Bitcoin Forum
Author Topic: PHPSESSID showing in URL field  (Read 3033 times)
riX
Sr. Member, Activity: 327
June 08, 2012, 07:42:36 PM  #1

Using firefox:
go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, click "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899

Feels like a potential security risk to me, might be hard to exploit but anyway...

Also, can anyone reproduce this? I've only tried on one computer, otherwise it might not be a problem.

davout
Legendary, Activity: 1358
June 08, 2012, 08:32:33 PM  #2

That's hardly a security issue since it gets transmitted with HTTPS.

i_rape_bitcoins
Member, Activity: 70
June 08, 2012, 09:22:21 PM  #3

Quote from: riX on June 08, 2012, 07:42:36 PM
Using firefox:
go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, click "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899

Feels like a potential security risk to me, might be hard to exploit but anyway...

Also, can anyone reproduce this? I've only tried on one computer, otherwise it might not be a problem.

Hi, this is not a security issue. The easiest way to replicate this is to disable cookies, after which the forum software tries to store your session id in a query string to maintain a stateful browsing experience.

If you have cookies enabled, the session id will be stored in the "Cookie" header, which gets passed with every request you make. From a security standpoint, this makes no difference, as the session id is passed either way, whether you do or do not have cookies enabled.

Plus, your connection to the forum is encrypted, so it is improbable for a man-in-the-middle attack to steal your session id and log in as you.

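The fallback described above (PHP putting the session id into the query string when no cookie arrives) is a configurable behaviour. The following is an added example written for this thread, not SMF's or the forum's own code; it assumes PHP 7.3+ and that it runs before session_start() and before any output is sent.

```php
<?php
// Added example (not SMF's or the forum's own code): a hardened PHP session
// bootstrap that switches off the PHPSESSID-in-URL fallback discussed above.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and that this
// file runs before any output is sent.

declare(strict_types=1);

function harden_session_config(): void
{
    // Never fall back to ?PHPSESSID=... when the cookie is missing; the id
    // must travel in the Cookie header only. These two settings are what
    // would have kept the id out of the address bar in the thread above.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session ids the server did not itself generate.
    ini_set('session.use_strict_mode', '1');
    // Cookie flags: sent over HTTPS only, not readable by scripts.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Defensive check: a PHPSESSID in the URL means the id is on screen and will
// be copied into pasted links, so do not honour it and redirect to the same
// URL without it. Returns the clean URL, or null if nothing needs removing.
function strip_session_id_from_url(array $get, string $requestUri): ?string
{
    $name = session_name(); // "PHPSESSID" unless reconfigured
    if (!array_key_exists($name, $get)) {
        return null;
    }
    unset($get[$name]);
    $path  = parse_url($requestUri, PHP_URL_PATH) ?: '/';
    $query = http_build_query($get);
    return $query === '' ? $path : $path . '?' . $query;
}

harden_session_config();
$clean = strip_session_id_from_url($_GET, $_SERVER['REQUEST_URI'] ?? '/');
if ($clean !== null) {
    header('Location: ' . $clean, true, 302);
    exit;
}
session_start();
```

With use_only_cookies set, a visitor who has cookies disabled simply cannot stay logged in, which is the trade-off for never exposing the id in URLs.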
riX
Sr. Member, Activity: 327
June 10, 2012, 09:36:34 AM  #4

Yes, I wasn't thinking about MITM attacks, more that it's visible on the screen, and also that people might be posting links including their session id. Example: https://bitcointalk.org/index.php?topic=52367.msg703356#msg703356
Also, might it not get transferred in the referrer?

I'm getting this with cookies enabled.

theymos
Administrator, Legendary, Activity: 2492
June 10, 2012, 05:59:57 PM  #5

Quote from: riX on June 10, 2012, 09:36:34 AM
Also, might it not get transferred in the referrer?

Most browsers don't send referrers for HTTPS sites.

riX
Sr. Member, Activity: 327
June 10, 2012, 06:29:45 PM  #6

Ok then, I'm just paranoid :P

check_status
Full Member, Activity: 196
June 11, 2012, 05:42:17 AM  #7

There is another way to see PHPSESSID without working so hard.

Go here:
https://50.97.137.52
Accept security exceptions.
Enjoy.
