|
Title: PHPSESSID showing in URL field Post by: riX on June 08, 2012, 07:42:36 PM Using firefox:
go to PM inbox (tab1) open new tab with bitcointalk (tab2) logout in tab 2 go to tab 1, refresh page you'll see warning+password prompt in tab 1 login again in tab 2 go back to tab 1, clock "home" link watch url field, it will include PHPSESSID=aabbccddee112233445566778899 Feels like a potential security risk to me, might be hard to exploit but anyway... Also, can anyone reproduce this, I've only tried on one computer, otherwise it might not be a problem. Title: Re: PHPSESSID showing in URL field Post by: davout on June 08, 2012, 08:32:33 PM That's hardly a security issue since it gets transmitted with HTTPS.
Title: Re: PHPSESSID showing in URL field Post by: i_rape_bitcoins on June 08, 2012, 09:22:21 PM Using firefox: go to PM inbox (tab1) open new tab with bitcointalk (tab2) logout in tab 2 go to tab 1, refresh page you'll see warning+password prompt in tab 1 login again in tab 2 go back to tab 1, clock "home" link watch url field, it will include PHPSESSID=aabbccddee112233445566778899 Feels like a potential security risk to me, might be hard to exploit but anyway... Also, can anyone reproduce this, I've only tried on one computer, otherwise it might not be a problem. Hi, this is not an security issue. The easiest way to replicate this is to disable cookies, which then the forum software tries to have your session id stored through a query string to maintain a stateful browsing experience. If you have cookies enabled, the session id will be stored in the header "Cookie" which gets passed every request you make. From a security standpoint, this makes no difference as the session id is passed either way, whether you do or do not have cookies enabled. Plus, your connection to the forum is encrypted, improbable for a man in the middle attack to steal your session id and login as you. Title: Re: PHPSESSID showing in URL field Post by: riX on June 10, 2012, 09:36:34 AM Yes, I wasn't thinking about mitm-attacks, more like that it's visible on the screen, and also that people might be posting links including their session id. Example: https://bitcointalk.org/index.php?topic=52367.msg703356#msg703356
Also, might it not get transferred in the referrer? I'm getting this with cookies enabled.. Title: Re: PHPSESSID showing in URL field Post by: theymos on June 10, 2012, 05:59:57 PM Also, might it not get transferred in the referrer? Most browsers don't send referrers for HTTPS sites. Title: Re: PHPSESSID showing in URL field Post by: riX on June 10, 2012, 06:29:45 PM Ok then, I'm just paranoid :P
Title: Re: PHPSESSID showing in URL field Post by: check_status on June 11, 2012, 05:42:17 AM There is another way to see PHPSESSID without working so hard.
Go here: https://50.97.137.52 Accept security exceptions. Enjoy. |