Can someone explain me how session fixation really works? On my localhost server I uploaded file with this code:
<?php
session_start();
if (!isset($_SESSION['count'])) $_SESSION['count'] = 0;
else ++$_SESSION['count'];
echo $_SESSION['count'];
?>
I set in my browser address: http://localhost/sessiontest.php?PHPSESSID=1234
It will begin just with 0 writen, after few times pressed refresh button it will go to 1,2,3,4,...In book and on internet topic I read before, there'written that if I use this adress in browser in different browser or in diferent PC, it will show the number mz first browser ended with. However when I typed this address to second PC, it was begining from 0.
Is it somehow secured in higher version of Apache and PHP or did I totally misunderstood the topic? Thanks for help!
I think you may have misunderstood. PHP uses PHPSESSID to store the ID of a session. Normally this value is stored in a cookie, but it can also be stored in the url if cookies are disabled.
If you read the value of the url (or the cookie) on one browser, you can use that value in the url in another browser to effectively take over that session. That is because PHP doesn't track any information, but just uses that session id to identify a session.
I guess in your case, cookies are enabled as well, so PHP uses the stored cookie rather than the URL value. You can try to delete the cookie first, disables cookies altogether and use this url, or you can change the value of the cookie.
Related
CLIENT:
start_session() creates a cookie (by default): Name: PHPSESSID; Content: 1q2w3e4r5t; Domain: '/'; Expires:...
SERVER:
It also creates a file stored in (my case): /var/lib/php/sessions. Call that in there: sess_1q2w3e4r5t. (Absolute path: /var/lib/php/sessions/sess_1q2w3e4r5t)
So we have two physical things that are bonded to the session I just created.
What is the point of having both?
Can I just store my session in /var/lib/php/sessions regardless of use_only_cookies option?
I have a classic example with a $_SESSION['counter'] variable. Meaning that, every time I reload the example.php page, the $_SESSION['counter'] increments (++) by one. So, on the loop of pressing the F5 button, lets say I got 55 as the value of $_SESSION['counter']. Finally I its that cookie but not the /var/lib... file. After that deletion I get a 56 and the loop continues as normal. This just intrigued me and got me with the question. Are session cookies necessary?
Is still possible a way in which my site just stores session only in the server and not using cookies?
This is how I deleted the cookie. notice counter value is 69.
Then F5:
The cookie is there so that the client can tell the server which session file is theirs. The cookie value corresponds to the file that's created on the server.
Without it, the server will just create a new session file for the client, and obviously none of the data from the previous request will be there.
I can only imagine that you are not deleting the cookie properly.
A visitor accessing your web site is assigned a unique id, the
so-called session id. This is either stored in a cookie on the user
side or is propagated in the URL.
The point of having both session and cookie is the quote above
In short: without cookies, the client would become a strange visitor
I've seen various questions like mine, though none provide the correct answer.
I've a PHP script:
session_start();
setcookie(session_name('DSWLogin'),session_id(),time()+2*7*24*60*60, '/');
//This will only be set once (when the user logs in)
$_SESSION['test'] = 'Yup, I am working';
if (isset($_SESSION['test'])){
echo 'Session is set and ready!';
} else {
echo 'No session was set...';
}
and that all works fine except after a browser restart, my PHP script ignores the session.
When my browser hasn't restarted yet, it'll echo 'Session is set and ready!'; just fine.
And when I look into my cookie tab, it indeed says a cookie, named DSWLogin has been set with a certain value.
When I restart my browser, my cookie tab still says that a cookie, named DSWLogin has been set with the same value it had before the restart, so it is still there!
But my PHP script apparently ignores is, and outputs 'No session was set...'...
Thanks in advance,
Isaiah v. Hunen
What you are trying to do is not really the correct way to achieve this. Sessions have two parts, a cookie with a session id set by default to expire at the end of the session (usually browser close) and a server side storage mechanism that is cleaned up automatically after a certain period of time after the last request was received.
What you are trying to do is extend the session to two weeks. While you could change the cookie settings and increase the timeout to session garbage collection doing this is not very reliable.
