FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum » How To » Session Id in URL and Cookies
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
icon5.gif  Session Id in URL and Cookies [message #15684] Wed, 31 December 2003 13:20 Go to next message
wfjmueller is currently offline  wfjmueller   Germany
Messages: 95
Registered: December 2003
Location: Darmstadt, Germany
Karma: 0
Member
I see that FUDforum uses two mechanisms in parallel to define a session: Cookies and a session-id embedded in the URL (the &SQ=... part).

Now it sometimes happens that I want to communicate a topic or posting to somebody, either by email or by embedding a kink into a WebPage. So far, I have always edited out the Session-Id part of the URL in those cases.

I wonder about several things:
  • Why are both mechanisms used in parallel, aren't they redundant ?
  • Is there a security risk by communicating a URL to a posting with the session-id included (can happen by accident..) ?
  • The notification emails contain URL of a posting with different structure. Is there a direct way to obtain these URL of a posting (so that these URLs can be used for example in external WebPages pointing to a posting).
Re: Session Id in URL and Cookies [message #15690 is a reply to message #15684] Wed, 31 December 2003 19:32 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
You can disable URL sessions, they are mostly there for people who's browsers reject or do not support cookies.

There is no risk by posting a URL with a session as part of it, the only 'problem' is that it makes the URL unnecessarily long.

The URL sent via e-mail use rview redirect that allows the topic/message to be displayed in the format based on the recepient preferences (flat or threaded).

In most cases you can simply replace the t=msg/tree with t=rview.


FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15704 is a reply to message #15690] Fri, 02 January 2004 12:49 Go to previous messageGo to next message
wfjmueller is currently offline  wfjmueller   Germany
Messages: 95
Registered: December 2003
Location: Darmstadt, Germany
Karma: 0
Member
Ilia wrote on Wed, 31 December 2003 20:32

You can disable URL sessions, they are mostly there for people who's browsers reject or do not support cookies.



Great, but how ? The login dialog under 2.5.2 had a "Use cookie" checkbox, but under 2.6.0 I don't see it anymore. Also, when I login to a 2.5.2 forum, with "Use cookie" enabled, I still get a "S=...." appended to all URL's. I checked that cookies where enabled and working, even that the cookie held the current session id string.
Re: Session Id in URL and Cookies [message #15706 is a reply to message #15690] Fri, 02 January 2004 13:02 Go to previous messageGo to next message
wfjmueller is currently offline  wfjmueller   Germany
Messages: 95
Registered: December 2003
Location: Darmstadt, Germany
Karma: 0
Member
Well, it turns out, that under 2.5.2 I always seem to get an URL with "S=###", where ### is the session ID as stored also in the cookie.

Under 2.6.0 I always get an URL with "SQ=###", where ### is also an obviously unique string, but different from the session id stored in the cookie.
Re: Session Id in URL and Cookies [message #15714 is a reply to message #15706] Fri, 02 January 2004 15:57 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
S != SQ. SQ string cannot be disabled and will always be part of the URL. Passing of the sessions via URL can be disabled via the admin control panel. Look @ the sessions section.

FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15804 is a reply to message #15714] Mon, 05 January 2004 15:50 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
While we're on this topic, I'd like an option for the reverse: to completely disable cookies. I intend to use FUD on a college campus, with no anonymous users.

The problem with cookies arises when people go to public computer rooms (labs). If they forget to completely quit their browser when walking away, the next person to use the machine automatically gets logged-in with the old person's account.

Yes, I realize that using session IDs exclusively does still let malicious users go into the browser's history to get back into the account of anyone who hasn't fully logged-out of a session that hasn't expired yet, but there's a difference here between intentional misuse (scanning the history) and default behavior (automatic login with cookies active).

One of the reasons I chose FUD in the first place was that it did not require cookies, so if I could turn them off completely, I think it would go a long way toward solving a big problem.
Re: Session Id in URL and Cookies [message #15806 is a reply to message #15804] Mon, 05 January 2004 15:56 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
In 2.6.0 you can make cookies expire just as quickly as URL sessions by enabling "Use Session Cookies".

FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15810 is a reply to message #15806] Mon, 05 January 2004 16:26 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
Yes, but that still doesn't solve the problem. If I use the forum and walk away without logging-out, the next person to use the machine will be automatically logged-in as me, as long as they do so before the expiration time.

The problem here isn't so much one of security; it's always the individual's fault for not logging-out correctly. The problem is the automatic login that happens when a careless user leaves things this way. I can foresee cases where the second user starts posting things to the forum without even realizing they are logged-in as someone else.

