There is a strange-looking issue with PHP sessions when you keep them in files (the default handler) rather than in a database.

The symptom: sometimes $_SESSION contains all the values you saved, and sometimes it comes back as an empty array.

Refresh the page 10 times and perhaps 4 of those requests will see the session while the other 6 see it empty.

The problem is not domain-level cookie security or session expiry. It is the location of the session files. Call phpinfo() in any page and look at the session section: the setting session.save_path points to a directory such as /tmp or somewhere under /var on the local Linux filesystem, and that is where PHP writes one file per session.

In a cloud or load-balanced setup, different servers answer different requests. Each server's /tmp (or whatever directory is configured) is local to that machine and is not shared, so a request that lands on the server which wrote the session file finds the data, and a request that lands on any other server finds nothing.

Solution: call the PHP function below to point the session files at a directory that every server mounts (your shared storage), and call it before session_start(), otherwise the php.ini value is used. The example path below sits on shared storage under the site's directory; if you do that, keep the session directory outside the web root, or at least deny direct HTTP access to it, and make it readable and writable only by the web server user. A session file holds everything in $_SESSION, and if the directory is served as static content anyone who guesses a file name can read or replay those sessions.

eg:

session_save_path('/mnt/stor1-wc2-dfw1/4675/5044/to/your/website/rootfolder/or/inner/directory');

The same fix applies on Windows. ASP and ASP.NET applications have the equivalent problem when session state is kept inside the worker process on a web farm, and need a shared session store in the same way.
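The following is an added example (not code from the original post) that does what the solution above describes: it points PHP's file session handler at a shared directory, checks the directory before starting the session, and records which server answered each request so you can confirm the session really is shared. The path /mnt/shared-storage/php-sessions is an assumption standing in for whatever storage all your servers mount.

```php
<?php
// Added example (not from the original post): point PHP's file session handler
// at a directory every web node mounts, verify it before use, and record which
// node served each request so you can see whether the session really is shared.
declare(strict_types=1);

// Assumption: this path is on storage mounted on all servers and sits outside
// the web root, so the session files are never served as static content.
const SHARED_SESSION_DIR = '/mnt/shared-storage/php-sessions';

function configureSharedSessionDir(string $dir): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new LogicException('session already started; set the path before session_start()');
    }
    // Mode 0700: only the web server user can list or read the session files.
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("session directory $dir is not writable by the web server user");
    }
    session_save_path($dir);
    // Some distributions set session.gc_probability to 0 and clean the default
    // directory from a cron job instead; a custom directory gets no cleanup
    // unless PHP's own garbage collection is switched back on.
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');
    ini_set('session.gc_maxlifetime', '1440');
}

// Records the host that served this request and returns every host seen so far.
// If the list keeps growing across refreshes, all nodes read the same file; if
// it keeps resetting to a single entry, the session file is still local to one node.
function recordServingHost(): array
{
    $_SESSION['seen_on'] = $_SESSION['seen_on'] ?? [];
    $_SESSION['seen_on'][] = gethostname();
    $_SESSION['seen_on'] = array_values(array_unique($_SESSION['seen_on']));
    return $_SESSION['seen_on'];
}

configureSharedSessionDir(SHARED_SESSION_DIR);
session_start();

// Cross-check against what phpinfo() reports under session.save_path.
if (session_save_path() !== SHARED_SESSION_DIR) {
    throw new RuntimeException('session.save_path was not applied: ' . session_save_path());
}

header('Content-Type: text/plain');
echo 'session id: ' . session_id() . "\n";
echo 'served by: ' . implode(', ', recordServingHost()) . "\n";
```

Put the configuration call in a bootstrap file that every page includes before session_start(). A shared filesystem is the minimal change; if the mount is slow or has unreliable locking, a database, memcached or Redis session handler (session.save_handler) or sticky sessions at the load balancer solve the same problem without sharing files.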

Thanks

Sajith


· · · ◊ ◊ ◊ · · ·

Guess what happens if you add an image like the one below to your HTML page:

<img src="http://mail.google.com/mail/?logout&hl=en" />

Nothing shows up on the page, but the browser still sends the request, complete with your Google cookies, and your Google account in the other window or tab gets logged out. An external website has just logged you out of Gmail or Orkut.

Suppose you coded your website to delete a photo or object through a URL like www.domainname.com/photos/delete?id=221. You may think that because you check authentication on the server, nobody else can delete your file. But what if you are logged in to your site in one tab and in a second tab you open another website belonging to an attacker? He can place hundreds of hidden images with src=www.domainname.com/photos/delete?id=22, trying ids from 0 to 1,000 or 10,000, and any one of them may be your object.

The authentication check passes, because the browser attaches your cookies and session to every request it makes to your site, regardless of which tab or website triggered the request, so the attacker's request updates or deletes your content.

Those who think "I use the POST method, so I am safe": sorry, you are wrong. JavaScript on the attacker's page can build a form whose action is your site and submit it automatically, and the browser sends it with your cookies just like the image request. An external website can submit your forms that way (for example, the form that changes the e-mail address you registered with, after which the attacker requests a password reset to that address and takes over the account).

A CAPTCHA stops it, but it is impractical to put a CAPTCHA on every form. The practical defence is an additional parameter, a randomly generated string that the attacker cannot guess, sent along with the GET URL or the POST form and verified by the server before it acts.

For example, look at the URL Gmail uses to delete a mail:

http://mail.google.com/mail/?ui=2&ik=42e598c952&at=xn3j2ufyx273muje67ot1fsxsnbmnl&view=up&act=tr&rt=j&search=inbox

Besides the parameters that carry the actual request, there is an extra random string (the at parameter). An external site cannot predict the exact URL needed to delete a particular mail, so an img with that src fails here.

The same thing is needed for POST: add a hidden field carrying the random string, and have the server compare it with the value it issued before updating the database. The string must come from a cryptographically secure random generator, be tied to the user's session so that one user's token is useless to another, and be checked on every state-changing request. Better still, do not let a GET URL change anything at all: links leak through browser history, proxy logs and the Referer header, while a hidden image can only ever issue a GET.
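The following is an added example (not code from the original post) of the random-string defence described above, serving both the GET URL case and the POST form case: one unguessable token per session, stored server-side, embedded as a hidden field, and compared in constant time before anything is written to the database. The form actions /account/email and /photos/delete, the field name csrf_token and the e-mail form fields are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a per-session anti-CSRF token
// for the "change e-mail" form and the photo delete action discussed above.
// The form actions, field names and /photos/delete URL are assumptions.
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';

// Issues one unguessable token per session and stores it server-side.
function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_FIELD])) {
        // 32 bytes from the CSPRNG; the attacker's page can neither read nor guess it.
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// True only if the submitted value equals the session's token. hash_equals()
// compares in constant time, so timing leaks nothing about the token; the
// is_string() check rejects arrays an attacker can send as csrf_token[]=x.
function csrfCheck(mixed $submitted): bool
{
    $expected = $_SESSION[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Aborts the request unless it is a POST carrying a valid token.
function requireCsrfPost(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrfCheck($_POST[CSRF_FIELD] ?? null)) {
        http_response_code(403);
        exit('request rejected: missing or invalid CSRF token');
    }
}

// The "change e-mail" form with the hidden token field.
function renderChangeEmailForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/account/email">'
         . '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">'
         . '<input type="email" name="email">'
         . '<button type="submit">Change e-mail</button>'
         . '</form>';
}

// The delete action as a POST form instead of a GET link: a hidden image can
// only issue GETs, and the token stops a scripted POST from the attacker's page.
function renderDeletePhotoForm(int $photoId): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/photos/delete">'
         . '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">'
         . '<input type="hidden" name="id" value="' . $photoId . '">'
         . '<button type="submit">Delete</button>'
         . '</form>';
}

// Handler side, at the top of /photos/delete and /account/email:
//   session_start();
//   requireCsrfPost();
//   ... only now touch the database ...
```

Regenerate the token on login (after session_regenerate_id()) so a token captured from an earlier anonymous session is not valid for the authenticated one. Modern browsers add a second layer with the SameSite cookie attribute, but the server-side comparison is the check you control and should not be dropped in favour of it.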

This attack is called CSRF – Cross-Site Request Forgery.

Thanks
Sajith
