Cookie or not Cookie

Introduction

On a lot of forums I found this basic question about PHP sessions:

How to know if the client accept cookies ?

The easyest way I found is to start a session and look at the constant SID.

About sessions :

On the PHP manual you can find this introduction about sessions:

"Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL."

As propagating the session id in the URL isn't the safest way to do, most of sites use cookies, but users can choose to not accept cookies and the session id is propagated in the URL. By default the directive session.use_trans_sid is set to false, urls are not rewritten to send the SID and sessions are not available for users who don't accept cookies (see also directive session.use_only_cookies).

To avoid this you can :

• enable session.use_trans_sid and modifiy the directive url_rewriter.tags to set wich urls are rewritten

• or for some cases, manage yourself how urls are written depending on the user.

How to manage sessions without transparent SID?

First we have to know if the user accept cookies or not. When the session start (session_start()), the constant SID is defined and receive the session id if you don't use cookies, or an empty string ('') if you use cookies.

Example :

//to be sure use_trans_sid is disabled ini_set('session.use_trans_sid',0); //we start the session session_start(); if (SID=='') { //cookies are enabled $suffix =''; } else { //cookies are disabled //SID value is something like this: PHPSESSID=e3ba164e69b43fe5ee1a2f76355cb4ba $suffix = '?'.SID; // or $suffix ="?PHPSESSID=".session_id(); } if (!isset($_SESSION['count'])) $_SESSION['count'] = 0; else $_SESSION['count']++; echo '<a href="'.$PHP_SELF.$suffix .'">Reload this page</a>'; echo '<p>You have seen this page '.$_SESSION['count'].' times.</p>';

On the example, you can see that we send the GET variable PHPSESSID between each page to keep current session if cookies are disabled. On forms you can use an hidden input and send PHPSESSID by POST or GET method. But propagating the session id by url isn't safe because everybody can get your information if they found your session id, so I would suggest a way to add more security.

Suggesting a security issue

A basic issue is to change the session id between each pages. On the example below, uncomment line 11 and replace line 10 by session_regenerate_id(true) ; ( true to delete old sessions )

Another solution, is to have a fixed session id and use an temporary id to send in the URL. For this solution, you have to store an table of temporary id and corresponding sessions id, there is different way to do: file, database or shared memory. The example below use shared memory, it is given as a demonstration without any guarantees, I strongly advise to complete it to prevent attacks for sessions by cookies.