By the way, you might want to note in the admin CP screen that the cookie timeout setting is meaningless if session cookies are being used.
Re: Session Id in URL and Cookies [message #15819 is a reply to message #15810] Mon, 05 January 2004 18:33 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
That's true, however the same is true for URL sessions to a smaller extent. If you leave the computer on a forum page and within a few minutes another user uses that terminal they'll be able to use the forum as the user who didn't logout.

FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15825 is a reply to message #15819] Tue, 06 January 2004 01:04 Go to previous messageGo to next message
mocara is currently offline  mocara   United Kingdom
Messages: 157
Registered: January 2004
Karma: 0
Senior Member
Can I suggest reading Ilia's article in the latest issue of PHP magazine? Wink

Surely the timeout can be kept as low as a person is reasonably likely to read the forum without clicking on a link? 2 minutes? This way a person would have to be mighty quick at jumping in when a user leaves. Picking up a bag and coat and moving away could well be two minutes after the last click.

It's all really about balances.

Regards.
Re: Session Id in URL and Cookies [message #15826 is a reply to message #15825] Tue, 06 January 2004 01:09 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
The real solution here is user awareness. Users should always remember to logout and if they can't be bothered to do so, at least when they login, leave the "use cookies" checkbox unchecked.

FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15845 is a reply to message #15825] Tue, 06 January 2004 15:02 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
Ilia wrote on Mon, 05 January 2004 13:33

That's true, however the same is true for URL sessions to a smaller extent. If you leave the computer on a forum page and within a few minutes another user uses that terminal they'll be able to use the forum as the user who didn't logout.

Yes, I realize that. However, as I said, the difference is that in order to become the previous user when only URL-based IDs are used, I have to intentionally go back in the browser's history.

But when cookies are used, as soon as I hit the forum's homepage, I become the previous user.

That's an important distinction, IMHO.

mocara wrote on Mon, 05 January 2004 20:04

Surely the timeout can be kept as low as a person is reasonably likely to read the forum without clicking on a link? 2 minutes?

This doesn't work, because people often take more than 2 minutes to write a reply (like this one). I can recall using another board with this timeout set too low, and being frustrated when I hit the submit button, only to be told my session had timed out.
Re: Session Id in URL and Cookies [message #15847 is a reply to message #15826] Tue, 06 January 2004 15:19 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
Ilia wrote on Mon, 05 January 2004 20:09

The real solution here is user awareness. Users should always remember to logout and if they can't be bothered to do so, at least when they login, leave the "use cookies" checkbox unchecked.

Just what does this checkbox do? I removed it from the quicklogin form in my version of the template, and FUD still sets the cookie, and still automatically logs me in when I return to the home page. (I made sure to delete the old cookie before doing this test.)
Re: Session Id in URL and Cookies [message #15850 is a reply to message #15845] Tue, 06 January 2004 16:23 Go to previous messageGo to next message
mocara is currently offline  mocara   United Kingdom
Messages: 157
Registered: January 2004
Karma: 0
Senior Member
Gribnif wrote on Tue, 06 January 2004 10:02

I can recall using another board with this timeout set too low, and being frustrated when I hit the submit button, only to be told my session had timed out.


Good point, I must remember this on my board. Smile
Re: Session Id in URL and Cookies [message #15856 is a reply to message #15847] Wed, 07 January 2004 03:11 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Gribnif wrote on Tue, 06 January 2004 10:19

Ilia wrote on Mon, 05 January 2004 20:09

The real solution here is user awareness. Users should always remember to logout and if they can't be bothered to do so, at least when they login, leave the "use cookies" checkbox unchecked.

Just what does this checkbox do? I removed it from the quicklogin form in my version of the template, and FUD still sets the cookie, and still automatically logs me in when I return to the home page. (I made sure to delete the old cookie before doing this test.)


If you removed the checkbox and you allow URL sessions that should prevent usage of cookies for session tracking.


FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15864 is a reply to message #15856] Wed, 07 January 2004 15:58 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
Ilia wrote on Tue, 06 January 2004 22:11

If you removed the checkbox and you allow URL sessions that should prevent usage of cookies for session tracking.

That's my point, it doesn't. I have URL sessions turned on, and the Cookies checkbox is removed, but FUD still sets the cookie, and still does the automatic login. I think there is something wrong in the code, somewhere.
Re: Session Id in URL and Cookies [message #15891 is a reply to message #15864] Thu, 08 January 2004 17:59 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
The cookie is 'set', but is not used. As soon as the browser is closed that cookie will be removed. Since if cookies are disabled the cookie date will be set in the past, meaning it'll expire instantly on browser closure.

