Hiding Session Id

**ori** · 09.05.09, 13:36

1 thing i realised is cookies expire on my server every 30 mins on inactivity the way i got around this was setcookie function if ya smart can use it to make a update function for sessions thru cookies

**synergyx2009** · 09.05.09, 20:47

Originally posted by djlee View Post

then if like what im guessing is default LL you pass the sid between pages in the GET header i simply find an xss hole in your site (there is one in a specific location on most LL sites that havent been security checked) and then use this that js file is then able to successfully forward the user to a php page on my site which notes the passed sid which the js file grabbed from the url prior to redirection, then forwards to back to the online user list or whatever thinking that the page just didnt load. (this was a POC, with a little messing i could have had it do all that and still display the page just fine).. i then simply send a message to the owner "hey check out my awesome sig/text/avatar/wateva in my profile, they view it, i grab their sid, jump on their account and commit mass deletion ofcourse since im using JS file with some playing and tweaking, since the JS runs client side and ur on the cookies domain before redirecton i could also steal any cookies stored too, so saving session ids to cookies is also a little bit unsecure, but its a lot more secure than other methods and with other security stuff in there saving sessions or even the uid/passhash to a cookie is perfectly fine

ok but wat happens if session expires after lets say 10 - 15mins. then there is nothing you can do with that hash.

**ori** · 10.05.09, 08:37

the limit on server is used as a default u can set how long til the cookies expire for ur site using a small code

**capofret** · 10.05.09, 11:08

Originally posted by jsyguy23 View Post

im not taken credit for what you gave me this was before you helped me when i was useing

PHP Code:


session_cache_limiter('none'); ///// i put this at top of every page
session_start();
ob_start();
ini_set('url_rewriter.tags', 'ses=$ses');

session_destroy(); /// this at bottom of every page

Options +Indexes
<IfModule mod_php4.c>
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
</IfModule> /// this in haccess file

now im useing a lil bit of what you gave me pluss what oris helped me on

where do i put these??:confused: i tried it but didnt work.

**jsyguy23** · 10.05.09, 12:10

na they wont work thats what i used now i use dif code that loony and ori helped me with

**Anshul** · 10.05.09, 12:11

Originally posted by capofret View Post

where do i put these??:confused: i tried it but didnt work.

after

<?
on every page

PHP Code:


session_cache_limiter('none'); ///// i put this at top of every page
session_start();
ob_start();
ini_set('url_rewriter.tags', 'ses=$ses');

in htaccess

Code:

Options +Indexes
<IfModule mod_php4.c>
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
</IfModule> /// this in haccess file
[/codebox]

**jsyguy23** · 10.05.09, 12:19

Originally posted by Spook View Post

after

<?
on every page

PHP Code:


session_cache_limiter('none'); ///// i put this at top of every page
session_start();
ob_start();
ini_set('url_rewriter.tags', 'ses=$ses');

in htaccess

Code:

Options +Indexes
<IfModule mod_php4.c>
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
</IfModule> /// this in haccess file
[/codebox]

spook this code dont work lol so there no point in showing them where

**jsyguy23** · 10.05.09, 12:23

this is what i use in lava

PHP Code:


session_name("PHPSESSID"); /// top of every page
session_start();
$_SESSION['uid']=$_REQUEST['$sid'];

remove the sid=$sid from all the links

PHP Code:


session_destroy(); // this in your logout code

this is what ori and loony gave me to use and it works

**Anshul** · 10.05.09, 16:41

in htaccess

Code:

php_value session.use_cookies 0 
php_value session.use_trans_sid 0
php_flag register_globals Off
php_value magic_quotes_gpc 0
php_value magic_quotes_runtime 0
php_value magic_quotes_sybase 0

in ur config file or wateve just make sure call that file after <? on that page

PHP Code:


Error_Reporting(E_ALL & ~E_NOTICE);
ini_set('arg_separator.output', '&amp;');
ini_set('session.name', 'SID');
ini_set('session.gc_maxlifetime','3600');
@session_start();
define('SID', session_name().'='.session_id());

login page

PHP Code:


