LinuxQuestions.org
Old 11-07-2003, 01:31 PM   #1
pnh73
Member
 
Registered: Jul 2003
Location: Birmingham, UK
Distribution: Ubuntu,Debian
Posts: 381

Rep: Reputation: 30
PHP Session ID Security


Hi,

I have a script which I am working with that shows the SessId in the address bar, and if the user doesn't log out (hence destroying the session) this session can be reopened and the "secure" page accessed. This is probably due to the session not being destroyed.

Is it possible for someone malicious to find what the variables that make up the Session ID are and then generate their own to get access to other users' areas that are deemed to be "secure"?

TIA
 
Old 11-07-2003, 02:09 PM   #2
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
Yes and no... the string is difficult to match, but it is possible to "massage" the session header info and gain access to an area not intended for you. The bigger worry is mismanaged session state, wherein if the session isn't forced to close after a set amount of idle time and the client doesn't close the session properly, another person can simply hop on the machine and access the user's data. You definitely want to configure the web server to manage active and inactive http/https sessions while at the same time your code enforces session state in a reasonable manner.
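The two problems raised in this thread (a session id visible in the address bar, and a session that stays valid because nobody destroys it) can both be addressed in PHP itself. The following is an added example, not code from the thread or from any poster, assuming PHP 7.3 or later with the standard session extension; the 15-minute idle limit and the /login.php redirect target are illustrative choices.

```php
<?php
// Added example (not from the thread): hardening PHP session handling
// against a session id leaking into the URL and against sessions that
// outlive the user. Assumes PHP >= 7.3; IDLE_LIMIT_SECONDS and the
// /login.php path are illustrative.

declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 900;   // 15 minutes of inactivity ends the session

// Never accept a session id from the query string or rewrite it into links;
// this is what puts the SessId in the address bar in the first place.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.cookie_httponly', '1');   // keep the cookie away from scripts
ini_set('session.cookie_secure', '1');     // only send it over HTTPS
ini_set('session.cookie_samesite', 'Lax');
// Let server-side garbage collection drop idle session files as well.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT_SECONDS);

session_start();

/**
 * Enforce the idle limit in code rather than trusting gc alone.
 * Returns true when the session is still usable and refreshes its timestamp.
 */
function sessionIsFresh(int $now, int $idleLimit): bool
{
    if (isset($_SESSION['last_activity'])
        && ($now - (int) $_SESSION['last_activity']) > $idleLimit) {
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

/** Fully tear down a session: server-side data, the cookie, and the id. */
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/**
 * On successful authentication, issue a fresh id so an id captured before
 * login cannot be reused afterwards (session fixation).
 */
function onLoginSuccess(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['last_activity'] = time();
}

// Per-request gate: an idle session or an explicit logout ends here.
if (!sessionIsFresh(time(), IDLE_LIMIT_SECONDS) || isset($_GET['logout'])) {
    destroySession();
    header('Location: /login.php');
    exit;
}
```

The ini_set calls must run before session_start(); in practice the same directives belong in php.ini or the virtual host so that every script on the host gets them. With use_only_cookies and use_strict_mode on, a session id pasted into the address bar is ignored and an id the server did not issue is discarded, which removes the "reopen the secure page later" path the original post describes.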
 
Old 11-07-2003, 03:35 PM   #3
pnh73
Member
 
Registered: Jul 2003
Location: Birmingham, UK
Distribution: Ubuntu,Debian
Posts: 381

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by cyph3r7
Yes and no... the string is difficult to match, but it is possible to "massage" the session header info and gain access to an area not intended for you.
How? I want to test out my code to see if it is exploitable... Any HOWTOs?
 
Old 11-07-2003, 04:22 PM   #4
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well, what is of more importance is, for instance, in a virtual hosting environment - like at most ISPs, PHP is set up with default values. EVERYBODY can list the directory which is being used for sessions - this is mostly /tmp/php. So you could just list that and give it a try.

Well, honestly, I have recently coded a class for secure login. It uses md5 hashes to ensure the correctness of the data:
  • ip
  • username
  • expire (max idle time verification)
  • hashes to ensure the above are valid

This should work ... you can call that paranoid, but it definitely is more secure than relying on something else. Maybe I'll give you some code excerpts...
 
Old 11-08-2003, 09:31 AM   #5
pnh73
Member
 
Registered: Jul 2003
Location: Birmingham, UK
Distribution: Ubuntu,Debian
Posts: 381

Original Poster
Rep: Reputation: 30
cyph3r7 said that it was possible to massage the $_SESSION variables to get a correct hash. Is this correct?

I am trying to put myself in the position of a potential cracker... He managed to get hold of 1 Session ID but doesn't have SSH/Telnet access, so he can't get to the /tmp directory and doesn't want to hack just the account he got the Session ID for but wants to generate more... Any ideas?
 
Old 11-08-2003, 03:17 PM   #6
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well, when you have carefully implemented my suggestions above, one invalid hash will force the user to log in again and erase the session data. I forgot to mention that in my particular protection there is also a secret hash which, in combination with the other 2 hashes, is my VERIFICATION hash.

If one of the hashes is invalid => login form.
 
Old 11-10-2003, 04:53 AM   #7
pnh73
Member
 
Registered: Jul 2003
Location: Birmingham, UK
Distribution: Ubuntu,Debian
Posts: 381

Original Poster
Rep: Reputation: 30
I noticed that after trying to check my PHP scripts on w3c.org, the checking script got the raw script remotely! How does it do this? I am guessing it would be possible for a cracker to extract the contents of my PHP script and find the $_SESSION[""] values! I have not come across anything like this before. It's kind of worrying as this would enable anyone to just leech your carefully crafted PHP site :s
 
Old 11-11-2003, 02:01 PM   #8
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well, if it can get your raw script, your webserver is misconfigured. However, you can always encrypt your scripts using Turck MMCache.
 
Old 11-12-2003, 11:15 AM   #9
pnh73
Member
 
Registered: Jul 2003
Location: Birmingham, UK
Distribution: Ubuntu,Debian
Posts: 381

Original Poster
Rep: Reputation: 30
How can I fix this misconfiguration then?
 
Old 11-12-2003, 11:27 AM   #10
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Please refer to the documentation on how to enable PHP for Apache 1/Apache 2. It contains everything required.
 
Old 11-13-2003, 12:51 PM   #11
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
What you could do to secure the area around the secret hash even more would be setting up a hash table in the database and filling it with, let's say, 1000 values of different hashes; expand the script to submit the hash_id also and use the hash on a random basis ... this will ensure maximum security (but will also be slower, since the hash is also validated each time, since it can't be known to be valid).
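The scheme markus1982 sketches across posts #4, #6 and #11 (bind the session to ip, username and expiry; protect those values with a hash that depends on a server-side secret; on any mismatch, wipe the session and show the login form; pick the secret by id from a table) can be written as a small PHP module. This is an added example and not the poster's own class: md5 from the thread is replaced by HMAC-SHA256 with a server-side key, so that knowing the bound values alone is not enough to recompute the hash, and the key table with `key_id` stands in for the "hash table with hash_id" idea. The SERVER_SECRETS values, MAX_IDLE_SECONDS and the /login.php path are constructed placeholders.

```php
<?php
// Added example (not markus1982's class): a session record bound to
// ip + username + expire, protected by HMAC-SHA256 under one of several
// server-side keys chosen by key_id. Any failed check => login form.
// Assumes PHP >= 7.1. Secrets below are constructed placeholders; real
// ones come from random_bytes() and live outside the web root.

declare(strict_types=1);

const SERVER_SECRETS = [
    1 => 'placeholder-secret-one-replace-me',
    2 => 'placeholder-secret-two-replace-me',
    3 => 'placeholder-secret-three-replace-me',
];

const MAX_IDLE_SECONDS = 600;   // illustrative idle limit

/** Canonical string covered by the keyed hash; key_id is included so it cannot be swapped. */
function bindingPayload(string $ip, string $username, int $expire, int $keyId): string
{
    return implode('|', [$ip, $username, (string) $expire, (string) $keyId]);
}

/** The VERIFICATION hash: keyed with the server secret selected by key_id. */
function verificationHash(string $ip, string $username, int $expire, int $keyId): string
{
    return hash_hmac('sha256', bindingPayload($ip, $username, $expire, $keyId),
                     SERVER_SECRETS[$keyId]);
}

/** Build a fresh record; called after a successful password check and on every valid request. */
function establishSession(string $username, string $ip, int $now): array
{
    $keyId  = array_rand(SERVER_SECRETS);   // random key per issue, as the thread suggests
    $expire = $now + MAX_IDLE_SECONDS;
    return [
        'ip'       => $ip,
        'username' => $username,
        'expire'   => $expire,
        'key_id'   => $keyId,
        'hash'     => verificationHash($ip, $username, $expire, $keyId),
    ];
}

/**
 * Re-check the record on every request. Returns a refreshed record with a
 * slid expiry, or null when any field or the hash fails (=> login form).
 */
function verifySession(?array $rec, string $currentIp, int $now): ?array
{
    if ($rec === null) {
        return null;
    }
    foreach (['ip', 'username', 'expire', 'key_id', 'hash'] as $field) {
        if (!array_key_exists($field, $rec)) {
            return null;                  // incomplete record
        }
    }
    $keyId = (int) $rec['key_id'];
    if (!isset(SERVER_SECRETS[$keyId])) {
        return null;                      // unknown key id: not issued by us
    }
    $expected = verificationHash((string) $rec['ip'], (string) $rec['username'],
                                 (int) $rec['expire'], $keyId);
    if (!hash_equals($expected, (string) $rec['hash'])) {
        return null;                      // altered or forged values
    }
    if ($rec['ip'] !== $currentIp || (int) $rec['expire'] < $now) {
        return null;                      // different client, or idle too long
    }
    return establishSession((string) $rec['username'], $currentIp, $now);
}

// Per-request gate.
session_start();
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$record   = verifySession($_SESSION['auth'] ?? null, $clientIp, time());
if ($record === null) {
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');      // one invalid hash => login form
    exit;
}
$_SESSION['auth'] = $record;             // valid: store the re-signed record
```

hash_equals() is used instead of `==` so that the comparison does not leak timing information about how many leading characters matched. Two caveats a practitioner will want: binding to REMOTE_ADDR logs out users whose address changes mid-session (mobile clients, rotating proxies), so behind a reverse proxy the bound address must be the real client address, not the proxy's; and the key table only helps if the secrets themselves are unreadable to other tenants, which on the shared /tmp/php setup described in post #4 means keeping them in a file or database the web server user alone can read.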
 
Old 11-13-2003, 01:51 PM   #12
pnh73
Member
 
Registered: Jul 2003
Location: Birmingham, UK
Distribution: Ubuntu,Debian
Posts: 381

Original Poster
Rep: Reputation: 30
Cool, thanks for the help guys!
 