[TYPO3-dev] Severe error caused by "solution" of session fixation bug
Christopher Lörken
christopher at loerken.net
Fri Feb 6 16:47:08 CET 2009
Although you have agreed to what I've written, I'd like to continue the
discussion about the session id safety that you have mentioned in the
"session fixation" thread.
So please let me reply to that post here, since this is the actual place
where it belongs:
Marcus Krause wrote:
> Christopher Lörken wrote:
>
>> This is indeed a behavior I do not get when visiting typo3.org or
>> typo3.net, which both seem to use older Typo3 versions since they still
>> have the fe_typo_user id that is limited to 10 characters; a security
>> flaw which has indeed resulted in involuntary session hijacking before.
>> Compare this post of Dmitry:
>>
>> http://lists.netfielders.de/pipermail/typo3-team-core/2008-September/019185.html
>
> I'm not aware of any highjacking of sessions due to 10 char limitation.
Now that puzzles me a bit since Dmitry wrote in that very post I referenced:
"I have this problem on a real site. It is very rare, so not a real
security issue. But it exists and I want to get rid of it. Users do not
really like to see when they are logged in as someone else."
>
>
>> We have roughly 5000 unique IPs hitting the site each day and close to
>> 2000 unique users that log in within 24 hours. Every user seems to store
>> multiple entries in fe_sessions, so the chance of hitting one at random
>> does at least seem to exist to me...
>
> SIDs change only if a user isn't logged in. Of course there's a
> possibility that two users get the same SID. But this is more
> theoretical - like winning a lottery and immediately getting hit by a
> thunderbolt. And then a SID might be limited to a full IP or parts of
> the IP.
Due to the bug, our site ran for a few days as if IPlock were set to 0.
Since that is a valid setting in the configuration, it is a setup that
we can assume some sites run.
I have roughly stated our user load, and I do not think that we run the
most visited Typo3 site out there. The fact that it happened a reported
20 times since January 30th (a mere week ago), and an accordingly higher
number of times where the users did not care to report it, looks like
quite a lot of lottery winners getting struck by a lightning bolt to me.
If you have 200 thousand page views in a week and lots of users with
valid sessions in fe_sessions this _does happen_!
For me, the question is not if it happens but how to avoid it so that I
can be sure that it does not happen again.
Even with an IP lock of 4, you can think of setups where huge numbers of
users access your site through a proxy... The session id has to be more
unique than it is now.
But I'm certainly neither an expert on this topic nor really involved in
Typo3 core development, so please forgive me if my comments seem
inappropriate or unrealistic here.
Regards,
Christopher
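Added example (not part of the thread above and not TYPO3 code): a small
Python script that puts numbers on the "lottery" argument. It takes the
size of the session-id space (assumed: 10 or 32 characters over a hex or
alphanumeric alphabet; the thread does not say which alphabet the old
fe_typo_user id used) and the number of sessions alive in fe_sessions,
and returns the birthday-paradox probability that two of them share an
id. It also contrasts a uniformly random generator built on the
`secrets` module with a constructed weak generator that produces
10-character ids from only a million distinct values. All names, the
weak generator and the session counts are hypothetical.

```python
"""Birthday-bound estimate for session-id collisions (added example, not TYPO3 code)."""
import math
import random
import secrets
import string
from typing import Callable

HEX = string.hexdigits[:16]                    # "0123456789abcdef"
ALNUM = string.ascii_letters + string.digits   # 62 symbols


def id_space(length: int, alphabet: str = HEX) -> int:
    """Number of distinct ids a uniform generator can produce."""
    return len(alphabet) ** length


def collision_probability(space: int, n: int) -> float:
    """P(at least two of n uniformly drawn ids coincide).

    Uses 1 - exp(-n(n-1)/(2*space)); expm1 keeps precision for tiny values.
    """
    if n < 2:
        return 0.0
    if n > space:
        return 1.0  # pigeonhole: more ids than values
    return -math.expm1(-n * (n - 1) / (2.0 * space))


def sessions_for_probability(space: int, p: float) -> int:
    """Approximate number of live sessions at which P(collision) reaches p."""
    return math.ceil(math.sqrt(-2.0 * space * math.log1p(-p)))


def new_session_id(length: int = 32, alphabet: str = HEX) -> str:
    """Uniformly random id from the OS CSPRNG (secrets -> os.urandom)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def weak_id_factory(seed: int, distinct: int = 10 ** 6, length: int = 10) -> Callable[[], str]:
    """Constructed weak generator: looks like a 10-char hex id but only
    `distinct` values can ever come out, e.g. a clock-seeded PRNG hash."""
    rng = random.Random(seed)

    def make() -> str:
        return format(rng.randrange(distinct), f"0{length}x")

    return make


def count_collisions(make_id: Callable[[], str], n: int) -> int:
    """Generate n ids and count how many repeat an earlier one."""
    seen: set = set()
    dup = 0
    for _ in range(n):
        sid = make_id()
        if sid in seen:
            dup += 1
        else:
            seen.add(sid)
    return dup


if __name__ == "__main__":
    live_sessions = 20_000  # assumed: entries alive in fe_sessions at once
    for length, alphabet, name in ((10, HEX, "10 hex"), (10, ALNUM, "10 alnum"),
                                   (32, HEX, "32 hex")):
        space = id_space(length, alphabet)
        print(f"{name:>9}: P(collision | {live_sessions} sessions) = "
              f"{collision_probability(space, live_sessions):.3e}; "
              f"50% at ~{sessions_for_probability(space, 0.5)} sessions")
    print("weak 10-char generator, 20000 ids:", count_collisions(weak_id_factory(1), live_sessions), "repeats")
    print("secrets-based 32-hex generator, 20000 ids:", count_collisions(new_session_id, live_sessions), "repeats")
```

The point of the last two lines is that id length alone says nothing: a
10-character id drawn uniformly from 16^10 values needs on the order of a
million concurrent sessions before a collision becomes likely, whereas a
generator with little real entropy collides within a few thousand ids
however long its output looks. Both the length and the source of
randomness have to be right.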