<?
    $nickname = $_POST['nickname'];
    $password = $_POST['password'];
    $q = mysql_query("SELECT id FROM `users` WHERE `nickname` = '".$nickname."' AND `password` = '".md5($password.md5($password))."' LIMIT 1;");
    if(mysql_num_rows($q) == 0)
    {
    echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    echo "<!DOCTYPE wml PUBLIC \"-//WAPFORUM//DTD WML 1.3//EN\" \"http://www.wapforum.org/DTD/wml13.dtd\"><wml>\n";
    echo "<card title=\"ERROR\" ontimer=\"index.php\"><timer value=\"15\"/><p align=\"left\">\n";
    echo "You are not logged in or your session has been expired<br/>\n";
    echo "</p></card></wml>";
    ob_end_flush();
    exit();
    }
    else 
    {
    $user = mysql_fetch_array($q);
    $id = $user['id'];
    $_SESSION['id'] = $id;
    $_SESSION['password'] = $password;
    }
    
    # other pages links
    echo "<a href=\"index.php?".SID."&amp;nocache=".$nocache."&amp;v=".$v."\">Downloads</a><br/>\n";
    
    
?>

other pages

PHP Code:


<?
# authentication for other pages
$id = $_SESSION['id'];
$password = $_SESSION['password'];
$q = mysql_query("SELECT `level` FROM `users` WHERE `id` = '".$id."' AND `password` = '".md5($password.md5($password))."';");

if(mysql_num_rows($q) == 0)
{
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
echo "<!DOCTYPE wml PUBLIC \"-//WAPFORUM//DTD WML 1.3//EN\" \"http://www.wapforum.org/DTD/wml13.dtd\"><wml>\n";
echo "<card title=\"ERROR\" ontimer=\"index.php\"><timer value=\"15\"/><p align=\"left\">\n";
echo "You are not logged in or your session has been expired<br/>\n";
echo "</p></card></wml>";
ob_end_flush();
exit();
}
else
{
$user = mysql_fetch_array($q);
$level = $user['level'];
}
?>

**ori** · 11.05.09, 11:03

seriously a much smaller code can achieve a beta result lol

and lava lair is already messy enough pmpl

**Anshul** · 11.05.09, 15:41

then why dont you post it here mate

i had posted wat i seems to be better lol .

**ori** · 12.05.09, 02:07

some of this code u may need to put on several pages i didnt as my site runs off my index page

this went at top index page under <?php

PHP Code:


session_name("PHPSESID");
session_start();

this went in login page

PHP Code:


$GetSession = fetch_array("sesid",sessions,"LOWER(username) = LOWER('$nick')");
if(empty($GetSession))$sesid = NewSessionID($nick,$_SERVER['HTTP_USER_AGENT'],ip(),subno(ip()));
else $sesid=$GetSession;
$_SESSION['username'] = fetch_array("username",members,"LOWER(username) = LOWER('$nick')");
$_SESSION['ses'] = $sesid;
$_SESSION['uid'] = fetch_array(id,members,"LOWER(username) = LOWER('$_SESSION[username]')");

this went in logout page

PHP Code:


delete(sessions,"LOWER(username) = LOWER('$_SESSION[username]')");
session_unset();
session_destroy();

**synergyx2009** · 12.05.09, 19:22

ok this code looks better but does it hide the session at all?

**mcKeny** · 14.05.09, 04:40

Originally posted by synergyx2009 View Post

ok this code looks better but does it hide the session at all?

yeah it hide it.............lol dont try using that code now, unless your using clause and object

Code:

<?php
 
 header('Content-type: application/xhtml+xml');

	echo "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>";

	echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">";






define( 'MC_DIR', dirname(__FILE__) . '/' );

require_once( MC_DIR. 'global.inc.php' );


require_once( MC_DIR. 'base.php' );

COMMUNITY::run_script();
?>

B)

**djlee** · 16.05.09, 18:05

Originally posted by synergyx2009 View Post

ok but wat happens if session expires after lets say 10 - 15mins. then there is nothing you can do with that hash.

unless ur gonna force exit the session of the user after 10/15 mins then your point has no validity. ok i cant leave my script running grabbing sids and use them later, but hell all i need to do is get you to go to the page with the malicious code (which is easy) grab ur sid and change my sesid and us ur account while ur still on it .. forget to logout and destroy that session then i can be on it for as long as i want

Hiding Session Id

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment