_SESSION weirdness behind a NAT firewall/router: bug?

axlq

Someone please tell me if I've discovered a PHP bug.

I'm sitting in front of several computers on my home network, behind
a NAT firewall/router. I am testing my web site on these different
computers (running different browsers, logged in as different users,
etc.). My web site keeps track of users logged in through the use
of $_SESSION.

Here's the bizarre thing: All computers are logged off, then I log
into my web site with one computer -- and when I browse my site from
another computer it behaves as if logged in! And if I log off with
one computer, all other computers subsequently behave as if logged
off! This happens also with different browsers (say IE and Opera)
running on the same machine.

This is especially serious because I have four classes of users:
non-logged-in visitor, logged-in user, paying customer, and
superuser. Logging in as superuser, for example, gives superuser
privileges to ALL computers on my home network!

AAAARRRGH!! I can't figure this out. It seems that $_SESSION is
using *only* my IP address and no unique identifying information
from the browsers on my network. Is this a php bug?

Background:

Here is basically what I'm doing. All scripts first contain a
require_once() directive that includes a file which executes the
following statements right up front:

session_save_pa th("/home/mydomain/public_html/lists");
session_name('l ogin_settings') ;
session_start() ;

(Naturally, the save path exists, and it contains session data
files.) Then, each script calls a function isLoggedOn() to
determine the type of user logged in, if any:

function isLoggedOn()
{
if (isset($_SESSIO N['superuser']))
return 'superuser';
if (isset($_SESSIO N['customer']))
return 'customer';
if (isset($_SESSIO N['user']))
return 'user';
return NULL; // unregistered or not logged in
}

Upon receiving the return value from isLoggedOn(), the script
behaves exactly the way it should depending on what type of user is
logged in. The value of $_SESSION['user'], $_SESSION['customer'],
and $_SESSION['superuser'] is the user's ID in the MySQL table for
that user type; the value is set by a login.php script.

I have three login.php scripts: for normal users, customers, and
superuser. Each login.php script queries the appropriate database
for user ID and password, and then sets some $_SESSION values.
Here, for example, is what happens with $_SESSION when a normal user
logs in. Note that it ensures that the customer and superuser types
are unset upon this login:

if ($sql->rows) {
$userid = $sql->GetValue('id') ;
if ($userid) {
$_SESSION['user'] = $userid;
if (isset($_SESSIO N['admin']))
unset($_SESSION['customer']);
if (isset($_SESSIO N['superuser']))
unset($_SESSION['superuser']);
header("Locatio n: http://www.example.com/userindex.php") ;
} else header("Locatio n: http://www.example.com/login.php?error =1")
} else header("Locatio n: http://www.example.com/login.php?error =1")

Logging off shouldn't leave anything behind from prior users,
deleting all $_SESSION data, killing the session cookie, and finally
calling session_destroy (). So here's my logout.php script for all
user types. It does seem to work correclty:

$CookieInfo = session_get_coo kie_params();
$_SESSION = array(); // unset all session values

if ((empty($Cookie Info['domain'])) && (empty($CookieI nfo['secure'])))
setcookie(sessi on_name(), '', time()-3600, $CookieInfo['path']);
elseif (empty($CookieI nfo['secure']))
setcookie(sessi on_name(), '', time()-3600, $CookieInfo['path'],
$CookieInfo['domain']);
else
setcookie(sessi on_name(), '', time()-3600, $CookieInfo['path'],
$CookieInfo['domain'], $CookieInfo['secure']);
unset($_COOKIE[session_name()]);
session_destroy ();

I'm at my wit's end, almost ready to manage my own cookies and dump
this PHP session handling stuff. I'd rather not though; I like
having the one session cookie with sensitive data stored on the
server. *Other* sites don't behave this way if I log into them
simultaneously from different computers on my home network. What's
wrong with MY site??

