0

I had a look at this post, but I do not understand whether, using this code,
I'm vulnerable to session fixation attacks:

myPage.php

<?php

// Cookieless session: PHP will neither set nor read a session cookie...
ini_set("session.use_cookies",0);
// ...and will accept the session ID from GET/POST parameters as well...
ini_set("session.use_only_cookies",0);
// ...and will append the session ID (PHPSESSID=...) to the URLs and forms it outputs.
ini_set("session.use_trans_sid",1);

session_start();

$_SESSION['myName'] = "myNameIsOk";

if($_SESSION['myName'] === "myNameIsOk" ){
    print_r($_SESSION);
    print_r($_COOKIE);
}

?>

I'm using only this code as it is, and I'm not using URL parameters or anything else, so
is this code vulnerable to PHP session fixation attacks? If yes, how? I'm not a PHP expert.
Can you post an example of the attack?

Community
  • You are passing the session id using the URL so no this is not safe. – PeeHaa Oct 13 '14 at 09:57
  • What is unclear about the linked post? Because you have done the exact opposite of what you should do. – PeeHaa Oct 13 '14 at 09:58
  • @PeeHaa If I keep the default session cookies, will the session ID also be passed in the URL or not? –  Oct 13 '14 at 09:59
  • No never. The default is to use session cookies. – PeeHaa Oct 13 '14 at 10:00
  • Setting a session variable and then immediately checking its value doesn't contribute to anything. – Ja͢ck Oct 13 '14 at 10:01
  • Ok, now it is clearer: by using the cookieless session method, I will automatically pass these parameters in the URL, and now I understand that it is no good. So I think that I'll never use this method. Thank you for the help :) –  Oct 13 '14 at 10:04

1 Answer

-4

The session fixation attack can happen when you use a URL to pass an ID, for example:

http://unsafe.example.com/?SID=I_WILL_KNOW_THE_SID

If another person visits this link, he can have access to another person's account.

To avoid this, you must not accept session identifiers from GET/POST variables.

Don't use:

ini_set("session.use_trans_sid",1);

But:

ini_set("session.use_trans_sid",0);

It disables transparent SID support.

URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.

You can read more about session fixation here:

http://en.wikipedia.org/wiki/Session_fixation

ghorg12110
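The answer above only turns off trans_sid; the question's configuration also has `session.use_only_cookies` set to 0, which is what lets a session ID arrive in a GET/POST parameter in the first place. As an added example (not code from the question, the answer, or the PHP project), here is a cookie-only session bootstrap that closes both paths and rotates the ID at login. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params`) and a site served over HTTPS; `login()` and `reject_sid_in_request()` are names chosen for this example.

```php
<?php
// Added example: hardened session bootstrap for the scenario in the question.
// Assumes PHP >= 7.3 and HTTPS. Function names are this example's own.

declare(strict_types=1);

function configure_session(): void
{
    // Keep the session ID out of the URL entirely: cookies only, no trans_sid,
    // and refuse IDs that PHP itself did not issue (strict mode regenerates
    // unknown IDs instead of adopting them, which defeats a pre-set ID).
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // Harden the cookie that carries the ID.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function reject_sid_in_request(): bool
{
    // With use_only_cookies=1 PHP already ignores a session ID in the query
    // string or body; this check makes such requests visible so they can be
    // logged and refused rather than silently dropped.
    $name = session_name();
    return isset($_GET[$name]) || isset($_POST[$name]);
}

function login(string $user): void
{
    // Rotate the ID whenever privilege changes, so an ID the client held
    // before authenticating is never the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
}

configure_session();

if (reject_sid_in_request()) {
    error_log('session ID supplied in request parameters from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Session identifiers are not accepted as request parameters.');
}

session_start();

// Example flow: after the application has verified credentials (not shown),
// call login() to bind the user to a freshly generated session ID.
if (!isset($_SESSION['user'])) {
    login('demo-user');   // constructed value for illustration
}

print_r($_SESSION);
```

With these settings `print_r($_COOKIE)` from the question will show a single `PHPSESSID` cookie and the URL never carries the ID, so a link shared by e-mail or saved as a bookmark cannot hand the session to someone else. `session_regenerate_id(true)` is the part that addresses fixation specifically; the cookie flags address the separate risk of the ID being stolen in transit or from script.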