly.
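A complete teardown, as an added example (not code from the original slides), following the order the PHP manual recommends: clear the in-memory array, expire the cookie with the same parameters it was set with, then destroy the server side record. The redirect target /login.php is a hypothetical name.

```php
<?php
// Added example: a full logout. session_destroy() alone leaves $_SESSION
// populated for the rest of the request and leaves the session cookie in the
// browser, so all three pieces of state are cleared here.
function logout_session()
{
    // session_status() exists since PHP 5.4; on older versions call
    // session_start() unconditionally instead.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop every session variable, including sensitive ones such as user_id.
    $_SESSION = array();

    // 2. Expire the session cookie in the browser. The path/domain/secure/
    //    httponly values must match the ones the cookie was set with, or the
    //    browser treats this as a different cookie and keeps the old one.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,      // an expiry in the past deletes the cookie
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // 3. Remove the server side data (the sess_<id> file or handler record),
    //    so the old id can no longer be adopted by anyone who captured it.
    session_destroy();
}

// Usage on the logout page, before any output has been sent:
logout_session();
header('Location: /login.php'); // hypothetical destination
exit;
```

The cookie expiry in step 2 is a courtesy to the browser; step 3 is what actually invalidates a captured session id, since the server no longer has data for it.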
9
Dangers of Session
Whoever holds a session id can "adopt" the session: the id is the only credential the server checks on each request.
Be wary of restricting a session to a client IP address: proxies, NAT and mobile clients legitimately change addresses mid-session.
Using additional cookie values alongside the session id can add "uniqueness" to a session, but they are still client supplied and only raise the bar for an attacker who already has the id.
10
Session Leaking
Session data is stored on the filesystem by default, one sess_<id> file per session under session.save_path; where several applications share that directory and run as the same user, each can read the others' ids and data.
Session ids in URLs are leaked through the Referer header whenever the user follows a link to another site.
Session ids in URLs also get copied and pasted, bookmarked, and end up in proxy and web server log files.
Session ids in cookies are safer, but still travel with every request and can be read by script in the browser unless the cookie is httponly.
11
Cookies
Cookies are nothing more than small name/value strings that the browser stores and sends back with later requests.
Any site can set cookies for its own domain (or a parent domain of it) if the browser accepts them, and everything in a cookie is under the client's control.
12
Setting Cookies
<?php setcookie($name, $value, $expire, $path, $domain, $secure, $httponly); ?>
Note that expiry is enforced by the browser, which may or may not actually stop sending the cookie at the set time; the server cannot rely on it.
There is no native server side tracking of cookie expiry, so anything that must expire reliably (a session, for example) has to be expired on the server.
13
Cookie Location
Domain and path determine the requests with which the cookie will be submitted.
The scheme is not part of cookie scope: a cookie set during an HTTP request is also sent with HTTPS requests to the same host, and a cookie set over HTTPS is also sent over plain HTTP unless it carries the secure flag.
14
Cookie Security
Setting a cookie to secure indicates that the cookie should only be sent via HTTPS.
This means the browser will only submit the cookie with HTTPS requests.
Be careful: you can set a secure cookie over plain HTTP! The flag constrains where the browser sends the cookie, not how the Set-Cookie header reached it, so the value has already crossed the wire in the clear. (Newer browsers reject a secure cookie set from an insecure origin, but the application should not depend on that.)
15
Cookie Security (cont.)
Setting the cookie to httponly is a VERY good idea in most circumstances.
Only available from PHP 5.2.0 onwards.
The cookie is then only available over HTTP (sent in request headers); JavaScript cannot read it through document.cookie.
This does not prevent XSS itself, but it stops an XSS payload from stealing the cookie (and with it the session id), leaving the attacker only what can be done from inside the victim's browser.
Unfortunately the browser must support the flag; one that does not will silently ignore it.
16
Accessing Cookies
Cookies can be accessed via multiple superglobals:
<?php echo $_COOKIE['foo']; print_r($_SERVER['HTTP_COOKIE']); ...
$_COOKIE holds the parsed name/value pairs; $_SERVER['HTTP_COOKIE'] holds the raw Cookie request header. Both are attacker controlled input and must be validated like any other.
17
Sessions and Cookies
The cookie that carries the session id is configured in php.ini.
Some relevant settings include:
session.cookie_secure (send the session cookie only over HTTPS)
session.cookie_httponly (hide the session cookie from JavaScript)
session.referer_check (a substring the Referer header must contain for the session id to be accepted; requests that send a Referer without it get a fresh, empty session, while requests with no Referer at all are unaffected)
session.use_only_cookies (never accept a session id from the URL)
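The settings above, plus the per-application session name from the earlier slide, applied from application code so the hardened values travel with the application rather than depending on php.ini. This is an added example, not code from the original slides; the cookie name 'myapp', the preference cookie 'myapp_pref' and the assumption that the application is meant to be served only over HTTPS are all hypothetical.

```php
<?php
// Added example: start a session with hardened cookie settings.
function start_hardened_session($appName = 'myapp')
{
    // Refuse to start a session over plain HTTP. A secure cookie set over
    // HTTP has already been transmitted in the clear, so redirect first.
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$isHttps) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }

    // Never accept a session id from the URL and never rewrite ids into
    // links, so ids cannot leak via Referer, bookmarks or logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Per application cookie name, so we do not share PHPSESSID with other
    // applications on the same domain. Must precede session_start().
    session_name($appName);

    // lifetime 0   = browser session cookie
    // path '/'     = whole site
    // domain ''    = no Domain attribute, so only this exact host gets it
    // secure true  = session.cookie_secure
    // httponly true = session.cookie_httponly
    session_set_cookie_params(0, '/', '', true, true);

    session_start();

    // Any other application cookie should be set with the same flags
    // explicitly; setcookie() defaults both secure and httponly to false.
    setcookie('myapp_pref', 'compact', time() + 86400, '/', '', true, true);
}

start_hardened_session();
```

Setting the parameters in code rather than php.ini also makes the values visible to an auditor reading the application, instead of depending on whatever the hosting environment happens to ship.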
18
Session Security
Session fixation: a flaw in application logic that lets an attacker choose the victim's session id, typically because the application keeps using whatever id the client presented instead of issuing a fresh one when the user logs in.
Especially dangerous when session ids are accepted in GET: the attacker only has to send the victim a link that carries the chosen id.
Fixation also works with cookies when the attacker can set cookies in the victim's browser, for example from a sibling subdomain by scoping the cookie to the parent domain, or through an injection on the same domain.
Session predictability: if ids come from a weak source, an attacker can guess a valid one without ever seeing it.
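The standard defence against fixation is to issue a new id whenever the session's privilege level changes, and to refuse to adopt an id the server never created. The following is an added example, not code from the original slides; it assumes cookie based sessions started as in the earlier slides, and the $_SESSION key names and the user id value are hypothetical.

```php
<?php
// Added example: anti-fixation handling around login.

function session_is_server_issued()
{
    // A session this server created carries a marker we set ourselves. An id
    // the attacker handed to the victim has no data behind it, because the
    // server never wrote a record for it.
    return !empty($_SESSION['initiated']);
}

function accept_or_replace_session()
{
    if (!session_is_server_issued()) {
        // Unknown id: discard it and issue a fresh one rather than adopting
        // whatever the client presented. (session.use_strict_mode=1, PHP 5.5.2+,
        // makes the engine do this part itself.) This only filters ids the
        // server has never seen; an attacker can obtain a valid, initiated id
        // by visiting the site first, which is why login() below regenerates
        // the id again regardless.
        session_regenerate_id(true);
        $_SESSION = array();
        $_SESSION['initiated'] = true;
    }
}

function login($userId)
{
    // Called only after the caller has verified the user's credentials.
    // Regenerate at every privilege change: the pre-login id may have been
    // chosen by an attacker (fixation) or observed in a URL or log (leakage).
    // true = delete the old server side record, so the old id dies immediately.
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_time'] = time();
}

// Per request flow:
session_start();
accept_or_replace_session();
// ... verify the submitted credentials and obtain $userId (not shown) ...
// login($userId);
```

The marker check and the regeneration on login are independent: the first narrows what ids the application will even look at, the second guarantees that the authenticated session runs under an id the attacker has never held.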