Session Validation
(10-17-2019, 05:34 AM)php_rocs Wrote: @nicola.jones_redcrake.com,

@php_rocs I've attached the 3 CI classes involved, but this is the flow:

Browser sends user-injected session cookie, e.g. 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.

Session.php constructor: checks the cookie matches the regex etc. (unsetting the cookie name here works correctly and results in a new session with a newly generated id). For this use case the injected session id matches the regex, so the cookie name is still set. Then calls session_start(), which invokes the open and read functions.

Session_files_driver.php open: $this->php5_validate_id(); // this was the fix in 3.1.9 for use_strict_mode I believe

Session_driver.php:
PHP Code:
public function php5_validate_id()

Session_files_driver.php read function is still called with the user-injected session id, so it creates a new session using that id:
PHP Code:
public function read($session_id)

OWASP says a user-injected session id should never be used to create a session. Unsetting the cookie in php5_validate_id is insufficient, it seems? (Not sure why it's called php5 since I can't see any check for PHP version.)
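The rule the post is asking for (a client-supplied session id that passes the format check must still not be used to create a session unless the server already knows it) can be stated in a few lines. The following is an added example, not CodeIgniter's code and not the files driver; it assumes an in-memory array standing in for the server-side session store and PHP's default 32-hex-character id format, and it shows the "injected" case from the post being rejected while a legitimate id is kept:

```php
<?php
// Added example, not CodeIgniter's own code. It models the strict-mode rule
// the post describes: a session id supplied by the client is honoured only if
// it is well-formed AND already exists on the server; any other value is
// discarded and a fresh id is generated, so a client-chosen id such as
// 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' can never become a live session.
// The store is an in-memory array standing in for the files driver (assumption).

declare(strict_types=1);

/** Same shape PHP uses by default: 32 lowercase hex characters (assumption). */
function session_id_well_formed(string $id): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $id) === 1;
}

/** Cryptographically random replacement id (128 bits). */
function generate_session_id(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Decide which id the request should run under.
 *
 * @param string|null $cookieValue raw value of the session cookie, or null if absent
 * @param array<string, array> $store server-side sessions keyed by id
 * @return array{id: string, regenerated: bool, reason: string}
 */
function resolve_session_id(?string $cookieValue, array $store): array
{
    if ($cookieValue === null) {
        return ['id' => generate_session_id(), 'regenerated' => true, 'reason' => 'no cookie'];
    }
    if (!session_id_well_formed($cookieValue)) {
        return ['id' => generate_session_id(), 'regenerated' => true, 'reason' => 'malformed id'];
    }
    if (!array_key_exists($cookieValue, $store)) {
        // Well-formed but never issued by the server: this is the fixation case
        // from the post. Do not create a session under that id; mint a new one.
        return ['id' => generate_session_id(), 'regenerated' => true, 'reason' => 'unknown id'];
    }
    return ['id' => $cookieValue, 'regenerated' => false, 'reason' => 'existing session'];
}

// --- constructed demo data ---------------------------------------------------
$knownId = str_repeat('b', 32);               // a session the server already created
$store   = [$knownId => ['user' => 'alice']]; // in-memory stand-in for the session files

$cases = [
    'absent cookie'  => null,
    'malformed'      => 'not-a-session-id',
    'injected value' => str_repeat('a', 32),  // passes the regex, never issued by us
    'legitimate'     => $knownId,
];

foreach ($cases as $label => $cookie) {
    $r = resolve_session_id($cookie, $store);
    printf("%-15s -> %s %s (%s)\n", $label, $r['regenerated'] ? 'NEW ' : 'KEEP', $r['id'], $r['reason']);
    if ($r['regenerated']) {
        // Only now is a record created, and only under the server-chosen id.
        $store[$r['id']] = [];
    }
}
```

The point of the example is the order of the checks: the format regex alone is what the post's flow already has, and it is the existence check that stops `read()` from materialising a session under the injected id. PHP's own `session.use_strict_mode` setting enforces the same rule for the built-in save handlers; a custom driver has to implement the existence check itself in its open/read path, which is the gap the post is describing.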
Messages In This Thread
Session Validation - by nicola.jones_redcrake.com - 10-16-2019, 07:47 AM
RE: Session Validation - by php_rocs - 10-16-2019, 08:22 AM
RE: Session Validation - by nicola.jones_redcrake.com - 10-16-2019, 08:31 AM
RE: Session Validation - by nicola.jones_redcrake.com - 10-16-2019, 12:37 PM
RE: Session Validation - by php_rocs - 10-17-2019, 05:34 AM
RE: Session Validation - by nicola.jones_redcrake.com - 10-17-2019, 07:19 AM