Security bug with PHPSESSID?!

Hi,

I installed status.net version 1.1.0 in our intranet. Everything works fine. But there is a serious situation that I want to explain: some users can log in and work. Other users can log in and work, but not with their own profile. They work with another logged-in profile. At the same time, the other user gets the session data from the different user.

Example:
User A > Logged in and post as User A
User B > Logged in and post as User B
User C > Logged in and posts as User B, and at the same time User B posts as User C, but User A still works as User A

What's wrong?
I see that in this case (for User B and C) every status.net URL (index.php/?PHPSESSID=se471iuirrasssfddnhsajsd72) is the same. That means, if 2 users get the same PHPSESSID (how is that possible??!), they swap profiles.

So, what can I do?!

Thanks. Kind regards,
DeepX

Comments

  • OK, a new status:
    User C has Firefox 3.6 (very, very, very old...) and gets no PHPSESSID.
    Fair enough. But status.net gives him the session ID of the next logged-in user. Why is that?
  • I'm pretty sure PHPSESSID means that PHP itself is assigning the sessions. As a workaround, in the Admin panel, under Sessions, you can check 'handle our own sessions' to let SN handle this.

  • Thank you for your answer.
    I checked the option 'handle our own sessions' since I know this bug. But I don't think that this option changed anything?!

    This morning, for example, I was working on statusnet. Every URL ended with the string "?PHPSESSID=se471iuirrasssfddnhsajsd72". So that's my PHPSESSID. I checked it via phpinfo.

    And I got a mail in my Outlook with a message from statusnet that another user sent me a message. And that URL looks like "http://domain/operations/index.php/notice/168?PHPSESSID=qolbntd8tphlp5v1i39vgj7j36"

    So, we know what happens when I click this link.
    Where can I switch this "give every link the PHPSESSID of the user" option off?
  • OK.. I found an interesting option in the .htaccess file:

    # NOTE: change this to your actual StatusNet base URL path,
    # minus the domain part:
    #
    # http://example.com/ => /
    # http://example.com/mublog/ => /mublog/
    #

    And when I changed the line to:
    RewriteBase /operations/

    I still work with my user and statusnet ignores the PHPSESSID from the link, I think.
    Hmm... strange, isn't it?
  • "I still work with my user and statusnet ignores the PHPSESSID from the link, I think." Nope. I thought wrong :(
  • In Drupal there is the same problem: http://drupal.org/node/4109
  • If you get PHPSESSID appended to your querystring, never share it with anyone.

    PHPSESSID usually gets sent as a cookie, so the fact that it's visible to the end user should come as no surprise. It's just usually hidden from the UI. But if you have a plaintext communication transcript, you'll see it gets sent to the server with every single HTTP request.

    So if you have used one user's PHPSESSID on another user's computer, this is expected functionality. If you wish to hide it from the querystring, configure your PHP installation accordingly.
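The PHP configuration the last comment points at, written out as an added example (not StatusNet code and not posted by anyone in this thread): with session.use_trans_sid on and session.use_only_cookies off, PHP appends ?PHPSESSID=... to the links it generates (which is how the ID ended up in the mailed notice URL) and also accepts a session ID from the query string, so whoever follows such a link adopts the sender's live session. The snippet turns both behaviours off before session_start(), strips a leaked ID from an incoming URL so the visitor is redirected to a clean one, and regenerates the ID at login. The function names and the sample URL are this example's own assumptions; the .htaccess lines in the comment assume mod_php.

```php
<?php
declare(strict_types=1);

// Added example, not StatusNet code. Equivalent php.ini / .htaccess (mod_php) settings:
//   session.use_trans_sid = 0      php_flag session.use_trans_sid off
//   session.use_only_cookies = 1   php_flag session.use_only_cookies on
//   session.use_strict_mode = 1    php_flag session.use_strict_mode on

// Hardened session bootstrap. Call before any output and instead of a bare
// session_start(). Assumes PHP 7.3+ for the cookie_samesite directive.
function bootstrapSession(): void
{
    ini_set('session.use_only_cookies', '1'); // never read the ID from ?PHPSESSID=...
    ini_set('session.use_trans_sid', '0');    // never append the ID to links and forms
    ini_set('session.use_strict_mode', '1');  // discard IDs the server did not issue
    ini_set('session.cookie_httponly', '1');  // cookie not readable from JavaScript
    ini_set('session.cookie_samesite', 'Lax');
    // ini_set('session.cookie_secure', '1'); // turn on once the intranet uses HTTPS
    session_start();
}

// Defence in depth for stale links (old mails, bookmarks) that still carry
// ?PHPSESSID=...: return the same URL without that parameter so the caller can
// redirect to it. The ID itself is never used; the visitor keeps (or gets) a
// cookie-based session of their own.
function stripSessionIdFromUrl(string $url, string $sidName = 'PHPSESSID'): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url;
    }
    parse_str($parts['query'], $query);
    unset($query[$sidName]);

    $clean  = isset($parts['scheme']) ? $parts['scheme'] . '://' : '';
    $clean .= $parts['host'] ?? '';
    $clean .= isset($parts['port']) ? ':' . $parts['port'] : '';
    $clean .= $parts['path'] ?? '';
    if ($query !== []) {
        $clean .= '?' . http_build_query($query);
    }
    if (isset($parts['fragment'])) {
        $clean .= '#' . $parts['fragment'];
    }
    return $clean;
}

// On successful login, issue a fresh ID so any ID the browser held before
// authenticating (for example one handed out in a link) cannot be reused by
// whoever knows it. Assumes bootstrapSession() has already been called.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true); // true: delete the old session data as well
    $_SESSION['user_id'] = $userId;
}

bootstrapSession();

// If an ID still arrives in the query string, bounce to the clean URL.
if (isset($_GET['PHPSESSID'])) {
    header('Location: ' . stripSessionIdFromUrl($_SERVER['REQUEST_URI']), true, 302);
    exit;
}

// Constructed sample of the kind of link quoted in the thread (the ID is made up).
$leaked = 'http://domain/operations/index.php/notice/168?PHPSESSID=qolbntd8tphlp5v1i39vgj7j36';
echo stripSessionIdFromUrl($leaked), PHP_EOL;
```

Two caveats worth knowing when applying this: session.use_strict_mode only rejects IDs the server never issued, which blocks classic fixation with an attacker-chosen ID but does nothing for the case in this thread, where the mailed ID belonged to a real, live session; it is session.use_only_cookies that stops the swap. And session.use_trans_sid exists for browsers that refuse cookies (the Firefox 3.6 user above), so turning it off means such users cannot stay logged in at all, which is the correct trade-off on a site where sessions carry identity.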