Instead you want to look at using a one time key stored in a cookie which acts as an alternate login path. This cookie can recreate the session just like a normal login would. There are some details that need to be considered for this to remain secure, but it will do what you are attempting to achieve.
Just because you are setting your session_id in some cookie doesn't mean it is THE session cookie. Most browsers will purge session cookies on browser close. This is what you are seeing. Look at the cookies in your browser that are set when your session is valid and compare this to the cookies that are still remaining after browser restart. You will notice your true session cookie has gone missing.
Quoting the manual:
The session name is reset to the default value stored in session.name
at request startup time. Thus, you need to call session_name() for
every request (and before session_start() or session_register() are
called).
Also if you want to change lifetime of session cookie, use session_set_cookie_params instead of forcing your own cookie.
Also read about session garbage collection and configuration, changing cookie lifetime might not be enough.
Today I had skype interview for a job as PHP developer, one of the questions asked was about Cookies and PHP Sessions.
The question was, can PHP session be set and read, used, if Cookies are disabled in users Browser?
I told them not, beacuse PHP Sessions by default depends on setting a session cookie. When PHP session starts, new session Cookie is set with default name PHPSESSID, and that cookie holds value of that session id, for example: ftu63d8al491s5gatuobj39gk7
Then on apache server in tmp folder file sess_ftu63d8al491s5gatuobj39gk7 is created and it holds content of that session, for example: test1|s:12:"SessionTest1";test2|s:12:"SessionTest2";
They told me that's not true, and that you can use PHP Sessions even if user disables cookies in his browser.
Then I told them that you can do that, but then session id would be passed through URL as GET variable. And that's not secure and you must set it up in php.ini.
They were talking how you can use PHP Sessions even if Cookies are disabled in browser. And what if we are building web shop, and some granny uses our web shop and disables cookies and she joust don't care. And that PHP Sessions are great because you can use them even if user disables Cookies. I was like wtf, wtf wtf?!?!
I made test with two files, index.php starts session and sets session variables. And then session.php tries to read that session variables.
This is how it looks:
index.php
<p>This is where I start and set php sessions.</p>
<?php
session_start();
$_SESSION['test1'] = "SessionTest1";
$_SESSION['test2'] = "SessionTest2";
?>
<p>This is a link, that starts new HTTP Request, and tries to read session set on this page:</p>
<p>Read Session</p>
session.php
<?php
session_start();
var_export($_SESSION);
?>
<p>Back</p>
Now, if you enable cookies in your browser, visit index.php, and the visit session.php , session would be printed out.
But, if you clear your browser history and cookies, and then visit index.php, and then visit session.php, you would see empty array right?
So basically my question is, am I right?
Can you use PHP sessions if you disable cookies in your browser?
And do PHP Session mechanism by default, depends on setting a session COOKIE?
Update:
I was going mad about this, so I called back the guy I was talking with. And asked him, can PHP session work without cookies by default? The guy said "yes". Then I told him he is wrong and he said: "yes, yes, if you say so..." and start laughing. Then I told him, ok if PHP session can work without setting cookie, how would server know current user/browser session id, if its not stored in a session cookie? (I wanted to see if he knows that session id can be passed as GET variable) And he was quiet for at least 20s, and told me that he is a System Administrator, and that I should ask that the Developer guy. And that he is 43 years old and has huge experience of 13 years in the bussines (he started with 30? wtf?), but he trusts me on this one. And I explained him how Session work and that you can use it without Cookie but then session id is passed as GET variable, and told him I told them that on interview, but they ware telling me no, no no... :S
So basically, the guy didn't have a clue about PHP and PHP Sessions, and yes he was the one that asked me about sessions telling me that PHP Session can work without cookie, even when I told him it cant be done, and that there is a way to use PHP Sessions without cookies but it won't work by default. He was like, no no no...
At the end he told me that he was thinking that sessions can work without cookies because he, as System Admin on his servers, can never see sessions in tmp folder?!?!?