<?php ini_set('session.use_trans_sid',0); class shm_session { // $size = size of memory to allocate for sessions 1M-> +13100 sessions (6b/7b for array + 80b for each entry) // $address = memory address where to store table of TID and corresponding SID // [!] take care [!] before changing these values ($size and $address) you have to clean memory with method shm_session::clean_mem() private static $size='2M', $address=0xfff; // DO NOT CHANGE : internal use for semaphores private $sem=false; // The unique instance of this class (see singleton pattern) private static $instance; // The temporary id public $tid=false; // DO NOT CHANGE : true if user accept cookies, either false public static $cookie = false; // Private constructor private function shm_session($tid) { //We turn on output buffering otherwise headers are sent when we open shared memory and session can't start: ob_start(); // define the readable memory size $this->init_size(); // when we can we reserve the access to the block of memory with semaphore: if (is_callable('sem_get')) { $this->sem = sem_get (self::$address); if(!sem_acquire ($this->sem)) { trigger_error("Can't reserve shared memory address : ".self::$address,E_USER_WARNING); $this->sem=false; } } $datas = $this->read_datas(); if (isset($datas[$tid])) { //we force to load the right session $_GET['PHPSESSID']=$datas[$tid]; unset($datas[$tid]); } session_start(); //if cookies are enabled: if (SID=='') { self::$cookie = true; $this->tid=''; // we define the constant TID. Like SID if the user accept cookies TID value is an empty string if (!defined('TID')) define('TID',''); } else { // we define the new temporary id and save it in the shared memory: $this->tid= $this->regenerate_id() ; $datas[$this->tid]=session_id(); $this->write_datas($datas); // we define the constant TID. Like SID if the user doesn't accept cookies TID value is the string to send in the url if (!defined('TID')) define('TID','TID='.$this->tid); } if ($this->sem!==false) sem_release($this->sem); //Send the output buffer ob_end_flush(); } //to avoid clone of the object (see singleton pattern) private function __clone(){} // this method implement a basic conversion of the memory size // you can write 1M or 1024K or 1048576 (int or string) for size (1M500K make an error) private function init_size() { $size = self::$size; if (is_string($size)) { $c = strlen($size)-1; if ($size[$c]=='M'){ $size = ((int)$size) *1024*1024; } elseif ($size[$c]=='K') { $size = ((int)$size) *1024; } self::$size = (int)$size; } } // define here your own temporary id private function regenerate_id() { $tid= microtime(); if (isset($_SERVER['REMOTE_ADDR'])) $tid.= $_SERVER['REMOTE_ADDR'] ; if (isset($_SERVER['HTTP_USER_AGENT'])) $tid.= $_SERVER['HTTP_USER_AGENT']; // by default we return a hash of 32 characters return md5($tid); } private function open() { $shm_id = @shmop_open(self::$address, "c",0600, self::$size); if (!$shm_id) { if ($this->sem!==false) sem_release($this->sem); trigger_error("Can't open shared memory at address : ".self::$address,E_USER_WARNING); exit; } return $shm_id; } private function close($shm_id) { return @shmop_close($shm_id); } private function read_datas() { $shm_id=$this->open(); $datas = @shmop_read($shm_id, 0, self::$size); if (!$datas) $datas=array(); else { $datas = trim($datas); $l = strlen ($datas); $datas = unserialize($datas); //we delete the oldest session TID if memory is full if ($l>=(self::$size - 128) && is_array($datas)) { array_shift($datas); //we clean all the memory: @shmop_delete($shm_id); @shmop_write($shm_id,serialize($datas),0); } } $this->close($shm_id); return $datas; } private function write_datas($datas) { $shm_id = $this->open(); @shmop_write($shm_id, serialize($datas), 0); $this->close($shm_id); } public static function show_mem ($address = false) { if ($address===false) $address = self::$address; $shm_id = @shmop_open($address, "a", 0, 0); if (!$shm_id) return trigger_error("Can't open shared memory at address : ".$address,E_USER_WARNING); $shm_size = shmop_size($shm_id); $datas=trim(@shmop_read($shm_id,0,$shm_size)); @shmop_close($shm_id); $l= strlen ($datas); if (!$datas || $datas == '') return trigger_error("Shared memory at address : ".$address.' is empty',E_USER_WARNING); $d = @unserialize($datas); if (!is_array($d)) echo "<p><b>shm_session datas not found !</b></br>&nbsp;&nbsp;Returned String:</br>&nbsp;&nbsp;".$datas."</p>"; else { $c = count($d); $str=" <font size='1'> <table dir='ltr' border='1' cellspacing='0' cellpadding='1'> <tr> <th align='left' bgcolor='navy' colspan='3'> <span style='background-color: blue; color: white; font-size: x-large;'>( ! )</span> <span style='color: white;'><b>Shared Memory Status at address $address: $l used of size <i>$shm_size</i></b></span> </th> </tr> <tr><th align='left' bgcolor='aqua' colspan='3'>shm_sessions in memory: $c</th></tr> <tr> <th align='center' bgcolor='#eeeeec'>#</th> <th align='left' bgcolor='#eeeeec'>Temporary ID</th> <th align='left' bgcolor='#eeeeec'>Session ID</th> </tr>"; $i = 1; foreach ($d as $tid=>$sid) { $str.="<tr> <td bgcolor='#eeeeec' align='center'>$i</td> <td bgcolor='#eeeeec' align='left'>$tid</td> <td bgcolor='#eeeeec' align='left'>$sid</td> </tr>"; $i++; } $str .= "</table></font>"; echo $str; } } // delete memory block when you want to change the size or the adress public static function clean_mem($address = false) { if ($address===false) $address = self::$address; $shm_id = @shmop_open($address, "w", 0, 0); @shmop_delete($shm_id); @shmop_close($shm_id); } public static function create($tid=false) { if (!isset(self::$instance)) self::$instance = new shm_session($tid); return self::$instance; } //start a shm_session getting TID by POST or GET : public static function start() { $tid = isset($_POST['TID']) ? $_POST['TID'] : (isset($_GET['TID']) ? $_GET['TID'] : false); return self::create($tid); } } ?>

All is explained commented in the code, completed by the notes and the example below.