-Alex

Jul 30 '06 #1

Subscribe Reply

3071

Rik

axlq wrote:

So here's my logout.php script for all
user types. It does seem to work correclty:

I'm missing session_start() here.....

$CookieInfo = session_get_coo kie_params();
$_SESSION = array(); // unset all session values

if ((empty($Cookie Info['domain'])) &&
(empty($CookieI nfo['secure']))) setcookie(sessi on_name(), '',
time()-3600, $CookieInfo['path']); elseif
(empty($CookieI nfo['secure'])) setcookie(sessi on_name(), '',
time()-3600, $CookieInfo['path'], $CookieInfo['domain']);
else
setcookie(sessi on_name(), '', time()-3600, $CookieInfo['path'],
$CookieInfo['domain'], $CookieInfo['secure']);
unset($_COOKIE[session_name()]);
session_destroy ();

What if you just:

session_save_pa th('/home/mydomain/public_html/lists');
session_name('l ogin_settings') ;
session_start() ;
set_cookie(sess ion_name(),'',t ime()-3600,'/');//or your snippet offcourse
$_SESSION = array();
session_destroy ();

Else, I'm very curious wether you cookies are actually deleted or not, and
if not, what they hold.

Grtz,
--
Rik Wasmus

Jul 30 '06 #2

axlq

In article <48************ *************** @news2.tudelft. nl>,
Rik <lu************ @hotmail.comwro te:

>axlq wrote:
> So here's my logout.php script for all
user types. It does seem to work correclty:

I'm missing session_start() here.....

Not really... as I said at the beginning of my original post,
*all* scripts - without exception - include a file that calls
session_start() right at the beginning. I neglected to say that
what I posted for logout.php was an excerpt, not the whole script.

>What if you just:

session_save_p ath('/home/mydomain/public_html/lists');
session_name(' login_settings' );
session_start( );
set_cookie(ses sion_name(),'', time()-3600,'/');//or your snippet offcourse
$_SESSION = array();
session_destro y();

That's what it does already.

>Else, I'm very curious wether you cookies are actually deleted or
not, and if not, what they hold.

The cookie gets deleted. When I examine the cookie after logging
off in Opera, it says "login_settings : deleted."

The real problem is that the web hosting server seems to think that
every computer on my home network shares the same session ID, and I
don't know what to do about it. I haven't made the web site public
yet. I certainly can't do so as long as $_SESSION poses such a huge
security risk. There are much more than just home networks behind
NAT firewall/routers. If multiple people in a large organization
try to access my site, all kinds of conflicts will occur.

-A

Jul 30 '06 #3

Rik

axlq wrote:

In article <48************ *************** @news2.tudelft. nl>,
Rik <lu************ @hotmail.comwro te:
>axlq wrote:
>> So here's my logout.php script for all
user types. It does seem to work correclty:

I'm missing session_start() here.....

Not really... as I said at the beginning of my original post,
*all* scripts - without exception - include a file that calls
session_start() right at the beginning. I neglected to say that
what I posted for logout.php was an excerpt, not the whole script.

Sorry, missed that. As it is an excerpt, are you sure everything get's
executed correctly? No notices when error_reporting (E_ALL)?

>Else, I'm very curious wether you cookies are actually deleted or
not, and if not, what they hold.

The cookie gets deleted. When I examine the cookie after logging
off in Opera, it says "login_settings : deleted."

Hmmz, then I don't think the problem is there. What's the actual content of
/home/mydomain/public_html/lists")? Are the sessions cleaned up?

It could also have something to do with the actual logging in/checking,
maybe post a portion of that code.

Grtz,
--
Rik Wasmus

Jul 30 '06 #4

Jerry Stuckle

axlq wrote:

>
The real problem is that the web hosting server seems to think that
every computer on my home network shares the same session ID, and I
don't know what to do about it. I haven't made the web site public
yet. I certainly can't do so as long as $_SESSION poses such a huge
security risk. There are much more than just home networks behind
NAT firewall/routers. If multiple people in a large organization
try to access my site, all kinds of conflicts will occur.

