Re: Cookie not conserved across jump



..oO(Puzzled)

On Sun, 19 Apr 2009 09:37:41 -0400,
Jerry Stuckle <jstucklex@xxxxxxxxxxxxx> wrote:

How do you "jump from one program to another"? There is no jump
instruction in PHP (which is good!).

And without any code, it's impossible to tell what you might be doing wrong.

Sorry, I didn't think I needed to specify as there is only one
way to jump...or only one that I know of: header('Location:...')
(if there's more than one, I'd be glad to learn about it/them)

In the WWW this is not considered a jump. You're not jumping anywhere,
but sending the requesting UA (user agent) another URL, which in turn
just leads to another HTTP request. This is called a redirect.

The code in the first page is:

load_up_session_global() ;
build_and_cache_version_1() ;
// at this point, $_SESSION is stocked up with the bits
// the v2 page will need
header( 'Location: refresh_version_2.php' ) ;
exit() ;

1) Where's the session_start() call on the first page?

2) What do the first two functions do?

3) Are your sessions cookie-based? If you also allow the session ID to
be appended to URLs (which you should not for security reasons), you
would have to manually add the magic constant SID to any redirects.

4) Not related to your problem, but still a bug: The Location header
requires an absolute URL, including scheme and hostname. A relative URL
violates the HTTP spec.

refresh_version_2.php:

<?php session_start() ;

// examination shows $_SESSION is empty
// and that the cookie is different

A browser just sends the cookies it received before (leaving aside JS-
created cookies). You can check with Firefox's Live HTTP Headers (or HTTP
Live Headers? Can never remember the exact name ...) extension which
cookies and other headers were received from the server and which were
sent back.

Micha
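The points raised above (session_start() on both pages, cookie-only session IDs with no SID in URLs, an absolute URL in the Location header, and a way to confirm the cookie round-trips) put together as one added example. This is not code from the thread or from either poster; it is a hypothetical single-file demo where step=1 plays the role of the first page and step=2 the role of refresh_version_2.php, and absolute_url() and the stand-in session data are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Hypothetical single-file demo:
//   php -S 127.0.0.1:8080 session_redirect_demo.php
// then open http://127.0.0.1:8080/?step=1 in a browser.
declare(strict_types=1);

// Harden the session BEFORE session_start(): session ID only in the cookie
// (never appended to URLs as SID), HttpOnly so page scripts cannot read it,
// Secure when the site is served over HTTPS.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', $isHttps ? '1' : '0');
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3

// session_start() has to run on BOTH pages, before any output is sent.
// Without it on page 1, nothing is stored and page 2 gets a fresh, empty
// session with a new cookie, which is exactly the symptom in the thread.
session_start();

// Canonical host for building absolute redirect URLs. For the demo we fall
// back to HTTP_HOST; in production configure this value, because HTTP_HOST
// is taken from the request and should not drive where you redirect to.
$canonicalHost = 'localhost:8080'; // assumed value for the demo

// Build an absolute URL (scheme + host + path) for the Location header.
// Hypothetical helper, not something the thread or PHP provides.
function absolute_url(string $path, string $host, bool $https): string
{
    $scheme = $https ? 'https' : 'http';
    return $scheme . '://' . $host . '/' . ltrim($path, '/');
}

$step = $_GET['step'] ?? '1';

if ($step === '1') {
    // Stand-in for load_up_session_global() / build_and_cache_version_1():
    // stock $_SESSION with the bits the second page will need.
    $_SESSION['version'] = 1;
    $_SESSION['payload'] = ['built_at' => time(), 'items' => ['a', 'b', 'c']];
    $_SESSION['sid_on_page1'] = session_id();

    // 303 tells the browser to fetch the next page with GET; the URL is
    // absolute, and no SID is appended because the session is cookie-only.
    header('Location: ' . absolute_url('/?step=2', $canonicalHost, $isHttps), true, 303);
    exit;
}

// Page 2: the data stored before the redirect should still be here.
header('Content-Type: text/plain; charset=utf-8');
if (empty($_SESSION)) {
    echo "Session is empty on page 2.\n";
    echo "Check: did page 1 call session_start()? Did the browser send the\n";
    echo "cookie back (Cookie: " . session_name() . "=...)? Do cookie path and\n";
    echo "domain cover both URLs?\n";
    exit;
}
$sameId = ($_SESSION['sid_on_page1'] ?? '') === session_id();
echo "Session cookie name : " . session_name() . "\n";
echo "Same ID as page 1   : " . ($sameId ? 'yes' : 'no') . "\n";
echo "Stored before redirect: " . json_encode($_SESSION['payload']) . "\n";
```

To check the cookie round-trip without a browser extension, the same thing Live HTTP Headers would show can be seen with two curl calls: `curl -i -c jar.txt "http://127.0.0.1:8080/?step=1"` prints the Set-Cookie header and the absolute Location, and `curl -i -b jar.txt "http://127.0.0.1:8080/?step=2"` sends that cookie back and should print "Same ID as page 1: yes". If the second call reports an empty session, the cookie was not stored or not sent, which is the situation described in the thread.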