[CLUE-Tech] PHP and Session Cookies

Jed S. Baer thag at frii.com
Fri Oct 25 15:00:15 MDT 2002


On Fri, 25 Oct 2002 14:43:52 -0700 (MST)
grant <grant at amadensor.com> wrote:

> One thing you can do is get all of your vars from $HTTP_POST_VARS if
> they should have been POSTed.  This will prevent URL sneakiness, and you
> will not have to look at the method.  There is an option for making the
> session stuff go on the URL, but it is in the php.ini file, as far as I
> know.

Yeah, that's the enable-trans-sid setting (also settable via .htaccess,
IIRC).

I do get all vars from the $HTTP_POST_VARS already (should switch to
$_POST though). Checking for the method is more along the lines of getting
an idea of whether somebody is probing the site for weaknesses, logging it,
and using that for any pro-active action if necessary. After all, "know your
enemy".

> My stuff, I just use the cookie, but I set them to never write to
> disk.  I only expect them to keep it in memory.  If they are entering
> any data that would require a login, but do not trust you enough to
> allow you to drop a cookie, this is a weird situation.

I agree. I just like to be as accommodating as possible, since that's what
I expect from the websites I visit.

> Answer:  Go with the cookie, and use HTTP_GET_VARS and HTTP_POST_VARS to
> decipher where the entries came from.  I can still fake a post as well
> as a GET, so it isn't really more secure.  POSTs only just prevent
> bookmarks. You should be checking the session every time around anyway.

True, a determined hacker will use the POST method as well. But I'm trying
to be Schneieresque here, and plug every hole I can think of. As it sits
now, every php page, except for "create new user", checks for the session,
and I've set the authenticate to check for the cookie.

Thanks,
jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
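What the two of them converge on (cookie-only sessions with trans-sid off, form input read from $_POST rather than the URL, the session checked on every page, and odd requests logged) can be packaged into one include file. The following is an added example for this archived thread, not code from Jed or grant; it targets PHP 7.3 or later (for the array form of session_set_cookie_params) and assumes the site is served over HTTPS and that a page named /login.php exists. Everything else it touches is standard PHP.

```php
<?php
// Added example, not from the thread: a bootstrap include, require()'d at the
// top of every page, that enforces cookie-only sessions and POST-only form
// handling and logs requests that arrive by the wrong method.
// Assumes PHP >= 7.3 and an HTTPS-only site; /login.php is a hypothetical page.

declare(strict_types=1);

function secure_session_start(): void
{
    // Never accept a session id from the URL and never append one to links;
    // this is the runtime equivalent of turning trans-sid off in php.ini.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session ids the server did not issue (blocks session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie, not persisted to disk
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only (assumption: site is HTTPS)
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call on every page except "create new user" and the login page itself.
function require_login(): void
{
    secure_session_start();
    if (empty($_SESSION['user_id'])) {
        log_probe('unauthenticated access');
        header('Location: /login.php', true, 303);
        exit;
    }
}

// Call at the top of a page that should only ever be POSTed to. Reading from
// $_POST alone already ignores query-string "sneakiness"; this adds the
// logging of unexpected methods, which is the point Jed makes above.
function require_post(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        log_probe('non-POST request to a POST-only page');
        header('Allow: POST');
        http_response_code(405);
        exit;
    }
}

// Fetch a form field from $_POST only (never $_REQUEST or $_GET), returning
// '' if it is absent or is not a plain string (e.g. a field[]=x array trick).
function post_field(string $name): string
{
    $v = $_POST[$name] ?? '';
    return is_string($v) ? $v : '';
}

// After a successful password check: issue a fresh session id so an id
// planted before login cannot be reused. Requires secure_session_start().
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function log_probe(string $why): void
{
    error_log(sprintf('[probe] %s ip=%s method=%s uri=%s',
        $why,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'));
}

// Typical use on a form-handling page (hypothetical field name):
//   require __DIR__ . '/bootstrap.php';
//   require_login();
//   require_post();
//   $displayName = post_field('display_name');
```

As grant notes, a determined attacker can send a POST as easily as a GET, so require_post() is bookmark hygiene plus a tripwire for the logs, not an access control; the session check in require_login() is the control, and the strict-mode and regenerate-on-login settings are what keep the cookie itself from being planted or guessed.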