-A

The web server doesn't keep track of the session like that. It sends a
cookie to the browser with the session id, and the browser keeps track
of the id.

However, that also depends on your PHP.INI file. You should have

session.use_coo kies = 1

in your php.ini file.

But I'm also not sure why you're using those other calls - such as
session_save_pa th and session_name(). These should be set up in your
php.ini file and you shouldn't need to override them.

I'm also not sure why you're using set_cookie on the session name.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

Jul 30 '06 #5

axlq

In article <8o************ *************** ***@comcast.com >,
Jerry Stuckle <js*******@attg lobal.netwrote:

>axlq wrote:
>The real problem is that the web hosting server seems to think that
every computer on my home network shares the same session ID, and I
don't know what to do about it. I haven't made the web site public
yet. I certainly can't do so as long as $_SESSION poses such a huge
security risk. There are much more than just home networks behind
NAT firewall/routers. If multiple people in a large organization
try to access my site, all kinds of conflicts will occur.

The web server doesn't keep track of the session like that. It sends a
cookie to the browser with the session id, and the browser keeps track
of the id.

It sends a cookie to ONE browser. Once this cookie is set and the
session established on the server, the cookie doesn't seem to get
used any more.

>However, that also depends on your PHP.INI file. You should have
session.use_co okies = 1
in your php.ini file.

It's set that way already.

>But I'm also not sure why you're using those other calls - such as
session_save_p ath and session_name(). These should be set up in your
php.ini file and you shouldn't need to override them.

Two reasons:

1. This is a shared server, I don't own php.ini, I didn't want to
use the /tmp path already set in it, and I didn't like the default
session name set in it.

2. I can set my own php.ini, but I may have multiple web sites under
the same account, so I preferred having each site's sessions have
their own path -- therefore I set session_save_pa th and session_name
in the script. It shouldn't make any difference as long as these
settings are consistent in every invocation of my scripts.

>I'm also not sure why you're using set_cookie on the session name.

That's only to delete the session cookie when logging off. This was
recommended in a php documentation page somewhere, so I pretty much
just lifted the code from there. set_cookie isn't used anywhere else
on my site except for the one logoff script.

-A

Jul 30 '06 #6

Miguel Cruz

ax**@spamcop.ne t (axlq) wrote:

It sends a cookie to ONE browser. Once this cookie is set and the
session established on the server, the cookie doesn't seem to get
used any more.

Have you tested this in other NAT environments? The behavior you
describe is not how PHP normally works. I wonder if you are, perhaps
unbeknownst to you, sitting behind a faulty http proxy.

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu

Jul 30 '06 #7

axlq

In article <98************ *************@n ews2.tudelft.nl >,
Rik <lu************ @hotmail.comwro te:

>are you sure everything get's executed correctly? No notices when
error_reportin g(E_ALL)?

Good idea. No unusual notices came from error_reporting (E_ALL)
- just some instances of testing values of nonexistent variables
instead of using isset(), which doesn't affect the logical execution
of the code and isn't related to the problem at hand.

However, my testing to see if the error reporting gave any surprises
*did* clarify that the problem arises from the 'sess_deleted' files
that are left behind in my session path when logging off. It seems
that the 'sess_deleted' file is actually being used as a session ID.

Here is what seems to be wrong:

A. After logging off, re-logging in doesn't re-set the session
cookie. It persists as having the value 'deleted', which is how it
gets set after using set_cookie() with a timestamp of time()-3600 to
force the cookie to expire.

B. The session file 'sess_deleted' - which appears from
session_destroy () in the logoff script - is used as an actual
session by browsers with a 'login_settings ' cookie set to 'deleted'.
Any $_SESSION values introduced by one browser become part of the
$_SESSION in all browsers.

==========

Here's what I did. The first 5 steps are set-up steps.

