Bitcoin Forum
Author Topic: PHPSESSID showing in URL field  (Read 3228 times)
riX (OP)
Sr. Member
****
Offline Offline

Activity: 326
Merit: 252



View Profile
June 08, 2012, 07:42:36 PM
 #1

Using firefox:
go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, click "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899

Feels like a potential security risk to me, might be hard to exploit but anyway...

Also, can anyone reproduce this, I've only tried on one computer, otherwise it might not be a problem.

Sorry, I can't help you with your lost password.

PGP key: 0x9F31802C79642F25
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1007


1davout


View Profile WWW
June 08, 2012, 08:32:33 PM
 #2

That's hardly a security issue since it gets transmitted with HTTPS.

i_rape_bitcoins
Member
**
Offline Offline

Activity: 70
Merit: 10



View Profile
June 08, 2012, 09:22:21 PM
 #3

Quote from: riX (OP)
Using firefox:
go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, click "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899

Feels like a potential security risk to me, might be hard to exploit but anyway...

Also, can anyone reproduce this, I've only tried on one computer, otherwise it might not be a problem.

Hi, this is not a security issue. The easiest way to replicate this is to disable cookies, after which the forum software tries to keep your session id in a query string to maintain a stateful browsing experience.

If you have cookies enabled, the session id will be stored in the header "Cookie" which gets passed every request you make. From a security standpoint, this makes no difference as the session id is passed either way, whether you do or do not have cookies enabled.

Plus, your connection to the forum is encrypted, making it improbable for a man-in-the-middle attack to steal your session id and log in as you.

~I_RAPE_BITCOINS~
riX (OP)
Sr. Member
****
Offline Offline

Activity: 326
Merit: 252



View Profile
June 10, 2012, 09:36:34 AM
 #4

Yes, I wasn't thinking about mitm-attacks, more like that it's visible on the screen, and also that people might be posting links including their session id. Example: https://bitcointalk.org/index.php?topic=52367.msg703356#msg703356
Also, might it not get transferred in the referrer?

I'm getting this with cookies enabled.

Sorry, I can't help you with your lost password.

PGP key: 0x9F31802C79642F25
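Added example, not code from the thread or from the forum software: a small Python checker for the two concerns raised above, the cookie-fallback behaviour that puts PHPSESSID in the query string (post #3) and session ids ending up in shared links or Referer values (post #4). It flags log entries whose request URI or Referer carries the parameter and strips it from a link before the link is shared. The log lines, host names and the session id value are constructed samples.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter PHP appends when it falls back to URL-based session propagation.
SESSION_PARAM = "PHPSESSID"

# Combined-log format (ip ident user [time] "METHOD URI PROTO" status bytes "referer" "ua").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def carries_session_id(url: str, param: str = SESSION_PARAM) -> bool:
    """True if the URL's query string contains the session-id parameter."""
    query = urlsplit(url).query
    return any(k == param for k, _ in parse_qsl(query, keep_blank_values=True))

def strip_session_id(url: str, param: str = SESSION_PARAM) -> str:
    """Return the URL without the session-id parameter; path and fragment are kept."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def find_session_leaks(log_lines):
    """Return (field, url) for every request URI or Referer that carries the session id."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        for field in ("uri", "referer"):
            value = m.group(field)
            if value and value != "-" and carries_session_id(value):
                leaks.append((field, value))
    return leaks

# Constructed sample log: a request with the id in the URI, a request whose Referer
# carries it (the link-sharing case), and a clean request.
SID = "aabbccddee112233445566778899"  # constructed, same illustrative value as the thread
SAMPLE_LOG = [
    f'203.0.113.5 - - [08/Jun/2012:19:42:36 +0000] "GET /index.php?{SESSION_PARAM}={SID}&action=pm HTTP/1.1" 200 5120 "https://forum.example/index.php?topic=1.0" "Mozilla/5.0"',
    f'203.0.113.5 - - [08/Jun/2012:19:43:01 +0000] "GET /index.php?topic=52367.0 HTTP/1.1" 200 8000 "https://forum.example/index.php?{SESSION_PARAM}={SID}&action=pm" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2012:19:44:10 +0000] "GET /index.php?topic=52367.0 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for field, url in find_session_leaks(SAMPLE_LOG):
        print(f"session id in {field}: {url} -> safe to share as {strip_session_id(url)}")
```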
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5152
Merit: 12580


View Profile
June 10, 2012, 05:59:57 PM
 #5

Quote from: riX (OP)
Also, might it not get transferred in the referrer?

Most browsers don't send referrers for HTTPS sites.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
riX (OP)
Sr. Member
****
Offline Offline

Activity: 326
Merit: 252



View Profile
June 10, 2012, 06:29:45 PM
 #6

Ok then, I'm just paranoid :P

Sorry, I can't help you with your lost password.

PGP key: 0x9F31802C79642F25
check_status
Full Member
***
Offline Offline

Activity: 196
Merit: 100


Web Dev, Db Admin, Computer Technician


View Profile
June 11, 2012, 05:42:17 AM
 #7

There is another way to see PHPSESSID without working so hard.

Go here:
https://50.97.137.52
Accept security exceptions.
Enjoy.

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then 1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA