
PHP session handler ignores session.use_strict_mode #1033

Closed
1ma opened this issue Nov 24, 2016 · 3 comments

Comments

@1ma

1ma commented Nov 24, 2016

Overview of the problem

session.use_strict_mode prevents the user agent from setting its own key value for its session. However, when using the Redis session handler this setting is currently being ignored. Unfortunately this prevents a PHP application using the Redis session handler from protecting against session fixation attacks.

Steps to reproduce

1. Add these settings to your php.ini:

```ini
; assumes you have the php-redis extension installed
session.save_handler = redis

; assumes you have a redis daemon running on localhost
session.save_path = "tcp://localhost:6379"

session.use_strict_mode = 1
```
2. Create and serve this simple script (the built-in PHP server will do):

```php
<?php

session_start();

if (!isset($_SESSION['visits'])) {
  $_SESSION['visits'] = 0;
}

$_SESSION['visits']++;

// this helps to confirm that the session.use_strict_mode setting is turned On
phpinfo();

echo "You have visited us {$_SESSION['visits']} times\n";
```
3. Poke the server with curl or a similar utility. Here I use HTTPie:

```console
1ma@werkbox:~$ http -v 127.0.0.1 Cookie:PHPSESSID=madeupkey
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=madeupkey
Host: 127.0.0.1
User-Agent: HTTPie/0.9.6

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Host: 127.0.0.1
Pragma: no-cache

<!-- phpinfo(); output snipped out -->

You have visited us 1 times
```
4. Confirm that the client-defined key has been created:

```console
1ma@werkbox:~$ redis-cli
127.0.0.1:6379> keys *
1) "PHPREDIS_SESSION:madeupkey"
```

This has been tested against PHP 7.0.13, redis-server 3.2.5 and php-redis 3.0.0

@yatsukhnenko yatsukhnenko added this to the 3.2.0 milestone Nov 25, 2016
@1ma (Author)

1ma commented Nov 25, 2016

Just for completeness' sake, this would be the expected behavior:

```ini
; php.ini
session.save_handler = files
session.save_path = /tmp
session.use_strict_mode = 1
```

```console
1ma@werkbox:~$ http -v 127.0.0.1 Cookie:PHPSESSID=madeupkey
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=madeupkey
Host: 127.0.0.1
User-Agent: HTTPie/0.9.6

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Host: 127.0.0.1
Pragma: no-cache
Set-Cookie: PHPSESSID=4v3lkha0emji0kk6lgl1lefsi1; path=/

You have visited us 1 times

1ma@werkbox:~$ ls -l /tmp
-rw------- 1 1ma 1ma   11 nov 25 13:50 sess_4v3lkha0emji0kk6lgl1lefsi1
```
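
The two exchanges above (the Redis handler accepting `madeupkey` silently, the files handler answering with a fresh `Set-Cookie`) are exactly the signal a session-fixation probe looks for. The following is an added example, not code from this issue, from 1ma, or from phpredis: a Python script that turns that manual probe into an automated check and models both behaviours against an in-memory backend. It assumes PHP's default cookie name `PHPSESSID`; the sample responses are constructed from the headers quoted in the two exchanges, with the bodies omitted, and the id generator is a placeholder rather than PHP's own.

```python
"""Decide from a raw HTTP exchange whether a PHP session backend honoured
session.use_strict_mode, and model the strict / non-strict behaviours.

Added example; not part of the phpredis project. Sample responses are
constructed from the headers quoted in the issue (bodies omitted)."""
import os
import re
from typing import Optional

SESSION_COOKIE = "PHPSESSID"  # PHP's default session.name (assumption)


def session_id_from_set_cookie(raw_response: str,
                               cookie_name: str = SESSION_COOKIE) -> Optional[str]:
    """Return the session id assigned by a Set-Cookie header, or None when the
    response carries no Set-Cookie for that cookie (header names are
    case-insensitive, so match them lower-cased)."""
    pattern = re.compile(r"\s*" + re.escape(cookie_name) + r"=([^;\s]*)")
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            match = pattern.match(value)
            if match:
                return match.group(1)
    return None


def strict_mode_honoured(sent_id: str, raw_response: str) -> bool:
    """True when the server rejected the client-chosen id and issued its own.

    With use_strict_mode on, PHP answers an unknown id with a fresh
    Set-Cookie carrying a different id. With it off, or with a save handler
    that ignores the setting, the client id is adopted silently and no
    Set-Cookie is sent at all, which is what the Redis exchange shows."""
    assigned = session_id_from_set_cookie(raw_response)
    return assigned is not None and assigned != sent_id


def php_session_start(store: dict, client_id: Optional[str], strict: bool) -> str:
    """Model of session_start() against a backend `store` (id -> session data).

    strict=True reproduces the expected behaviour: an id that does not already
    exist in the backend is discarded and a new one is generated, so an
    attacker cannot pre-choose the victim's id.
    strict=False reproduces the reported phpredis behaviour: the client id is
    adopted and a key is created under it."""
    if client_id is not None and (client_id in store or not strict):
        store.setdefault(client_id, {})
        return client_id
    new_id = os.urandom(16).hex()  # placeholder, not PHP's id generator
    store[new_id] = {}
    return new_id


# Constructed from the two exchanges in the issue; bodies omitted.
RESPONSE_REDIS_HANDLER = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Content-type: text/html; charset=UTF-8\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)
RESPONSE_FILES_HANDLER = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Content-type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=4v3lkha0emji0kk6lgl1lefsi1; path=/\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)


def verdict(label: str, sent_id: str, raw_response: str) -> str:
    """One-line human-readable result for an exchange."""
    if strict_mode_honoured(sent_id, raw_response):
        return f"{label}: strict mode honoured, client id '{sent_id}' rejected"
    return f"{label}: client id '{sent_id}' accepted, session fixation possible"


if __name__ == "__main__":
    print(verdict("redis handler", "madeupkey", RESPONSE_REDIS_HANDLER))
    print(verdict("files handler", "madeupkey", RESPONSE_FILES_HANDLER))
    backend = {}
    print("strict model ->", php_session_start(backend, "madeupkey", strict=True))
    print("non-strict model ->", php_session_start(backend, "madeupkey", strict=False))
```

The probe must send an id that cannot already exist in the backend, otherwise a genuine session would be resumed and the missing `Set-Cookie` would be correct behaviour. Because the non-strict verdict rests on the absence of a header, confirm it on the backend as the issue does (`redis-cli keys *` showing `PHPREDIS_SESSION:madeupkey`) before treating the deployment as vulnerable.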

@marcing

marcing commented Mar 4, 2018

What's the status?

@yatsukhnenko (Member)

Should be fixed by #1351