1. Choose two computers on my end, delete the cookies and clear the
browser cache to start fresh. I also delete any session files in my
session_path on the server, just to make sure it's fresh on that end.

2. Computer A: I open up the Opera browser log in as a normal user.
A session cookie appears in the cookie list, and a file called
sess_99eae3b908 fa57142f08f31a7 eafc6c2 appeared in my session_path
when the browser first accessed the site.

3. Computer A (again): I open up the Firefox browser and log in
as a customer. A session cookie is set properly in the browser,
and a new file sess_4dd766f5f0 bb86404b1e6d872 e59035e appears in my
session_path.

4. Computer B: Open up the IE browser and log in as superuser.
A new file sess_92d1cd69bb 176cb4167c08220 af30be7 appears.
Everything fine so far. So far all three computers are working fine
independently. No surprises from E_ALL error reporting.

5. I log off computer B. The session file disappears and becomes
'sess_deleted' instead. The two browsers on computer A still behave
properly.

OK. HERE'S WERE IT GETS WEIRD.

6. I log off the Opera browser in computer A. The session file
disappears. The browser displays the non-logged-in index page,as it
should. However... there is still ONE 'sess_deleted' file, but with
a new timestamp.

7. I re-log in computer B as superuser. The superuser index page
appears, but no new session file is created! Nothing strange
appears in the E_ALL errors.

8. From computer A, I re-load the non-logged-in index page in Opera.
It loads up the superuser index page that B is seeing! Opera's
cookie manager says of the session cookie, "login_settings : deleted"

9. All this time, the Firefox browser on computer A has
been operating normally in its own session. There has been
no interference so far. Now I log off. The session file
disappears. The browser loads the superuser index page instead of
the non-logged-in index page! Firefox says of the session cookie:
Name: login_settings
Content: deleted

10. Logging off from 'superuser' from any computer logs off all
browsers. There is still one 'sess_deleted' file in my session_path
with a timestamp updated to the logoff time.

>It could also have something to do with the actual logging in/checking,
maybe post a portion of that code.

It now seems to have everything to do with sess_deleted and session
cookies set to 'deleted'. My logoff script follows the example shown
in http://us2.php.net/manual/en/functio...on-destroy.php

-A

Jul 30 '06 #8

axlq

In article <spam-A7BC28.00113331 072006@localhos t>,
Miguel Cruz <sp**@admin.u.n uwrote:

>ax**@spamcop.n et (axlq) wrote:
>It sends a cookie to ONE browser. Once this cookie is set and the
session established on the server, the cookie doesn't seem to get
used any more.

Have you tested this in other NAT environments? The behavior you
describe is not how PHP normally works. I wonder if you are, perhaps
unbeknownst to you, sitting behind a faulty http proxy.

No, as I posted elsewhere in this thread, I've identified the
problem as arising from multiple users sharing the same sess_deleted
session file after logging off and then re-logging in. I think now
it's unlikely to have anything to do with a NAT or http proxy.

I'm not sure what to do about this yet.

-Alex

Jul 30 '06 #9

axlq

Followup to my own post. I think I have solved the problem by
forcing regeneration of the session ID if the session ID has the
value 'deleted' -- like this:

session_start() ;
if (session_id() == 'deleted')
session_regener ate_id(true);

As far as my tests have shown, this prevents multiple browsers
from sharing the 'sess_deleted' session file on the server, if
those browsers have a deleted session cookie and are attempting to
re-log-in to my site.

This has nothing to do with being behind a NAT.

-Alex

Jul 30 '06 #10

Similar topics

9671

how to transfer file between two computers behind different boardband router?

by: Eric | last post by:

Hi, I am new to internet programming. I would now like to create a platform which allow two users behind different boardband router to exchange files. There are only two users in the system and I have no right to modify the boardband router. I have check up some p2p applications like jxta and winmx. I have made some guess how the system works: Their is a relay server or a service outside the Internet. Computer A

Java

2785

SQL Server Sercurity Outside the Firewall ...

by: Rajesh Kapur | last post by:

Hello, We use Informix and MySQL on linux/unix to drive our web application. SQL*Server is used only for backend enterprise applications within the firewall. I am trying to get the management to use SQL*Server outside the firewall. They tell me there are security issues with Microsoft products, including SQL*Server, that make it vulnerable to attacks outside the firewall. Can someone please point me to white papers/documentation that...

