PHP Patch to minimize Session Fixation Risks

 Background

First of all, you should be aware of the risk known as "Session Fixation": an attacker fixes the session identifier a victim will use (for example by sending a link that carries a SID), waits for the victim to authenticate under that identifier, and then reuses it to take over the session.
As stated in the official PHP documentation:

"The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it."

This patch lets you strengthen PHP applications by adding further controls on session usage, without changing the application code itself.

 Technical Details

The basic idea is very simple:

the patch performs additional tests on the client IP address and on the browser characteristics, to make sure that the client presenting a session (by cookie or by SID) is the owner of that session.

When a session is created, a new session variable (named _SESSIP_ by default) is created. Its value is the IP address of the client that created the session.
On every later request that presents this session ID, the patch checks that the requesting client is the session creator/owner.

This prevents Session Fixation when the innocent user and the attacker are not behind the same proxy or NAT device: their IP addresses differ, so neither can use the other's session.

This solution is far from perfect: it is intended as a quick method to strengthen applications that administrators must operate but do not maintain, and therefore cannot fix at the source level.

The patch must also cope with the dynamic IP address allocation used by ISPs such as AOL (where a user's address can change between two requests), and it cannot protect a user behind a proxy or a NAT gateway against other users of the same gateway, who share the same public address.

So another test, based on the browser characteristics (the HTTP_ACCEPT_LANGUAGE and HTTP_USER_AGENT request headers), has been included, and the IP address check can take the network class (A, B or C) into account, so that legitimate users whose address changes inside the same network do not lose their session. Keep in mind the trade-off of both relaxations: the two headers are sent by the client and can be copied by an attacker who observes them, and the class mask widens the set of addresses accepted as the owner (a whole /8 for a class A address), so the IP test then only excludes attackers outside that network.

The following new entries of "php.ini" can be set to change the patch behaviour:

    session.checkip     (default: on)          boolean; activates or deactivates the IP address test
    session.classmask   (default: on)          boolean; activates or deactivates the use of the network class mask when comparing IP addresses
    session.ipname      (default: _SESSIP_)    name of the session variable that contains the owner's IP address
    session.checksign   (default: on)          boolean; activates or deactivates the browser characteristics test
    session.signname    (default: _SESSSIGN_)  name of the session variable that contains the browser characteristics

When "session.checkip" is "on" and the patch detects a forbidden use of a session, it generates the following message in the Apache error log:

Client with IP Address 'a.b.c.d' tries to use the session defined by Client with IP Address 'x.y.z.t'

When "session.checksign" is "on" and the patch detects a forbidden use of a session, it generates the following message in the Apache error log:

Client with IP Address 'a.b.c.d' tries to use the session defined by another Client
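The following is an added example, not the patch's own code: a userland PHP equivalent of the two checks described above, which an administrator can load in front of every script through the php.ini directive "auto_prepend_file" when rebuilding PHP is not an option. It uses the same variable names, defaults and log messages as the patch; the function names, the $opts keys and the classful interpretation of "session.classmask" (class A compared on /8, class B on /16, class C on /24) are this example's assumptions.

```php
<?php
// Added example (not the patch's own code): a userland equivalent of the
// patch's two checks that an administrator can load for every script via the
// php.ini directive "auto_prepend_file", without rebuilding PHP.
// All function names and the $opts keys below are this example's choices.

// Same names and defaults as the php.ini entries the patch introduces.
const SESSGUARD_DEFAULTS = [
    'checkip'   => true,
    'classmask' => true,
    'ipname'    => '_SESSIP_',
    'checksign' => true,
    'signname'  => '_SESSSIGN_',
];

// Part of the IPv4 address that is compared. With classmask on, only the
// classful network (class A = /8, class B = /16, class C = /24) is kept, so a
// user whose ISP reassigns an address inside the same class-C network keeps
// the session. Classful masking is an assumption about how the patch applies
// "session.classmask". Non-IPv4 and class D/E addresses are compared exactly.
function sessguard_network_key(string $ip, bool $classmask): string
{
    $long = ip2long($ip);
    if (!$classmask || $long === false) {
        return $ip;
    }
    $first = ($long >> 24) & 0xFF;
    if ($first < 128) {
        $bits = 8;
    } elseif ($first < 192) {
        $bits = 16;
    } elseif ($first < 224) {
        $bits = 24;
    } else {
        return $ip;
    }
    return long2ip($long & (-1 << (32 - $bits))) . '/' . $bits;
}

// Browser signature built from the two headers the patch uses. Both are sent
// by the client, so an attacker who copies the victim's headers passes this test.
function sessguard_signature(array $server): string
{
    return hash('sha256',
        ($server['HTTP_USER_AGENT'] ?? '') . "\n" . ($server['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

// Records the owner on first use, otherwise checks the requester against it.
// Returns null when the request is allowed, or the error-log message otherwise.
function sessguard_check(array &$session, array $server, array $opts): ?string
{
    $ip   = $server['REMOTE_ADDR'] ?? '';
    $sign = sessguard_signature($server);

    if (!isset($session[$opts['ipname']])) {
        $session[$opts['ipname']]   = $ip;
        $session[$opts['signname']] = $sign;
        return null;
    }
    $owner = $session[$opts['ipname']];
    if ($opts['checkip']
        && sessguard_network_key($owner, $opts['classmask']) !== sessguard_network_key($ip, $opts['classmask'])) {
        return "Client with IP Address '$ip' tries to use the session defined by Client with IP Address '$owner'";
    }
    if ($opts['checksign'] && ($session[$opts['signname']] ?? '') !== $sign) {
        return "Client with IP Address '$ip' tries to use the session defined by another Client";
    }
    return null;
}

// Web bootstrap: reject the request and discard the session on a mismatch.
if (PHP_SAPI !== 'cli') {
    session_start();
    $msg = sessguard_check($_SESSION, $_SERVER, SESSGUARD_DEFAULTS);
    if ($msg !== null) {
        error_log($msg);                  // lands in the web server error log
        $_SESSION = [];
        session_regenerate_id(true);      // drop the presented session's data and ID
        http_response_code(403);
        exit('Session rejected');
    }
}
```

Because the bootstrap calls session_start() on every request, it suits applications that already rely on PHP's default session handling; an application that later calls session_start() itself with its own parameters will get a notice that a session is already active, so check the applications on the host before enabling it globally.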

 How to apply the patch:

  1. Get and extract the PHP 4.3.5 source, and configure it as usual:

    # cd /opt
    # tar xvfz php-4.3.5.tar.gz
    # cd php-4.3.5
    # ./configure --with-your-options...

  2. Download the patch and verify its MD5 checksum before applying it; the expected value is 02b9276997ee876daf11805d644b32b0:

    # cd /opt
    # md5sum session-fixation-php-4.3.5.patch
    02b9276997ee876daf11805d644b32b0  session-fixation-php-4.3.5.patch

     A matching checksum only shows that the download is intact; it does not by itself prove where the file came from.

  3. Apply the patch on the source tree (from /opt, so that the paths inside the patch resolve with -p0), then build and install:

    # cd /opt
    # patch -p0 < session-fixation-php-4.3.5.patch
    # cd php-4.3.5
    # make
    # make install


This site is maintained by jdelamarche@maje.biz