NOTES: The class shm_session use singleton pattern to have only one instance of the class (one session = one object only).

To create a new shm_session object you have the choice between two static methods :

• shm_session::create(optional $tid) // if you want to specify the temporary id by hand
• shm_session::start() // if the temporary id is send by GET or POST

Unless the visitor use cookies, if $tid is false or if no temporary id is found a new session start with a new temporary id, otherwise while constructing, the session id is got in the shared memory and the session start as if it was sent by url. You can use the static variable shm_session::$cookie to know if the visitor accept cookies and the constant TID to send the temporary id to the next page.

There is also two others public statics methods :

• shm_session::clean_mem(optional $address) // if you want to clean a memory segment
• shm_session::show_mem(optional $address) // to see all stored sessions and temporary ids

If you want to change the size of memory, or the address you have to clean it before with the method clean_mem , otherwise it may not function and return errors.

As semaphores don't function on Windows, they're not required but it's more safe with them. (not tested without)

EXAMPLE :

<?php //include the file that contain the class shm_session include_once('shm_session.php'); if (isset($_GET['clean'])) { // how to clean memory shm_session::clean_mem(); } // we start the session (the temporary id is automatically detected in GET variable) $shms = shm_session::start(); //an another method to start the session by hand: // $tid = isset($_GET['TID']) ? $_GET['TID'] : false; // $shms = shm_session::create($tid); // we set the suffix $suffix = '?'.TID; /* another method to set the suffix depending on the visitor preferences about cookies if (shm_session::$cookie) { // User accept cookies $suffix =''; } else { $suffix ="?TID=".$shms->tid; } */ if (!isset($_SESSION['count'])) $_SESSION['count'] = 0; else $_SESSION['count']++; $PHP_SELF = $_SERVER["PHP_SELF"]; echo '<a href="'.$PHP_SELF.'?clean=1">Clean Shared Memory Sessions</a></br>'; echo '<a href="'.$PHP_SELF.'">Reload this page with a new session</a></br>'; echo '<a href="'.$PHP_SELF.$suffix.'">Reload this page</br></a>'; echo '<p>You have seen this page '.$_SESSION['count'].' times.</p>'; // we show the memory status: shm_session::show_mem(); ?>

EXAMPLE SCREEN SHOOT :

Conclusion

We have seen that sessions in PHP are not easy as we can think. There is a lot of potential risks of security, we cannot just make a session_start( ) and pray god to save us from attacks.

As sessions by cookies are safest and because I think it's better to prevent attacks depending on the user preference about cookies, I've presented a way to protect sessions only when you don't use cookies letting you free to choose your method for sessions by cookies. Then I just aim at introduce basic concept, and let you dig to find your solution and not just copy and paste mine (it's more secure for my sites and for yours) so I give below some tracks to improve security that can be used with shm_session or not.

The method suggested at the PHP security consortium site (see one example here) use a fingerprint with user consistant informations (like user agent) that permit to identify if the visitor is the same between each pages, you can save the fingerprint in the variable $_SESSION or why not in the shared memory.In despite it reduce risks of hijacking attacks (it's a good idea to implement it), I have a critic about, if someone have captured your session id (the base for hijacking), I don't think it's difficult for him to have your user agent and sending it in his headers (if he has your session id he certainly has already captured your headers). With a simple PHP script that implement a browser everybody can send modified headers, as this method is well known it's not a security insurance. Another track can be to regenerate the session id if the user accept cookies and store it in the shared memory at the key of the temporary id, this would not break sessions when an user alternate connections with cookie and without, but this not protect efficiently againt hijacking attacks. Finally you can use shared memory with shm_session to store other informations (see session_set_save_handler ), and with solutions presented in this article I hope you have basis for a better protection against attacks on sessions and a better comprehension of sessions.

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPL)

About the author