Microsoft SQL Server

980

Web Service Behind A Firewall Problem

by: Bill Hauver | last post by:

I am attempting to use a web service from my work pc which is behind a firewall. I have used wsdl.exe to create the web service reference class and added it to my project. (this seems to work without a hitch). Before I use this class, I make the necessary calls to instantiate a WebProxy class and then pass in my credentials to set the WebProxy.Credentials property so I can get through the proxy server.

.NET Framework

1774

Internet access behind win xp sp2

by: John | last post by:

Hi I am using ms internet control in my app. It works fine form all machines except from a new one which has win xp sp2 installed. All machines are part of a small business server 2003 domain so have the isa server firewall client as well. Unfortunately I can't find a way to disable xp firewall once it is connected to the domain. How do I get past the xp firewall for internet control to work? Thanks

Microsoft Access / VBA

2415

Listening to a port behind firewall

by: Sean | last post by:

Hi, I'm programming an IRC bot. I'm trying to establish a dcc connection with another IRC client. I give the ipaddress and port number to the client in the request. I listen to that port with TcpListener on IPAddress.Any. The listener never receives a connection. My situation is the bot computer is behind a router. Is there something special that must be done to bind to the router's port? Thanks,

C# / C Sharp

1962

Web services behind firewall/router

by: Coder | last post by:

Is there anyway to access this webservice that is behind a router/firewall? - Thanks.

.NET Framework

1849

Windows XP (Pro) SP2 Firewall

by: =?Utf-8?B?SmF5RFA=?= | last post by:

HELP! I have a small home network setup. One Desktop for me, one dektop for my two girls, a laptop for work, my wife's laptop, and my son's laptop for college work. All in "WORKGROUP" connected through wireless Verizon FIOS broadband router. I had Zone Alarm FREE as the firewall. I also have CAI Anti-Virus. Both CAI Anti-Virus and Zone Alarm FREE needed an update.

.NET Framework

3998

Netgear DG834G (v3) wireless router - firewall rules - port forwarding

by: PW | last post by:

I have a Netgear DG834G (v3) wireless router. I also host an ASP website from my home computer. I had a problem when I first got this router that was blocking requests from outside from seeing the website. I overcame that problem by adding a firewall rule and everything has been working fine for months. Then last night I had my computer hang several times on a file called agp440.sys. After many attempts I finally got that problem...

ASP / Active Server Pages

10739

C# Socket Communication Behind a router

by: cnixuser | last post by:

Hi, I was wondering if someone could give me some general pointers about creating client server applications that would be able to communicate with each other over not just the LAN which I am able to do, but would be able to communicate with each other and exchange filestreams over the internet, meaning in most cases communication with PC's behind a router and / or a gateway server. I have applications that can send messages to each other and...

.NET Framework

9496

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...

Windows Server

10363

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...

C / C++

10164

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...

Online Marketing

10110

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...

Windows Server

7512

Access Europe - Using VBA to create a class based on a table - Wed 1 May

by: isladogs | last post by:

The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...

Microsoft Access / VBA

5534

Windows Forms - .Net 8.0

by: adsilva | last post by:

A Windows Forms form does not have the event Unload, like VB6. What one acts like?

Visual Basic .NET

4066

transfer the data from one system to another through ip address

by: 6302768590 | last post by:

Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

C# / C Sharp

3669

How to add payments to a PHP MySQL app.

by: muto222 | last post by:

How can i add a mobile payment intergratation into php mysql website.

PHP

2894

Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy

by: bsmnconsultancy | last post by:

In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

General