
I'm parsing Apache logs for a client and notice that phpsessid appears to be shared between different users on the same ip. These are shopping cart transactions that are legitimate purchases from legitimate customers hitting a thank you page. I thought it might be a proxy issue (may still be) but it is a TWC ip address and doesn't seem to be a proxy. There are other ips with which this is also happening but this is by far the most prevalent. It's impossible that one user could make these purchases within seconds of each other so the phpsessid is somehow being shared? The only thing that seems logical that could be happening here is that a proxy is sharing them or the server is not differentiating between the users properly.

xx.xx.xx.xx - - [13/Mar/2015:16:38:13 -0500] 0ad491d77a8fdef52f885dc4d9ca10a8 "GET /sc-thank-you/?orderId=287729&contactId=1310551 HTTP/1.1"
...
xx.xx.xx.xx - - [13/Mar/2015:16:43:14 -0500] 0ad491d77a8fdef52f885dc4d9ca10a8 "GET /sc-thank-you/?orderId=287731&contactId=582513 HTTP/1.1"
...
xx.xx.xx.xx - - [13/Mar/2015:16:47:51 -0500] 0ad491d77a8fdef52f885dc4d9ca10a8 "GET /sc-thank-you/?orderId=287733&contactId=1310571 HTTP/1.1"

Researching suggests that using a header like this might be the answer if it is a proxy issue:

Cache-Control: private, no-cache, must-revalidate, no-store, max-age=0

This is a WordPress site and I've grepped the pages to find that the cache control is mostly no-cache with no Private headers but there are many Public headers also. It's a large e-commerce site and I don't want to suggest changes that won't fix the issue. Has anyone run into this type of thing? I'm at a standstill until this is resolved. I need to be able to rely on the phpsessid being unique to a particular user to be able to generate a tracking report from the parsed logs.

Thanks

Edit: These users are from Joshua Tree, CA; Menomonee, WI; and Calgary, AB (Canada).

Edit: The only thing that makes sense to me is that a request has to come in to the server with that phpsessid and the server honors it because it is a valid id and everything else, ip, user-agent, etc. is all the same. I mean, if a request comes in without a phpsessid then the server would start a new session. The question is where do the second, and subsequent, users obtain that phpsessid? This is not a hijacked session as the purchases are legit so something in the middle is caching that id?

observer7
  • Any chance that some cookie being set on the client-side (i.e., Javascript) is actually used to compute the server-side session ID somehow? – Kevin_Kinsey Apr 09 '15 at 16:47
  • How about the same user making several orders? – Yasen Zhelev Apr 09 '15 at 16:48
  • IP Address is no guarantee of unique users. Our office has hundreds of computers, which to the outside world all appear as a single IP. When something is new / exciting, it tends to get passed around the office, and seeing multiple purchases from within our office would not be unusual. This is not necessarily what is causing your issue, but it is a possibility to consider. – Scott 'scm6079' Apr 09 '15 at 16:50
  • @Kkinsey: The phpsessid is legitimate and is generated by the server, I've verified that. – observer7 Apr 09 '15 at 16:51
  • Make sure that the hash is actually the session id and not a hash of something else. – Paul S. Apr 09 '15 at 16:51
  • @Paul S: It is a legitimate session id generated by the server. – observer7 Apr 09 '15 at 16:53
  • @Scott 'scm6079': I'm not depending on the ip address. I have different users with the same PHPSESSID that have the same ip address. They should have different session id. – observer7 Apr 09 '15 at 16:55
  • @YasenZhelev: As noted in OP, these are different users with different orders. – observer7 Apr 09 '15 at 16:56
  • What are the server's settings for session.use_cookies and session.use_only_cookies? – Kevin_Kinsey Apr 09 '15 at 16:59
  • @Kkinsey: session.use_cookies = 1, session.use_only_cookies = 1 – observer7 Apr 09 '15 at 17:01
  • Since you use an out of the box solution, are you sure the session is generated correctly? If the sessionid is based on the IP of the user then it will keep the same session. The IP of users can be the same if all users e.a. are in the same location with the same external IP. Or are using a proxy. I assume you use some kind of login and password verification on a user. Base any logging of the unique id of the verified user. – therebelcoder Apr 09 '15 at 18:11
  • @stevenca: the phpsessid is not based on the ip, it is generated with session_start(). – observer7 Apr 09 '15 at 18:14
  • Maybe this thread will help: [link](http://stackoverflow.com/questions/6076214/why-is-php-generating-the-same-session-ids-everytime-in-test-environment-wamp) – therebelcoder Apr 09 '15 at 18:26
  • @stevenca: Yes, I've read that post and I have considered session_regenerate_id() as something to research as at least part of a solution. As I said in the OP, this is a large e-commerce site and I would like to have a thorough understanding as to how multiple users could have a cookie with the same phpsessid in their requests before I attempt a solution. – observer7 Apr 09 '15 at 18:37
  • Has anyone here had any experience with [Caching Headers](https://isc.sans.edu/forums/diary/The+Security+Impact+of+HTTP+Caching+Headers/17033/)? I wonder if this could be causing the problem that I'm experiencing? – observer7 Apr 14 '15 at 14:55
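As an added example, not code from the question or any of the commenters, here is a Python parser for the custom log format shown in the question that flags any PHPSESSID which reached the thank-you page with two different contactId values close together in time, which is exactly the check to run before trusting PHPSESSID as a per-user key for the tracking report. The sample lines are constructed: the first three reuse the values from the question, while the 203.0.113.x / 198.51.100.x addresses and the second session id are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the question's log format (ip, ident, user, timestamp,
# PHPSESSID, request line). The first three lines reuse the question's values;
# the 203.0.113.x / 198.51.100.x addresses and the second session id are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Mar/2015:16:38:13 -0500] 0ad491d77a8fdef52f885dc4d9ca10a8 "GET /sc-thank-you/?orderId=287729&contactId=1310551 HTTP/1.1"
203.0.113.10 - - [13/Mar/2015:16:43:14 -0500] 0ad491d77a8fdef52f885dc4d9ca10a8 "GET /sc-thank-you/?orderId=287731&contactId=582513 HTTP/1.1"
203.0.113.10 - - [13/Mar/2015:16:47:51 -0500] 0ad491d77a8fdef52f885dc4d9ca10a8 "GET /sc-thank-you/?orderId=287733&contactId=1310571 HTTP/1.1"
198.51.100.7 - - [13/Mar/2015:16:50:02 -0500] 5f1c2e9d8b7a6c5d4e3f2a1b0c9d8e7f "GET /sc-thank-you/?orderId=287734&contactId=42 HTTP/1.1"
198.51.100.7 - - [13/Mar/2015:16:52:40 -0500] 5f1c2e9d8b7a6c5d4e3f2a1b0c9d8e7f "GET /sc-thank-you/?orderId=287735&contactId=42 HTTP/1.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<sid>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+"$'
)

def parse_line(line):
    """Return (ip, timestamp, session_id, query_dict), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m or m.group("sid") == "-":   # "-" means no session cookie was sent
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    query = {k: v[0] for k, v in parse_qs(urlsplit(m.group("path")).query).items()}
    return m.group("ip"), ts, m.group("sid"), query

def find_shared_sessions(log_text, window_seconds=900):
    """Map each PHPSESSID that reached the thank-you page with two different
    contactId values within window_seconds to its sorted (ts, contactId, orderId)
    hits. Such a session id cannot be trusted as a per-user key."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or "contactId" not in parsed[3]:
            continue
        _ip, ts, sid, q = parsed
        hits[sid].append((ts, q["contactId"], q.get("orderId")))
    shared = {}
    for sid, rows in hits.items():
        rows.sort()
        # Flag only when consecutive hits belong to different contacts close in time;
        # one customer placing several orders under one session is not flagged.
        if any(a[1] != b[1] and (b[0] - a[0]).total_seconds() <= window_seconds
               for a, b in zip(rows, rows[1:])):
            shared[sid] = rows
    return shared
```

Running it over the real log (one file per day) and diffing the flagged session ids against the site's order records separates a genuinely shared cookie from the case Scott describes, where one office or one returning customer legitimately produces several orders under a single session.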

0 Answers