Author Topic: PHPSESSID  (Read 477 times)

ivica

  • Nilas ice
  • Posts: 1044
  • Kelele
  • Liked: 56
  • Likes Given: 0
PHPSESSID
« on: August 31, 2020, 06:32:29 PM »

oren

  • First-year ice
  • Posts: 6292
  • Liked: 2311
  • Likes Given: 1945
Re: PHPSESSID
« Reply #1 on: August 31, 2020, 08:06:52 PM »
I don't. Not EU though.
Maybe try different browsers?

kassy

  • Nilas ice
  • Posts: 2457
  • Liked: 1174
  • Likes Given: 1020
Re: PHPSESSID
« Reply #2 on: August 31, 2020, 08:17:44 PM »
Not either (EU). Might be a forum hiccup?
This monument is to acknowledge that we know what is happening and what needs to be done. Only you know if we did it.

ivica

  • Nilas ice
  • Posts: 1044
  • Kelele
  • Liked: 56
  • Likes Given: 0
Re: PHPSESSID
« Reply #3 on: August 31, 2020, 08:24:14 PM »
Thanks for the feedback info, folks.

I do not see it as browser dependent, but maybe IP-address dependent, because when using Tor and playing with the "Tor circuit" it can sometimes be avoided.

more info:

see also "Topic: Forum authentication broken"
https://forum.arctic-sea-ice.net/index.php/topic,2767.msg207703.html#msg207703

Noticed it first a few months ago; the feature goes on and off, persistent for a few hours, like something being under test.

Steven

  • Grease ice
  • Posts: 633
  • Liked: 198
  • Likes Given: 17
Re: PHPSESSID
« Reply #4 on: August 31, 2020, 08:58:40 PM »
Do you see PHPSESSID section in ASIF links?

It's probably because you disabled cookies.  If I disable third-party cookies in Chrome, then I also get the phpsessid query parameter.  It disappears when I enable cookies.

https://stackoverflow.com/a/1370974

ivica

  • Nilas ice
  • Posts: 1044
  • Kelele
  • Liked: 56
  • Likes Given: 0
Re: PHPSESSID
« Reply #5 on: August 31, 2020, 09:14:47 PM »
Steven, cookies are not blocked in Edge browser but the issue remains.

The number of paths/Tor circuits for Tor Browser which are issue-free seems to decrease over time (a few months).

ivica

  • Nilas ice
  • Posts: 1044
  • Kelele
  • Liked: 56
  • Likes Given: 0
Re: PHPSESSID
« Reply #6 on: September 01, 2020, 12:38:17 AM »
Thank you all! Since no one else confirms it, it must be an issue with the PC in use here.

Anyway, let me report the current situation:
its behaviour is not consistent; a way to recreate the issue is:
   open browser,
   open Forum page,    (issue present)
   refresh the page.   (no issue)

Forum pages used:
ASIF:   https://forum.arctic-sea-ice.net/
SMCF:    https://www.simplemachines.org/community/index.php
SPF:    http://www.sciphysicsforums.com/spfbb1/

ASIF appears more vulnerable to the issue than the other 2 forums under test; overall, the issue shows up more often on Tor Browser than on Edge browser.

The issue examples (ASIF uses "PHPSESSID", SMCF uses "P", SPF uses "sid"):
Recent Posts: https://forum.arctic-sea-ice.net/index.php?PHPSESSID=cfa14b8979522d8480791646cc6e6d80&action=recent
Recent Posts: https://www.simplemachines.org/community/index.php?P=833d8decb1dfe48cde059af6556931a7&action=recent
SPF example : http://www.sciphysicsforums.com/spfbb1/viewforum.php?f=6&sid=5e2c9f2e5cf2c639920049a9884b322d

nanning

  • Nilas ice
  • Posts: 2374
  • 0Kg CO₂, 37 KWh/wk,125L H₂O/wk, No offspring
  • Liked: 294
  • Likes Given: 20088
Re: PHPSESSID
« Reply #7 on: September 01, 2020, 07:36:33 AM »
From: https://en.wikipedia.org/wiki/Session_ID

As session IDs are often used to identify a user that has logged into a website, they can be used by an attacker to hijack the session and obtain potential privileges. A session ID is usually a randomly generated string to decrease the probability of obtaining a valid one by means of a brute-force search. Many servers perform additional verification of the client, in case the attacker has obtained the session ID. Locking a session ID to the client's IP address is a simple and effective measure as long as the attacker cannot connect to the server from the same address, but can conversely cause problems for a client if the client has multiple routes to the server (e.g. redundant internet connections) and the client's IP address undergoes Network Address Translation.

Examples of the names that some programming languages use when naming their cookie include JSESSIONID (Java EE), PHPSESSID (PHP), and ASPSESSIONID (Microsoft ASP).
"It is preoccupation with possessions, more than anything else, that prevents us from living freely and nobly" - Bertrand Russell
"It is preoccupation with what other people from your groups think of you, that prevents you from living freely and nobly" - Nanning
Why do you keep accumulating stuff?
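An added example, not from any poster in this thread: a Python script that spots the session-ID query parameters the thread lists ("PHPSESSID", "P" and "sid") in web-server access-log lines and redacts them, since a session ID carried in a URL ends up in logs, browser history and Referer headers, which is exactly how the hijack the Wikipedia excerpt describes becomes possible. The log lines are constructed; the IDs in them are the ones quoted earlier in the thread.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names seen carrying a session ID in the thread:
# "PHPSESSID" (ASIF), "P" (SMCF) and "sid" (SPF).
SESSION_PARAMS = {"PHPSESSID", "P", "sid"}
# The quoted values are all 32 lowercase hex characters, PHP's default session ID shape.
HEX_TOKEN = re.compile(r"^[0-9a-f]{32}$")
# Request target inside a Common Log Format line, e.g. "GET /index.php?... HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def find_session_ids(url):
    """Return [(param, value), ...] for session IDs carried in the URL's query string."""
    query = urlsplit(url).query
    return [(n, v) for n, v in parse_qsl(query, keep_blank_values=True)
            if n in SESSION_PARAMS and HEX_TOKEN.match(v)]

def redact_session_ids(url):
    """Return the URL with each session-ID value replaced, so it is safe to log or share."""
    parts = urlsplit(url)
    params = [(n, "REDACTED" if n in SESSION_PARAMS and HEX_TOKEN.match(v) else v)
              for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params)))

def scan_log(lines):
    """Return (original_line, redacted_line) for every log line whose request leaks a session ID."""
    leaks = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and find_session_ids(m.group(1)):
            leaks.append((line, line.replace(m.group(1), redact_session_ids(m.group(1)))))
    return leaks

# Constructed sample log (client addresses from the documentation ranges; the IDs are the ones quoted in the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2020:00:38:17 +0000] "GET /index.php?PHPSESSID=cfa14b8979522d8480791646cc6e6d80&action=recent HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Sep/2020:00:38:20 +0000] "GET /index.php?action=recent HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Sep/2020:00:39:02 +0000] "GET /community/index.php?P=833d8decb1dfe48cde059af6556931a7&action=recent HTTP/1.1" 200 7010',
    '198.51.100.7 - - [01/Sep/2020:00:39:40 +0000] "GET /spfbb1/viewforum.php?f=6&sid=5e2c9f2e5cf2c639920049a9884b322d HTTP/1.1" 200 3300',
]

if __name__ == "__main__":
    for original, redacted in scan_log(SAMPLE_LOG):
        print(redacted)
```

On the server side the same leak is avoided at the source by keeping PHP's session ID in a cookie only (session.use_only_cookies=1, session.use_trans_sid=0), which is the setting Steven's observation about disabled cookies points at.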

ivica

  • Nilas ice
  • Posts: 1044
  • Kelele
  • Liked: 56
  • Likes Given: 0
Re: PHPSESSID
« Reply #8 on: September 01, 2020, 09:20:13 AM »
nanning, to increase the fun from it ;) malicious activity has been considered, but I have no observation to support it yet.
Disabling cookies as per Steven's suggestion makes the issue persistent.

nanning

  • Nilas ice
  • Posts: 2374
  • 0Kg CO₂, 37 KWh/wk,125L H₂O/wk, No offspring
  • Liked: 294
  • Likes Given: 20088
Re: PHPSESSID
« Reply #9 on: September 01, 2020, 10:37:37 AM »
I don't think it was malicious activity ivica.
But someone else who has your active PHPSESSID and the domain, may be able to get into your session (being you) while it is still active if there are no other safeguards. I am no expert in this. My programming days were more than a decade ago.

The wiki info explains a bit what the meaning is of the Session_id (PHPSESSID in PHP script).
Nice that you have solved it with Steven's advice.

FYI
I have all cookies on but they are all deleted when I close my browser (firefox on gnu/linux gnome2).
It is the safest way imo. The drawback is having to log in with your credentials every time you start the browser, and clicking away all the cookie warnings. It is tedious but becomes routine quickly. I have the login passwords encrypted in .7z files so I don't have to remember the password, just a much easier one, because there is no way to get to that password file via the Internet in normal circumstances. My computer needs to be broken into for that to happen.

ivica

  • Nilas ice
  • Posts: 1044
  • Kelele
  • Liked: 56
  • Likes Given: 0
Re: PHPSESSID
« Reply #10 on: September 01, 2020, 11:10:30 AM »
Thanks for the heads-up,
the issue is declared as a minor one for now. Planned activities will stress this PC system much more soon so time will tell. My case closed.
Thank you all!