CodeIgniter Forums

Full Version: Session Validation
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
I'm struggling to figure out how the session id validation should work. (CI version 3.1.11, PHP 7.2)

1. Nobble the cookie session value to some 32 character string in the browser
2. Submit the request

I would expect the submitted cookie value to be ignored i.e. a new session id to be generated as per use_strict_mode but this is not what happens.


Debug:
Session_driver php5_validate_id successfully detects the invalid id and the value of the cookie_name in the $_COOKIE array is unset.
Session_files_driver open function is then called with the user injected session id and subsequently opens a new session using that id.

What am I missing - perhaps I've misunderstood but I thought CI enforced use_strict_mode to prevent this?

Any help gratefully received. Security audit has failed us on this but I know the previous bug in this area was resolved in 3.1.9.
(10-16-2019, 07:47 AM)nicola.jones_redcrake.com Wrote: [ -> ]I'm struggling to figure out how the session id validation should work. (CI version 3.1.11, PHP 7.2)

1. Nobble the cookie session value to some 32 character string in the browser
2. Submit the request

I would expect the submitted cookie value to be ignored i.e. a new session id to be generated as per use_strict_mode but this is not what happens.


Debug:
Session_driver php5_validate_id successfully detects the invalid id and the value of the cookie_name in the $_COOKIE array is unset.
Session_files_driver open function is then called with the user injected session id and subsequently opens a new session using that id.

What am I missing - perhaps I've misunderstood but I thought CI enforced use_strict_mode to prevent this?

Any help gratefully received. Security audit has failed us on this but I know the previous bug in this area was resolved in 3.1.9.
@nicola.jones_redcrake.com,

Have you used the documentation to see where you might be going wrong?  Also, have you tried to troubleshoot or output the cookie value to see what is or isn't in it?
(10-16-2019, 08:22 AM)php_rocs Wrote: [ -> ]
(10-16-2019, 07:47 AM)nicola.jones_redcrake.com Wrote: [ -> ]I'm struggling to figure out how the session id validation should work. (CI version 3.1.11, PHP 7.2)

1. Nobble the cookie session value to some 32 character string in the browser
2. Submit the request

I would expect the submitted cookie value to be ignored i.e. a new session id to be generated as per use_strict_mode but this is not what happens.


Debug:
Session_driver php5_validate_id successfully detects the invalid id and the value of the cookie_name in the $_COOKIE array is unset.
Session_files_driver open function is then called with the user injected session id and subsequently opens a new session using that id.

What am I missing - perhaps I've misunderstood but I thought CI enforced use_strict_mode to prevent this?

Any help gratefully received. Security audit has failed us on this but I know the previous bug in this area was resolved in 3.1.9.
@nicola.jones_redcrake.com,

Have you used the documentation to see where you might be going wrong?  Also, have you tried to troubleshoot or output the cookie value to see what is or is

Yes to both. I don't believe there's anything that needs to be configured to enforce use_strict_mode, looks like CI enforces this. Comment in the code says 'security is king'. This should override any php_ini setting. Correct me if I'm wrong.

On a non ajax request, no cookie is returned from the request.
On an ajax request, the user injected session id is returned in the response cookie.
Either way I don't think a new session file should be written with the user injected id otherwise a subsequent request will find it and use it.
Further information:

Session.php sanitise cookie unsets the cookie name in the cookie array if it doesn't match the regex.
This is working as expected. If the user injected cookie doesn't match the regex a new session is created with new session id. All good.

If the regex does match then there's a call to session_start();
According to the php docs this invokes open and read functions on the session handler.
The open call is doing the session id validation and unsetting the cookie name. However the read function is still called using the user injected session id.
I'm wondering if unsetting the cookie name after the session_start call is sufficient. Feels like the session id has already been read from the cookie by this stage. I can only get the behaviour I'm expecting by additionally clearing out the session_id.

Thoughts?
@nicola.jones_redcrake.com,

Is it possible to see some code and where the error takes place?
Your session should be active before setting any session variables (as you mentioned above).
(10-17-2019, 05:34 AM)php_rocs Wrote: [ -> ]@nicola.jones_redcrake.com,

Is it possible to see some code and where the error takes place?
Your session should be active before setting any session variables (as you mentioned above).

@php_rocs I've attached the 3 CI classes involved but this is the flow:

Browser sends user injected session cookie e.g. 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

Session.php constructor:

Checks the cookie matches the regex etc. (unsetting the cookie name here works correctly and results in a new session with a newly generated id) 
For this use case the the injected session id matches the regex so cookie name is still set.

Then calls session_start() which invokes open and read functions.  

Session_files_driver.php open 
$this->php5_validate_id();   // this was the fix in 3.1.9 for use_strict_mode I believe

Session_driver.php:

PHP Code:
public function php5_validate_id()
{
    if (isset($_COOKIE[$this->_config['cookie_name']]) && ! $this->validateSessionId($_COOKIE[$this->_config['cookie_name']]))
    {
        unset($_COOKIE[$this->_config['cookie_name']]);
    }



Session_files_driver.php read function is still called with the user injected session id so creates a new session using that id:

PHP Code:
public function read($session_id)
{
        // This might seem weird, but PHP 5.6 introduces session_reset(),
        // which re-reads session data
        if ($this->_file_handle === NULL)
        {
            $this->_file_new = ! file_exists($this->_file_path.$session_id);

            if (($this->_file_handle fopen($this->_file_path.$session_id'c+b')) === FALSE)
            {
                log_message('error'"Session: Unable to open file '".$this->_file_path.$session_id."'.");
                return $this->_failure;
            



OWASP says user injected session id should never be used to create a session. Unsetting the cookie in php5_validate_id is insufficient it seems? (not sure why it's called php5 since I can't see any check for php version)