_SESSION weirdness behind a NAT firewall/router: bug?

So here's my logout.php script for all
user types. It does seem to work correclty:

$CookieInfo = session_get_cookie_params();
$_SESSION = array(); // unset all session values

if ((empty($CookieInfo['domain'])) &&
(empty($CookieInfo['secure']))) setcookie(session_name(), '',
time()-3600, $CookieInfo['path']); elseif
(empty($CookieInfo['secure'])) setcookie(session_name(), '',
time()-3600, $CookieInfo['path'], $CookieInfo['domain']);
else
setcookie(session_name(), '', time()-3600, $CookieInfo['path'],
$CookieInfo['domain'], $CookieInfo['secure']);
unset($_COOKIE[session_name()]);
session_destroy();

>axlq wrote:

> So here's my logout.php script for all
user types. It does seem to work correclty:

I'm missing session_start() here.....

>What if you just:

session_save_path('/home/mydomain/public_html/lists');
session_name('login_settings');
session_start();
set_cookie(session_name(),'',time()-3600,'/');//or your snippet offcourse
$_SESSION = array();
session_destroy();

>Else, I'm very curious wether you cookies are actually deleted or
not, and if not, what they hold.

In article <48***************************@news2.tudelft.nl> ,
Rik <lu************@hotmail.comwrote:

>axlq wrote:

>> So here's my logout.php script for all
user types. It does seem to work correclty:

I'm missing session_start() here.....

Not really... as I said at the beginning of my original post,
*all* scripts - without exception - include a file that calls
session_start() right at the beginning. I neglected to say that
what I posted for logout.php was an excerpt, not the whole script.

>Else, I'm very curious wether you cookies are actually deleted or
not, and if not, what they hold.

The cookie gets deleted. When I examine the cookie after logging
off in Opera, it says "login_settings: deleted."

>
The real problem is that the web hosting server seems to think that
every computer on my home network shares the same session ID, and I
don't know what to do about it. I haven't made the web site public
yet. I certainly can't do so as long as $_SESSION poses such a huge
security risk. There are much more than just home networks behind
NAT firewall/routers. If multiple people in a large organization
try to access my site, all kinds of conflicts will occur.

-A

>axlq wrote:

>The real problem is that the web hosting server seems to think that
every computer on my home network shares the same session ID, and I
don't know what to do about it. I haven't made the web site public
yet. I certainly can't do so as long as $_SESSION poses such a huge
security risk. There are much more than just home networks behind
NAT firewall/routers. If multiple people in a large organization
try to access my site, all kinds of conflicts will occur.

The web server doesn't keep track of the session like that. It sends a
cookie to the browser with the session id, and the browser keeps track
of the id.

>However, that also depends on your PHP.INI file. You should have
session.use_cookies = 1
in your php.ini file.

>But I'm also not sure why you're using those other calls - such as
session_save_path and session_name(). These should be set up in your
php.ini file and you shouldn't need to override them.

>I'm also not sure why you're using set_cookie on the session name.

It sends a cookie to ONE browser. Once this cookie is set and the
session established on the server, the cookie doesn't seem to get
used any more.

>are you sure everything get's executed correctly? No notices when
error_reporting(E_ALL)?

>It could also have something to do with the actual logging in/checking,
maybe post a portion of that code.

>ax**@spamcop.net (axlq) wrote:

>It sends a cookie to ONE browser. Once this cookie is set and the
session established on the server, the cookie doesn't seem to get
used any more.

Have you tested this in other NAT environments? The behavior you
describe is not how PHP normally works. I wonder if you are, perhaps
unbeknownst to you, sitting behind a faulty http proxy.

In article <8o******************************@comcast.com>,
Jerry Stuckle <js*******@attglobal.netwrote:

>>axlq wrote:

>>>The real problem is that the web hosting server seems to think that
every computer on my home network shares the same session ID, and I
don't know what to do about it. I haven't made the web site public
yet. I certainly can't do so as long as $_SESSION poses such a huge
security risk. There are much more than just home networks behind
NAT firewall/routers. If multiple people in a large organization
try to access my site, all kinds of conflicts will occur.

The web server doesn't keep track of the session like that. It sends a
cookie to the browser with the session id, and the browser keeps track
of the id.

It sends a cookie to ONE browser. Once this cookie is set and the
session established on the server, the cookie doesn't seem to get
used any more.

>

>>However, that also depends on your PHP.INI file. You should have
session.use_cookies = 1
in your php.ini file.