Anyway, those guys suck at PHP, there is no way I will accept job offer from them, and after all this I dont think they will offer me a job anyway...
Thanks for all the comments!
"A visitor accessing your web site is assigned a unique id, the
so-called session id. This is either stored in a cookie on the user
side or is propagated in the URL. "
Sessions: Introduction
If session.use_cookies = 1 (Cookie enabled.)
If session.use_cookies = 0 (Cookie disabled.)
If session.use_cookies = 1 then session stores the sessionId into cookie. Calling session_id() get the stored sessionId from cookie and saved data into session array will be found on all the pages. If session.use_cookies = 0 In this case session does not store sessionId into cookie and you will get each time a new sessionId using session_id() and data stored into session on other pages will not be found on another pages.
Yes session will work when cookies is disabled.
But first apache check php configuration settings.
Like:
--enable-trans-sid
and
--enable-track-vars
if these value are set true the session will passed by POST automatically.
If "--enable-trans-sid" and "--enable-track-vars" values are set to FALSE, we need to pass session id by using the SID constant.
< a href="index.php?<?= SID ?>" >Navigate from here< /a >
Need to set php.ini
ini_set("session.use_cookies", 0);
ini_set("session.use_trans_sid", 1);
So basically my question is, am I right?
Mostly. In the real world: YES.
Can you use PHP sessions if you disable cookies in your browser?
You CAN use PHP sessions without cookies, as long as the browser identity is obtained somehow and yields a unique value (and this value is passed to the PHP session layer):
session ID in GET (which is the "standard" PHP way if cookies are not allowed, and the "other" way you described). This value is then propagated automatically by PHP, e.g. added to all A HREF's and so on. Where it is not propagated because the automagical link recognition failed (e.g. complex URL built in Javascript), it is your responsibility to provide accordingly.
Or - and here we're not in Kansas anymore:
passed among the nonces with Auth Digest (this is a dirty trick, and of course requires that the whole site is behind an Auth-Digest access authentication scheme. And you can no longer use a "dummy auth" (i.e. http://welcome:guest#www.example.com ) because some browsers, e.g. Internet Explorer, do not support them anymore for security reasons)
recognizing the browser some other way ("fingerprinting") (this is normally(1) suicidal)
Use LSO (Local Shared Objects) to generate a random UUID if it's not there already, and store it so that it can be retrieved on subsequent accesses.
other ways ( see http://en.wikipedia.org/wiki/Evercookie )
(1) if you were in a LAN where you can trust the IPs, you could associate a "session" to the user IP. You might enforce a strict "no cookies" policy in a small firm and still have user sessions without resorting to _GET/_POST for your session ID.
You are right, Session cannot work without cookies.
To illustrate this try doing the following actions.
Login To Gmail.
After login disabled the cookies.
Refresh the page.
You will be redirected to the login page again as the server cannot identify the session.
Now again enable the cookies.
Refresh the page. (Note: Don't click on login button).
You will be automatically redirected to the Gmail inbox.
Hence, we can say without cookies session will not work.
Also, If you are trying to login into the gmail( taking as example you can take any website) with diabled cookies then it will message as "Your browser has cookies disabled. Make sure your cookies are enabled and try again."
If it was me, I would say "Yes"
Since you could store session in form / url somewhere to passed to next page (very bad idea). So, based on his question "can PHP session be set and read, used, if Cookies are disabled in users Browser?"
Then, it should be yes. It can read and used.
However, If user close browser, then it's gone, and that's it. (since that guy didn't ask about this part)
Yes.. It will Work
1.PHP will pass one GET parameter in URL with the name PHPSESSID but it can be changed session.name in php.ini file.
2. It add one hidden input in forms with same name.
You will need to put the session ID in the URL. You will need to make a change in your php.ini file so if you are on a shared host you will need to contact them to see what they will do for you.
// tell the PHP we want to use cookies from the session
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid','1');
session_start();
// then pass the session ID in the URL(inspect, navigate the network refresh the page you will see in the headers your session ID)
I'm playing around with cookies. And I dont have any cookies called PHPSESSID.
