« previous next »
Pages: [1]

Author Topic: SESSION ID via GET in the forum?  (Read 909 times)

Cas

  • Bernie's Brother
  • **
  • Posts: 263
    • View Profile
    • Dimioca Labs
SESSION ID via GET in the forum?
« on: October 02, 2018, 09:14:21 PM »
Something weird just happened to me. I was navigating the forum without having logged in and I clicked to see the last message of a post. Then I looked at the address line and, to my surprise, the first parameter in the GET line was PHPSESSID, which was assigned a hex chain maybe some 32 characters long. It really called my attention that PHP would send this sensitive information via GET, which anybody could copy and use to impersonate somebody else and I was surprised also that I hadn't seen this before. So I moved to another topic and the parameter wasn't there anymore. I returned to the same topic and no, it didn't do it, so I don't know how to reproduce it. Why could this be?
Logged
Earth is my country. Science is my religion.

dreadnaut

  • Skid`s Nightmare
  • **
  • Posts: 716
    • View Profile
    • chezDreadnaut
Re: SESSION ID via GET in the forum?
« Reply #1 on: October 02, 2018, 09:46:37 PM »
That's not the forum in particular, but something PHP applications can do if they have trouble setting session cookies.

From: http://php.net/manual/en/session.idpassing.php
Quote
The first time a page is accessed, PHP doesn't yet know if the browser is accepting cookies or not, so after session_start() is called, SID will be non-empty, and the PHPSESSID gets inserted in all link URLs on that page that are properly using SID.

[...] A work-around is to turn on session.use_only_cookies, but then you lose session data for anyone who has their cookies turned off.

Could it be that you or an extension cleared cookies a short moment before?

Query string session ID used to be "safe", until wi-fi and the NSA happened. HTTPS is in my medium term plans, but it's mostly in the hands of Zak, being hosting configuration.
« Last Edit: October 02, 2018, 09:48:55 PM by dreadnaut »
Logged

Cas

  • Bernie's Brother
  • **
  • Posts: 263
    • View Profile
    • Dimioca Labs
Re: SESSION ID via GET in the forum?
« Reply #2 on: October 03, 2018, 08:27:48 PM »
Oh!  I understand!  So it only happens on first access. In that case, it should be relatively safe. And yes, I think the same thing about Wi-Fi... and the NSA. In fact, it's quite annoying how those guys are everywhere. Most sites are using Google services or somehow link to Facebook, etc. Some of those things make sites inaccessible from Tor. Not good. I have my browser configured to only accept 1st party cookies and to clear them all when it's closed. I also use NoScript. So maybe my browser behaviour "scared" the forum PHP. Still, it is accepting cookies from the forum.
Logged
Earth is my country. Science is my religion.
Pages: [1]
« previous next »