It's set that way already.

>

>>But I'm also not sure why you're using those other calls - such as
session_save_path and session_name(). These should be set up in your
php.ini file and you shouldn't need to override them.

Two reasons:

1. This is a shared server, I don't own php.ini, I didn't want to
use the /tmp path already set in it, and I didn't like the default
session name set in it.

2. I can set my own php.ini, but I may have multiple web sites under
the same account, so I preferred having each site's sessions have
their own path -- therefore I set session_save_path and session_name
in the script. It shouldn't make any difference as long as these
settings are consistent in every invocation of my scripts.

>

>>I'm also not sure why you're using set_cookie on the session name.

That's only to delete the session cookie when logging off. This was
recommended in a php documentation page somewhere, so I pretty much
just lifted the code from there. set_cookie isn't used anywhere else
on my site except for the one logoff script.

-A

Followup to my own post. I think I have solved the problem by
forcing regeneration of the session ID if the session ID has the
value 'deleted' -- like this:

session_start();
if (session_id() == 'deleted')
session_regenerate_id(true);

As far as my tests have shown, this prevents multiple browsers
from sharing the 'sess_deleted' session file on the server, if
those browsers have a deleted session cookie and are attempting to
re-log-in to my site.

This has nothing to do with being behind a NAT.

>Hmmm, when I

file1.php
<?
session_name('check_name');
session_start();
$_SESSION['var1'] = 'something';
?>

file2.php

<?php
session_name('check_name');
session_start();
$_SESSION = array();
setcookie(session_name(),'',time()-3600,'/');
session_destroy();
?>

There doesn't appear a 'sess_deleted' file.

>Allthough you have a workaround now, could you maybe post you total
logout script (for I still think there's the error) and not just
the excerpt? Otherwise, it will haunt me for days :-)

>It sends a cookie to ONE browser. Once this cookie is set and the
session established on the server, the cookie doesn't seem to get
used any more.

It does on my systems. But all I uses is session_start() - not all the
rest of the stuff you use.

>>>But I'm also not sure why you're using those other calls - such as
session_save_path and session_name(). These should be set up in your
php.ini file and you shouldn't need to override them.

Two reasons:

1. This is a shared server, I don't own php.ini, I didn't want to
use the /tmp path already set in it, and I didn't like the default
session name set in it.

2. I can set my own php.ini, but I may have multiple web sites under
the same account, so I preferred having each site's sessions have
their own path -- therefore I set session_save_path and session_name
in the script. It shouldn't make any difference as long as these
settings are consistent in every invocation of my scripts.

So? It's a shared server. Sure, someone can access your session info
in /tmp - but only if they know the session id, which is VERY hard to
guess. And BTW - the could access the information in your own
directory, also.

>Just don't keep sensitive information like passwords in the session.

>>>I'm also not sure why you're using set_cookie on the session name.

That's only to delete the session cookie when logging off. This was
recommended in a php documentation page somewhere, so I pretty much
just lifted the code from there. set_cookie isn't used anywhere else
on my site except for the one logoff script.

Whatever. Works fine for me without it just by calling
session_destroy(). Then the cookie would have an invalid session ID,
which is just fine, also.

>I don't think this is a PHP problem - it's in something you're doing.

>Check phpinfo() to ensure your settings are as you expect and you're
using the php.ini you think you're using.

>As for other browsers getting the session information - the only
way they would get this is if the server were sending the same
information and/or the pages are cached somewhere between the
server and your internal network.

>>>>But I'm also not sure why you're using those other calls - such as
session_save_path and session_name().

In article <_-******************************@comcast.com>,
Jerry Stuckle <js*******@attglobal.netwrote:

>>>It sends a cookie to ONE browser. Once this cookie is set and the
session established on the server, the cookie doesn't seem to get
used any more.

It does on my systems. But all I uses is session_start() - not all the
rest of the stuff you use.

Sorry for my sloppiness - the cookie gets READ, but only WRITTEN
once upon the first access to the site, and then again when it's
deleted. If the value of the cookie matches the file name of a
session, it seems to be considered a valid session cookie. So if
the cookie has the value 'deleted' (which session cookies do until
you close the browser), and it matches the ID for sess_deleted on
the server, then sess_deleted gets used for the session, causing
user account collisions.

>

>>>>But I'm also not sure why you're using those other calls - such as
session_save_path and session_name(). These should be set up in your
php.ini file and you shouldn't need to override them.

