Herr Otto Partz says you're all nothing but pipsqueaks!

Main Menu

SESSION ID via GET in the forum?

Started by Cas, October 02, 2018, 09:14:21 PM

Previous topic - Next topic


Something weird just happened to me. I was navigating the forum without having logged in and I clicked to see the last message of a post. Then I looked at the address line and, to my surprise, the first parameter in the GET line was PHPSESSID, which was assigned a hex chain maybe some 32 characters long. It really called my attention that PHP would send this sensitive information via GET, which anybody could copy and use to impersonate somebody else and I was surprised also that I hadn't seen this before. So I moved to another topic and the parameter wasn't there anymore. I returned to the same topic and no, it didn't do it, so I don't know how to reproduce it. Why could this be?
Earth is my country. Science is my religion.


That's not the forum in particular, but something PHP applications can do if they have trouble setting session cookies.

The first time a page is accessed, PHP doesn't yet know if the browser is accepting cookies or not, so after session_start() is called, SID will be non-empty, and the PHPSESSID gets inserted in all link URLs on that page that are properly using SID.

[...] A work-around is to turn on session.use_only_cookies, but then you lose session data for anyone who has their cookies turned off.

Could it be that you or an extension cleared cookies a short moment before?

Query string session ID used to be "safe", until wi-fi and the NSA happened. HTTPS is in my medium term plans, but it's mostly in the hands of Zak, being hosting configuration.


Oh!  I understand!  So it only happens on first access. In that case, it should be relatively safe. And yes, I think the same thing about Wi-Fi... and the NSA. In fact, it's quite annoying how those guys are everywhere. Most sites are using Google services or somehow link to Facebook, etc. Some of those things make sites inaccessible from Tor. Not good. I have my browser configured to only accept 1st party cookies and to clear them all when it's closed. I also use NoScript. So maybe my browser behaviour "scared" the forum PHP. Still, it is accepting cookies from the forum.
Earth is my country. Science is my religion.