Is the $_SESSION secure?

Is the $_SESSION secure?

Neil Kandalgaonkar
I have been making the assumption that in MediaWiki, the $_SESSION is
hidden from the
user. While applications may use the session to obtain data that's later
shown to the user,
there should be no way for the user to obtain the entire $_SESSION
contents.

So, for instance, I can hide a temporary secret there.

Is that a good assumption?

--
Neil Kandalgaonkar ( ) <[hidden email]>

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: Is the $_SESSION secure?

Roan Kattouw-2
2010/9/23 Neil Kandalgaonkar <[hidden email]>:

> I have been making the assumption that in MediaWiki, the $_SESSION is
> hidden from the
> user. While applications may use the session to obtain data that's later
> shown to the user,
> there should be no way for the user to obtain the entire $_SESSION
> contents.
>
> So, for instance, I can hide a temporary secret there.
>
> Is that a good assumption?
>
As far as I know, yes. MediaWiki sets a session cookie with an ID that
uniquely identifies the session. The session data itself is stored in
some session storage (by default we let PHP handle it, on WMF we stick
it in memcached, I believe). So unless there's some ridiculous
vulnerability allowing people to obtain the value of arbitrary keys in
$_SESSION, you should be fine AFAIK.

Roan Kattouw (Catrope)


Re: Is the $_SESSION secure?

Ryan Lane-2
> As far as I know, yes. MediaWiki sets a session cookie with an ID that
> uniquely identifies the session. The session data itself is stored in
> some session storage (by default we let PHP handle it, on WMF we stick
> it in memcached, I believe). So unless there's some ridiculous
> vulnerability allowing people to obtain the value of arbitrary keys in
> $_SESSION, you should be fine AFAIK.
>

The contents of that session on the server are unencrypted, correct?
Depending on what the secret is, he may or may not want to use it. For
instance, that is probably a terrible place to put credit card numbers
temporarily.

-- Ryan Lane


Re: Is the $_SESSION secure?

Trevor Parscal-2
In fact, I advised Aurthur not to store exactly that (credit card
information) in sessions for this reason - but I also think there are
few things that are as sensitive as credit card information, passwords,
and social security numbers.

- Trevor

On 9/23/10 2:24 PM, Ryan Lane wrote:

>> As far as I know, yes. MediaWiki sets a session cookie with an ID that
>> uniquely identifies the session. The session data itself is stored in
>> some session storage (by default we let PHP handle it, on WMF we stick
>> it in memcached, I believe). So unless there's some ridiculous
>> vulnerability allowing people to obtain the value of arbitrary keys in
>> $_SESSION, you should be fine AFAIK.
>>
> The contents of that session on the server are unencrypted, correct?
> Depending on what the secret is, he may or may not want to use it. For
> instance, that is probably a terrible place to put credit card numbers
> temporarily.
>
> -- Ryan Lane

Re: Is the $_SESSION secure?

Neil Kandalgaonkar
In reply to this post by Ryan Lane-2
On 9/23/10 2:24 PM, Ryan Lane wrote:

> The contents of that session on the server are unencrypted, correct?
> Depending on what the secret is, he may or may not want to use it. For
> instance, that is probably a terrible place to put credit card numbers
> temporarily.

Good point, but in this case I'm just storing the path to a temporary file.

The file isn't even sensitive data; it's just a user-uploaded media file
for which the user has not yet selected a license, although we
anticipate they will in a few minutes.

--
Neil Kandalgaonkar ( ) <[hidden email]>


Re: Is the $_SESSION secure?

Marco Schuster-2
On Fri, Sep 24, 2010 at 1:36 AM, Neil Kandalgaonkar <[hidden email]> wrote:

> On 9/23/10 2:24 PM, Ryan Lane wrote:
>
>> The contents of that session on the server are unencrypted, correct?
>> Depending on what the secret is, he may or may not want to use it. For
>> instance, that is probably a terrible place to put credit card numbers
>> temporarily.
>
> Good point, but in this case I'm just storing the path to a temporary file.
>
> The file isn't even sensitive data; it's just a user-uploaded media file
> for which the user has not yet selected a license, although we
> anticipate they will in a few minutes.
If it's user-uploaded, take care of garbage collection; actually, how
does PHP handle it if you upload a file and then don't touch it during
the script's runtime? Will it automatically be deleted after the
script is finished or after a specific time?

Marco


--
VMSoft GbR
Nabburger Str. 15
81737 München
Geschäftsführer: Marco Schuster, Volker Hemmert
http://vmsoft-gbr.de


Re: Is the $_SESSION secure?

Tim Starling-2
On 24/09/10 10:00, Marco Schuster wrote:
> If it's user-uploaded, take care of garbage collection; actually, how
> does PHP handle it if you upload a file and then don't touch it during
> the script's runtime? Will it automatically be deleted after the
> script is finished or after a specific time?

It's deleted on request shutdown.

-- Tim Starling



Re: Is the $_SESSION secure?

Dmitriy Sintsov
* Tim Starling <[hidden email]> [Fri, 24 Sep 2010 11:15:41 +1000]:
> On 24/09/10 10:00, Marco Schuster wrote:
> > If it's user-uploaded, take care of garbage collection; actually, how
> > does PHP handle it if you upload a file and then don't touch it during
> > the script's runtime? Will it automatically be deleted after the
> > script is finished or after a specific time?
>
> It's deleted on request shutdown.
>
One probably can rename it to another temporary name? Then move to final
location during the next request, according to previously passed
cookie?

Speaking of cookies, there are millions of ways of looking at them, FF's
WebDeveloper extension, HTTP headers extension, Wireshark application to
name just a few. Absolutely non-secure, when unencrypted.
Dmitriy


Re: Is the $_SESSION secure?

Robert Leverington-4
On 2010-09-24, Dmitriy Sintsov wrote:
> One probably can rename it to another temporary name? Then move to final
> location during the next request, according to previously passed
> cookie?
>
> Speaking of cookies, there are millions of ways of looking at them, FF's
> WebDeveloper extension, HTTP headers extension, Wireshark application to
> name just a few. Absolutely non-secure, when unencrypted.

Session data is not stored in cookies, only a unique session identifier
is passed to the client.

Robert


Re: Is the $_SESSION secure?

Dmitriy Sintsov
* Robert Leverington <[hidden email]> [Fri, 24 Sep 2010 06:57:03 +0100]:
> On 2010-09-24, Dmitriy Sintsov wrote:
> > One probably can rename it to another temporary name? Then move to final
> > location during the next request, according to previously passed
> > cookie?
> >
> > Speaking of cookies, there are millions of ways of looking at them, FF's
> > WebDeveloper extension, HTTP headers extension, Wireshark application to
> > name just a few. Absolutely non-secure, when unencrypted.
>
> Session data is not stored in cookies, only a unique session identifier
> is passed to the client.
>
I think the question wasn't about the session data (part of which
(username,id) is passed via cookies, but you're right, only a hash), but
about uploading the file in a few "stages".
Dmitriy


Re: Is the $_SESSION secure?

Antoine Musso-3
In reply to this post by Neil Kandalgaonkar
On 24/09/10 01:36, Neil Kandalgaonkar wrote:
> Good point, but in this case I'm just storing the path to a temporary file.
>
> The file isn't even sensitive data; it's just a user-uploaded media file
> for which the user has not yet selected a license, although we
> anticipate they will in a few minutes.

Hello Neil,

The file path might be sensitive, you do not want to potentially expose
your path hierarchy. At least, I would not do it :)

About your issue, assuming the media file has been entered in the
image/media database table:

- When the user is redirected to a new page upon upload, you might just
pass the file ID by parameter / session.

- When the user is allowed to upload several files and then is prompted
for licences, you might just look at the database for files owned by
user for which licence is null.



--
Ashar Voultoiz



Re: Is the $_SESSION secure?

Platonides
In reply to this post by Tim Starling-2
Neil: Yes.


Tim Starling wrote:
> On 24/09/10 10:00, Marco Schuster wrote:
>> If it's user-uploaded, take care of garbage collection; actually, how
>> does PHP handle it if you upload a file and then don't touch it during
>> the script's runtime? Will it automatically be deleted after the
>> script is finished or after a specific time?
>
> It's deleted on request shutdown.
>
> -- Tim Starling

If the file is not moved away, there's no point in storing its path in
$_SESSION as it won't be available on next request (it could be used for
parameter passing in globals but that's not proper style).

If the file is moved somewhere else, then you need to garbage collect it
in case the upload is never finished.
A find -delete from cron removing files older than a couple of days
could be enough.
It would be nice to be able to attach delete handlers to memcached keys
for the cases when there's "something more" that needs deleting (this is
the same problem we also had with the temp dbs for selenium tests).


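The cron clean-up suggested in the last message, as an added example that is not part of the original thread or of MediaWiki: a shell function that removes stashed uploads that were never completed. The function name, the stash directory and the two-day default are assumptions; `-mindepth`, `-mmin` and `-delete` are GNU/BSD `find` extensions rather than POSIX.

```shell
#!/bin/sh
# Added example (hypothetical helper, not MediaWiki code).
#
# purge_stale_uploads DIR [DAYS]
#   Deletes regular files under DIR last modified more than DAYS days ago
#   and prints how many were removed. DAYS defaults to 2.
purge_stale_uploads() {
    dir=$1
    days=${2:-2}

    # A cron job running with the web server's rights must not be steerable
    # to another location: require an absolute path to a real directory.
    case $dir in
        /*) ;;
        *) echo "refusing non-absolute path: $dir" >&2; return 2 ;;
    esac
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 2
    fi

    # Reject anything that is not a whole number before it reaches find.
    case $days in
        ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 2 ;;
    esac

    # -xdev       stay on the stash filesystem
    # -mindepth 1 never consider the stash directory itself
    # -type f     skip directories and any symlinks planted in the stash
    # -mmin       age in minutes, avoiding -mtime's whole-day rounding
    minutes=$((days * 1440))
    find "$dir" -xdev -mindepth 1 -type f -mmin "+$minutes" -print -delete |
        wc -l | tr -d ' '
}
```

Run it from the crontab of the account that owns the stash directory, so the job holds no more rights than the upload code that created the files.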