Two reasons:

1. This is a shared server, I don't own php.ini, I didn't want to
use the /tmp path already set in it, and I didn't like the default
session name set in it.

2. I can set my own php.ini, but I may have multiple web sites under
the same account, so I preferred having each site's sessions have
their own path -- therefore I set session_save_path and session_name
in the script. It shouldn't make any difference as long as these
settings are consistent in every invocation of my scripts.

So? It's a shared server. Sure, someone can access your session info
in /tmp - but only if they know the session id, which is VERY hard to
guess. And BTW - the could access the information in your own
directory, also.

No, they can't. How? An .htaccess file prevents any kind of access
through the web server, and the session files have permissions only
for apache.

>

>>Just don't keep sensitive information like passwords in the session.

I don't. Submitting a correct password during login is what
establishes the session data, which consists of just basic
information like the user ID and last page accessed.

>>>>I'm also not sure why you're using set_cookie on the session name.

That's only to delete the session cookie when logging off. This was
recommended in a php documentation page somewhere, so I pretty much
just lifted the code from there. set_cookie isn't used anywhere else
on my site except for the one logoff script.

Whatever. Works fine for me without it just by calling
session_destroy(). Then the cookie would have an invalid session ID,
which is just fine, also.

I'm going by the php documentation at
http://www.php.net/manual/en/functio...on-destroy.php which
states: "In order to kill the session altogether, like to log the
user out, the session id must also be unset. If a cookie is used to
propagate the session id (default behavior), then THE SESSION COOKIE
MUST BE DELETED" (emphasis mine). The example that follows this
sentence shows how to kill the cookie. I use the expanded example
given at the very bottom of that page.

>

>>I don't think this is a PHP problem - it's in something you're doing.

It's neither a problem or something I'm doing; it's a feature :)

>>Check phpinfo() to ensure your settings are as you expect and you're
using the php.ini you think you're using.

They are and I am.

>>As for other browsers getting the session information - the only
way they would get this is if the server were sending the same
information and/or the pages are cached somewhere between the
server and your internal network.

Well, one way the problem could happen is if two or more browsers
have the same session ID set in their cookie. And that's exactly
what happened here: other browsers have identical cookies, with
the value 'deleted' for the session ID, which corresponds to the
sess_deleted file on the server.

I believe this should even work for valid session IDs if you knew
a valid id and spoofed it from another browser. Log in with one
browser to get a session id, then manually edit the cookie in
another browser to be identical to that in the first browser. Now
both browsers will act as if they're logged into the same user
account.

-Alex

In article <ea**********@blue.rahul.net>, axlq <ax**@spamcop.netwrote:

>>>>>But I'm also not sure why you're using those other calls - such as
>session_save_path and session_name().

I forgot to mention that using session_save_path() set to your own
directory is one way to avoid an early 20-minute session expiration
that one gets on some servers if using the default path. I was
experiencing that. So I went on a search for the reason, during
which I found the trick with session_save_path().

-Alex

>
Of course, if you go and manually edit the session id you're going to
get an identical session. What else do you expect?

But under normal conditions two browsers should not be getting the same
session id. It's a long (32 char, IIFC) hex value which shouldn't be
duplicated - and shouldn't be guessable by chance.

Jerry Stuckle wrote:

>>Of course, if you go and manually edit the session id you're going to
get an identical session. What else do you expect?

But under normal conditions two browsers should not be getting the same
session id. It's a long (32 char, IIFC) hex value which shouldn't be
duplicated - and shouldn't be guessable by chance.

This also illustrates the use of having a good session_id generator.
Its not impossible to guess a session id using brute force and
statistics. Of course, the attacker needs to generate a large number
of session ids to figure out what ones are possibly active, then figure
out which of those have information he wants. The chances of that are
relatively remote, but not out of the realm of possibility. If you're
really worried about security that much, then its something to keep in
mind.

No, as I posted elsewhere in this thread, I've identified the
problem as arising from multiple users sharing the same sess_deleted
session file after logging off and then re-logging in. I think now
it's unlikely to have anything to do with a NAT or http proxy.

I'm not sure what to do about this yet.

>ax**@spamcop.net (axlq) wrote:
Why don't you log people out by just erasing everything in their session
with session_destroy()?

>Does it matter to you whether the session cookie itself is gone?

>Hmmm, is register_globals on in your system? That could be part of what
you're seeing. But again - I don't use cookies to keep track of
sessions. I let the session take care of itself and just destroy it at
the end.