Do i need it? Can i remove it?
Whats the "function" of it?
if (count($_POST)) {
setcookie("TestCookie", htmlspecialchars($_POST['val']), time()+3600);
}
print_r($_COOKIE);
Prints:
Array
(
[TestCookie] => blabla
[PHPSESSID] => el4ukv0kqbvoirg7nkp4dncpk3
)
PHP uses one of two methods to keep track of sessions. If cookies are enabled, like in your case, it uses them.
If cookies are disabled, it uses the URL. Although this can be done securely, it's harder and it often, well, isn't. See, e.g., session fixation.
Search for it, you will get lots of SEO advice. The conventional wisdom is that you should use the cookies, but php will keep track of the session either way.
PHPSESSID reveals you are using PHP. If you don't want this you can easily change the name using the session.name in your php.ini file or using the session_name() function.
It's the identifier for your current session in PHP. If you delete it, you won't be able to access/make use of session variables. I'd suggest you keep it.
Check php.ini for auto session id.
If you enable it, you will have PHPSESSID in your cookies.
PHPSESSID is an auto generated session cookie by the server which contains a random long number which is given out by the server itself
Using cookies in PHPv7.4 and Microsoft Edge browser, PHPSESSID only seems to be generated when first loading/initializing a web app. If I remove the cookie the browser setting (but keep the web application tab open), it kills the session and forces me to login again. However when I log back into the web application the PHPSESSID cookie does not regenerate and yet I still have my session variables working as expected.
I was testing this because I have a web app that loads an external form (from another site) within an iframe and when the form submits and redirects back to my web app (within the iframe) it loses the session within the iframe. Removing the PHPSESSID cookie fixed the problem of losing the session, but I'm not sure why the cookie is the problem (but that is for another thread).
I have 2 pages: login.php and index.php. Both pages start with
session_start();
When I set
$_SESSION['user'] = "name";
in login.php and than open index.php, my session object is empty. How come?
EDIT:
I found the problem: IE 7. I had to grand access to my domain. However, I thought a session is stored on the server, instead of the client? Than why do I have IE grand access to my domain? (http://www.pcwindowstips.com/2007/09/04/how-to-enable-cookies-in-internet-explorer-7/)
I thought a session is stored on the server, instead of the client? Than why do I have IE grant access to my domain? (http://www.pcwindowstips.com/2007/09/04/how-to-enable-cookies-in-internet-explorer-7/)
The way sessions work is that a session cookie is stored for the site, which contains your session ID. The only way the server knows who you are is when it reads the session ID cookie on every page load. All of the $_SESSION data is stored on the server for each user, but the cookie must be set for the server to know which $_SESSION data to retrieve.
This is also why you can essentially "become" another user if you obtain their session id cookie.
Internet Explorers have a stricter cookie policy than most other browsers. Check your session cookie parameters (see also session_get_cookie_params()) and try to replace the default values by explicit values where possible. Additionally you might send a [fake P3P policy](http://msdn.microsoft.com/en-us/library/ms537343(VS.85).aspx) to satisfy the Internet Explorers.
Perhaps this variable in php.ini is mapping to an existing path
session.save_path = "c:/wrong/path"
Here is something that happened to me that might shed light for someone. My session wasn't working properly. IE 8 and Firefox were losing the session information.
I included a file. That included file had an extra carriage return after the trailing &ques?>
That carriage return started the session. I put session_start after the include. BOOM.
Not much info here, I'll try to use my psychic powers.
After the user logs in, do you set the session var and then redirect the user to index.php using an http header? If so, I don't think the session cookie gets sent to the user. If that is the case, the solutions are:
call session_start() when the login form is initially displayed (not just after the user posts back to it); or:
display a "login successful!" message and then redirect with a meta-refresh, or just provide a link to index.php.
You can also try to dump the session ID on both pages, to see if you are somehow starting a new session:
echo 'Session ID is: ' . SID . "<br/>\n"
You need verify if the cookies are enabled and nothing ( this includes blank lines in the beginning or in the end of archive) sent to browser before you call session_start().