Wednesday, September 23, 2009

Session Denial: session id contains illegal characters

This morning I woke up, went over to StackOverflow (yes, I admit I've been quite active answering questions on SO lately) and saw this question: Session hijacking or attack?

The asker, Toto, saw these in his error logs:
[22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /var/my_files/class.session.php on line 67 
[22-Sep-2009 21:13:52] PHP Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
[22-Sep-2009 21:13:52] PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0


The first thing I thought before answering the question was that obviously the client had tampered with the PHP session cookie (the cookie name is "PHPSESSID" by default): the value it sent back contained characters outside the set that PHP's file-based session handler accepts for a session id, which is exactly what the first two warnings say.

So what we can do to prevent these errors is to simply reset the ID whenever the session fails to start:

<?php

$ok = @session_start();          // suppress the "illegal characters" warning from the first attempt
if (!$ok) {
    session_regenerate_id(true); // replace the session ID (true also deletes the old session file)
    session_start();             // restart the session, since the previous start failed
}

?>

Note that a tampered PHPSESSID does not by itself let the sender read or write files on your server: the files save handler rejects the id before it touches the disk, which is what the warnings above record. What it can do is flood your error log, three warnings per request, and so on. With this snippet such requests simply get a fresh session id, while normal users are unaffected.

One caveat: session_regenerate_id() only acts on an active session and returns false otherwise, so if a failed session_start() left no session active, the call is a no-op and the second session_start() is handed the same tampered cookie again. Checking the cookie value against the allowed character set (a-z, A-Z, 0-9, '-' and ',') before the first session_start() avoids that.

This protection has been added to the Samstyle PHP Framework (after v1.2.11).
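As an added example (not code from the original post, and not the Samstyle PHP Framework's own code), here is the pre-start validation of the cookie described above. It assumes PHP 7 or later; the function names, the 128-character length cap and the log message are this example's own choices:

```php
<?php
// Added example, not code from the original post or the Samstyle PHP Framework.
// Validates the client-supplied session id before session_start() so that a
// tampered PHPSESSID is discarded instead of being passed to the save handler.
// Assumes PHP 7+; function names, the length cap and the log text are
// this example's own choices.

/**
 * True when $id uses only the characters named in PHP's warning
 * (a-z, A-Z, 0-9, '-' and ','). The 128-character cap is an added
 * sanity limit, not a PHP rule. Non-strings (e.g. PHPSESSID[]=x) fail.
 */
function is_valid_session_id($id): bool
{
    return is_string($id) && preg_match('/^[a-zA-Z0-9,-]{1,128}$/', $id) === 1;
}

/**
 * Start the session, discarding a client-supplied id that fails validation.
 * Returns true when a tampered id was discarded, false otherwise.
 */
function start_session_safely(): bool
{
    $name = session_name();   // "PHPSESSID" unless session.name was changed
    $discarded = false;

    // With the default session.use_only_cookies=1 only the cookie matters;
    // if you accept ids via URL, check $_GET[$name] / $_POST[$name] the same way.
    if (isset($_COOKIE[$name]) && !is_valid_session_id($_COOKIE[$name])) {
        // One log line per event instead of three warnings per request.
        error_log(sprintf('Discarding invalid session id from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        // session_start() reads the id from $_COOKIE; removing the entry makes
        // it generate a fresh id and send a new Set-Cookie header.
        unset($_COOKIE[$name]);
        $discarded = true;
    }

    session_start();
    return $discarded;
}

// Usage: call before any output, then use $_SESSION as normal.
$tampered = start_session_safely();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
```

If you would rather pick the replacement id yourself than let PHP generate one, `session_id(bin2hex(random_bytes(16)))` before `session_start()` does that; hex output stays inside the allowed character set.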

2 comments:

Rafael said...

Thank you, this helped solve a problem I was rather flabbergasted by!

thephpdeveloper said...

Hi Rafael

Awesome! No problem at all.

Cheers
Sam