PHP session handler ignores session.use_strict_mode
overview of the problem
session.use_strict_mode prevents the user agent from setting its own key value for its session. However, when using the Redis session handler this setting is currently being ignored. Unfortunately this prevents a PHP application using the Redis session handler from protecting against session fixation attacks.
steps to reproduce
- add these settings to your php.ini:
; assumes you have the php-redis extension installed
session.save_handler = redis
; assumes you have a redis daemon running on localhost
session.save_path = "tcp://localhost:6379"
session.use_strict_mode = 1
- create and serve this simple script (the built-in PHP server will do)
<?php
session_start();
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits'] = 0;
}
$_SESSION['visits']++;
// this helps to confirm that the session.use_strict_mode setting is turned On
phpinfo();
echo "You have visited us {$_SESSION['visits']} times\n";
- poke the server with curl or a similar utility. Here I use HTTPie:
1ma@werkbox:~$ http -v 127.0.0.1 Cookie:PHPSESSID=madeupkey
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=madeupkey
Host: 127.0.0.1
User-Agent: HTTPie/0.9.6

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Host: 127.0.0.1
Pragma: no-cache

<!-- phpinfo(); output snipped out -->
You have visited us 1 times
- Confirm that the client-defined key has been created:
1ma@werkbox:~$ redis-cli
127.0.0.1:6379> keys *
1) "PHPREDIS_SESSION:madeupkey"
This has been tested against PHP 7.0.13, redis-server 3.2.5 and php-redis 3.0.0.
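For comparison, here is an added example (not the reporter's script and not php-redis code) of a minimal file-backed handler that does honour session.use_strict_mode. PHP only enforces strict mode for a custom handler when it implements SessionUpdateTimestampHandlerInterface::validateId(); the class name, the temp-dir save path and the visit counter are my own assumptions, and the final check mirrors the HTTPie step above so you can see the made-up cookie value being refused.

```php
<?php
// Added example, not code from the report or from php-redis: a minimal
// file-backed session handler that honours session.use_strict_mode.
// PHP applies strict mode to a custom handler only when the handler
// implements SessionUpdateTimestampHandlerInterface::validateId(); a handler
// without it adopts whatever id the client sends, which is the behaviour
// the report describes for the Redis handler.
class StrictFileHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private $dir;

    public function open($savePath, $sessionName) { $this->dir = $savePath; return is_dir($savePath); }
    public function close() { return true; }

    // Session ids are restricted to the characters PHP itself generates.
    private function path($id) { return $this->dir . '/sess_' . preg_replace('/[^A-Za-z0-9,-]/', '', $id); }

    public function read($id) { $f = $this->path($id); return is_file($f) ? (string) file_get_contents($f) : ''; }
    public function write($id, $data) { return file_put_contents($this->path($id), $data) !== false; }
    public function destroy($id) { $f = $this->path($id); return !is_file($f) || unlink($f); }
    public function gc($maxlifetime) {
        foreach (glob($this->dir . '/sess_*') as $f) {
            if (filemtime($f) + $maxlifetime < time()) { unlink($f); }
        }
        return true;
    }

    // Strict-mode hook: an id is valid only if the store already knows it.
    // When this returns false PHP discards the client-supplied id and issues
    // a fresh one, so "PHPSESSID=madeupkey" never becomes a real session.
    public function validateId($id) { return is_file($this->path($id)); }
    public function updateTimestamp($id, $data) { return touch($this->path($id)); }
}

ini_set('session.use_strict_mode', '1');
session_save_path(sys_get_temp_dir());          // assumption: writable temp dir
session_set_save_handler(new StrictFileHandler(), true);
session_start();

if (!isset($_SESSION['visits'])) { $_SESSION['visits'] = 0; }
$_SESSION['visits']++;

// Same check as the report's HTTPie step: a made-up cookie value must not
// become the session id. If it does, the handler is ignoring strict mode.
$sent = isset($_COOKIE[session_name()]) ? $_COOKIE[session_name()] : null;
if ($sent !== null && $sent !== session_id()) {
    echo "Rejected client-supplied id {$sent}; using " . session_id() . "\n";
}
echo "You have visited us {$_SESSION['visits']} times\n";
```

Serve it with the built-in server and repeat the `http -v 127.0.0.1 Cookie:PHPSESSID=madeupkey` request: the response carries a Set-Cookie with a freshly generated id and no `sess_madeupkey` file is created, which is the outcome strict mode should produce for the Redis handler as well.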