Old 02-10-2005, 08:16 AM   #1 (permalink)
Admin
Keeping sessions unique when someone links with SESSID?

A little history: I have a site that I just set up. We have been getting several hundred orders a day and many of them are corrupt (i.e. missing items or having extra items). I have looked over the checkout scripts 20 times and can't find any problems. I cannot reproduce the problem on my end and my client cannot reproduce the problem on her end.

Yesterday I was looking at our referrers and noticed that our largest referrer was linking to the site with a session id appended to the end of the URL! I went ahead and followed that link using Firefox and then opened up another session on my laptop (following the same link). Both systems were using the same session, adding and removing items from each other. This appears to be the cause of all my frustration.

Now, my question is: how do I ensure that only one user has a session open at a time? I don't want to query the database on every page, as this site will be generating massive traffic in the next couple of months. Keeping everything as lightweight as possible is ideal....
Old 02-10-2005, 08:26 AM   #2 (permalink)
sde
i don't get it, .. why do you even use the session id in the url? session_id() returns the current session id. take this code for example, it will only start a session if a session_id does not exist:
PHP Code:
<?php
// only start a session if one is not already running
if (!session_id()) {
  session_start();
}
?>
it seems like if you just went by session_id() instead of the url session id, it would be fine. am i missing something?
Old 02-10-2005, 08:32 AM   #3 (permalink)
sde
so thinking upon this a little more, .. if the rest of your shopping cart depends on that get variable, .. then just set it with session_id() at the top of the page:
PHP Code:
<?php
if (!session_id()) {
  session_start();
}
// expose the real id under the name the rest of the cart code already reads
$_GET['sessid'] = session_id();
?>
then you wouldn't have to modify any of the other code?
Old 02-10-2005, 08:52 AM   #4 (permalink)
technobard
Quote:
Originally Posted by sde
i don't get it, .. why do you even use the session id in the url? session_id() returns the current session id. take this code for example, it will only start a session if a session_id does not exist:
PHP Code:
<?php
// only start a session if one is not already running
if (!session_id()) {
  session_start();
}
?>
it seems like if you just went by session_id() instead of the url session id, it would be fine. am i missing something?
One "maybe" correction: I thought you had to call session_start() first. Even if a session has already been started on a prior page. My understanding (and that's very limited on this area of PHP) is that a cookie is used to store PHPSESSIONID on the client or is that optional?

Anyway, I came across this PHP Security article recently:
PHP Session Security
Ways to prevent session hijacking (intentional or accidental) are covered.
Old 02-10-2005, 08:54 AM   #5 (permalink)
Admin
Turn cookies off and then browse a PHP site using sessions. It will automatically put the session id in the URL. Then if you send that link to your friend they will have the same session as you. Fun.
Old 02-10-2005, 08:55 AM   #6 (permalink)
Admin
Techno, thanks for that link. I will read up for sure.
Old 02-10-2005, 09:13 AM   #7 (permalink)
technobard
Quote:
Originally Posted by Admin
Turn cookies off and then browse a PHP site using sessions. It will automatically put the session id in the URL. Then if you send that link to your friend they will have the same session as you. Fun.
Ouch! That sucks. Just another idea gleaned from concepts in that article: you could use HTTP_REFERER. If the domain from HTTP_REFERER is within your website, you know it was the same session, just a different page. If the domain is outside of your website, you know it was probably a session id that was part of the URL. Just in case, you can prompt for the userid and password (assuming there is one). If that fails, you can generate a new session id. People leaving the site and coming back without cookies enabled could lose their session info if the site does not require a login to add items to a shopping cart. Other than that, it might even work.
Old 02-10-2005, 09:16 AM   #8 (permalink)
sde
i think that sounds like a winnAr!
Old 02-10-2005, 09:18 AM   #9 (permalink)
sde
oh, and http://codenewbie.com/test.php is an example of that code i posted above, .. except it is echoing the session id afterwards.

i have read about session_start() being at the top of every page too, but maybe that is just to assure that if someone enters from a different page, their session is started.
Old 02-11-2005, 09:04 AM   #10 (permalink)
Admin
REFERRER! that is why i love this forum. i am going to add a check in for that and i _should_ be all set. thanks man.
Old 02-11-2005, 06:17 PM   #11 (permalink)
technobard
Hey, Admin. You've probably coded the solution already, but I just had to post this followup. If you have access to php.ini, you can set the following:

session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. Defaults to the empty string.

Cool, huh? I was looking for something else and came across this (story of my life). Anyway, on the off chance you haven't written any code to check things yet, this might be a more centralized solution with no coding required. The only thing that bothers me is the wording: "if the Referer was sent by the client". This seems strange. If you cut and paste or type the URL, HTTP_REFERER is null. The same thing if you link to it in an email. I don't know if that's covered by this. A test is the only way to be sure. Either way, be sure and post the solution.
Old 02-12-2005, 08:23 AM   #12 (permalink)
idx
Turn off trans_sid in your php.ini so your site requires the use of cookies.. I don't always like to do this, but I don't think it's out of the question..

This might be mentioned in the session security link that technobard posted, but you may want to save a unique key in the session that is made up with the user's user agent/etc... Maybe even run that string through md5() and compare that on each page.

eg:
PHP Code:
  // hash the user agent together with a fixed server-side string, then store it in the session
  $str = md5($_SERVER['HTTP_USER_AGENT'] . md5("foo string goes here"));
  $_SESSION['MAGIC_STRING'] = $str;
.. then check that var each time to ensure it's the same..

-r
Old 02-12-2005, 01:28 PM   #13 (permalink)
Admin
I am just checking the referrer to ensure that it is from the original domain. Here is the session stuff....

PHP Code:
<?php
// stop search engines from getting a session
$searchengines = array("MSNBot", "Google", "Fast", "Slurp", "W3C_Validator");
$is_search_engine = 0;
foreach ($searchengines as $key => $val)
{
  if (isset($_SERVER['HTTP_USER_AGENT']) && stristr($_SERVER['HTTP_USER_AGENT'], $val))
  {
    $is_search_engine++;
  }
}

// if not an engine, and the visitor came from our own domain, do session stuff
if ($is_search_engine == 0
    && isset($_SERVER['HTTP_REFERER'])
    && stristr($_SERVER['HTTP_REFERER'], "wristbands4awareness"))
{
  session_start();

  if (empty($_SESSION["rand_uid"]))
  {
    $_SESSION["rand_uid"] = rand(1, 99999999999999999);
  }
}

Example:
http://www.wristbands4awareness.com/...319eacd7d7ac9f

Hit that page and then view source. At the very bottom there is some info about referrer & your rand_uid value. There shouldn't be a value for the rand_uid since the referrer is codenewbie. Hit a link on the site and then you _should_ have a uid value at the bottom...

Yea?
Old 02-12-2005, 04:57 PM   #14 (permalink)
ender
I'm curious as to what happens in this case where someone and their friend are browsing the site and the friend finds something cool. He then sends the link to the original surfer. According to your method, he will have a referrer of the site as well, but still hijack his friend's cart. I could be wrong though. I probably am.

-Ted
Old 02-12-2005, 06:07 PM   #15 (permalink)
technobard
Ender, any link sent to the original surfer (or others) that is either a) clicked on in an email or b) cut and pasted into the browser will have a null HTTP_REFERER. To have a non-null value, the link has to be part of a hosted webpage. You can test this by copying Admin's example link and pasting it into your browser. If you view source for the page, the referrer is null. It's easier to see the difference if you just click on the link and view source first. Look for codenewbie.com at the bottom. Then try the same thing by copying and pasting the URL. This should prevent session hijacking in the way you described.
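Pulling the thread's defensive ideas together as an added example (not code posted by anyone in this thread): the two php.ini settings idx mentions are applied in code so a SESSID in the URL is never read or emitted, the user-agent binding is done with a keyed HMAC instead of md5, and session_regenerate_id() discards whatever id the client presented before any cart data is attached, which is what stops two browsers following the same link from sharing one cart. The environment variable name SESSION_BIND_SECRET is an assumption.

```php
<?php
// Added example, not code from the thread. Session bootstrap that removes the
// root cause discussed above: an id arriving in the URL is never adopted.
// SESSION_BIND_SECRET is an assumed name for a server-side secret.
declare(strict_types=1);

function secure_session_start(string $secret): bool
{
    // 1. Cookies only: replaces trans_sid, so no SESSID is read from or written to URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server never issued (a guessed or fixated id gets a fresh one instead).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3

    session_start();

    // 2. Bind the session to the client as idx suggested, but with a keyed HMAC so the
    //    value cannot be recomputed from a guessed user agent alone.
    $fingerprint = hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', $secret);

    if (!isset($_SESSION['_bind'])) {
        // Fresh session: issue a new id before any cart data exists, so an id that
        // arrived via a shared link is dropped rather than reused.
        session_regenerate_id(true);
        $_SESSION['_bind'] = $fingerprint;
        return true;
    }

    if (!hash_equals($_SESSION['_bind'], $fingerprint)) {
        // A different client presented a known id: discard its data and start over.
        session_unset();
        session_regenerate_id(true);
        $_SESSION['_bind'] = $fingerprint;
        return false;
    }
    return true;
}

// Call once at the top of every page, before any output is sent.
$ok = secure_session_start(getenv('SESSION_BIND_SECRET') ?: 'dev-only-placeholder');
if (!$ok) {
    error_log('session binding mismatch; session was reset');
}
```

With use_only_cookies on, the referer check debated above is no longer needed to keep carts apart, and the email and copy-paste cases ender and technobard discuss simply start a new empty session.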
Powered by vBulletin® Version 3.7.0
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.