FUDforum Core Developer
Re: Session Id in URL and Cookies [message #15896 is a reply to message #15891] Thu, 08 January 2004 19:10 Go to previous messageGo to next message
Gribnif is currently offline  Gribnif   United States
Messages: 82
Registered: December 2003
Karma: 0
Member
Once again, I'm trying to minimize the effects of users who leave their browser open in a lab setting. The way it is right now, even if they don't check "use cookies", and they walk away from the computer without logging-off or closing the browser, the next person to use the forum gets automatically logged-in as the previous user.

In my opinion, this option should do what it says: not set a cookie at all. It's fine with me if you want to remove any existing cookie, but when this option is is checked, there should be no new session cookie sent to the browser whatsoever. There needs to be some way to completely prevent the possibility of an automatic login.
Re: Session Id in URL and Cookies [message #15897 is a reply to message #15896] Thu, 08 January 2004 19:14 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
The cookie is set BEFORE the user even logs in. And it cannot be destroyed until the browser closes. I cannot destroy it not because I don't want to, but because there is no way for me to do it.

The cookie's contents are empty, so it's presense is not an issue.


FUDforum Core Developer
Re: Session Id in URL and Cookies [message #17314 is a reply to message #15714] Wed, 24 March 2004 15:36 Go to previous messageGo to next message
spyder is currently offline  spyder   Germany
Messages: 5
Registered: March 2004
Karma: 0
Junior Member
Quote:

SQ string cannot be disabled and will always be part of the URL. Passing of the sessions via URL can be disabled via the admin control panel. Look @ the sessions section.


It looks to me as if the SQ string doesn't serve an obvious purpose. I tested several of the URLs without it, still everything fine. To please users and search engines (I use PATH_INFO style URLs) I would like to get rid of the SQ string.

Can this be done? And if yes, how can I do it?

Finally I'm going to get rid of index.php by means of mod-rewrite throught .htaccess, so I'm ending up with a URL like

http://my.domain/forum/f/1/2/

Any objections?

Thank you in advance

[Updated on: Wed, 24 March 2004 15:38]

Report message to a moderator

Re: Session Id in URL and Cookies [message #17319 is a reply to message #17314] Thu, 25 March 2004 16:01 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
SQ is a very important internal mechanism that performs session security. Removing will create problems.

FUDforum Core Developer
Re: Session Id in URL and Cookies [message #17330 is a reply to message #15684] Fri, 26 March 2004 03:09 Go to previous messageGo to next message
spyder is currently offline  spyder   Germany
Messages: 5
Registered: March 2004
Karma: 0
Junior Member
Quote:

SQ is a very important internal mechanism that performs session security. Removing will create problems.


What kind of problems? And how can I overcome them?

Nice URLs is one of the most importent features for me. I'm willing to tweak a great deal to remove everything that looks like a session. If I cannot solve this point, the software will probably render useless to me, because it will turn away search engines like google.

Why can't the session information be transported through cookies? My users are used to the fact, that logging into my forum is possible only with javascript and cookies allowed. I could cut off the SQ value from every link on a page after rendering its html and store it as a cookie, and I might read it from the cookies and instill it into the URL by means of mod_rewrite.

I'm just curious what I have to care for?

Is the SQ value changing throughout a session, and if so, when will this happen?

[Updated on: Fri, 26 March 2004 03:12]

Report message to a moderator

Re: Session Id in URL and Cookies [message #17348 is a reply to message #17330] Fri, 26 March 2004 19:39 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
It happens on every post request and every 5 minutes without post request. SQ is a security mechanism that ensures that the session was not compromised.
@ Ilia [message #17386 is a reply to message #15684] Sun, 28 March 2004 01:23 Go to previous messageGo to next message
spyder is currently offline  spyder   Germany
Messages: 5
Registered: March 2004
Karma: 0
Junior Member
I understand, that SQ is important for session security. But unfortunately it also compromises my search engine ranking. What kind of session compromise could happen without SQ? I have not seen any other forum software yet with this kind of double security.

If the SQ is the same on every link on a given page, then it could also be passed to the browser as a cookie. Furthermore, the browser would give it back to the server with the next request. I'm willing to write this patch myself, I just would like to know, whether there is any gross misunderstanding on my side.

Thank you for your time and...

btw: this piece of software seems to rock.

[Updated on: Sun, 28 March 2004 01:23]

Report message to a moderator

Re: @ Ilia [message #17388 is a reply to message #17386] Mon, 29 March 2004 00:27 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
The type of security SQ provides is CRITICAL to ensure session security. I won't go into the actual details of the problem, because the description of the problem would pretty much explain how to penetrate majority of the software running on the web.
Re: @ Ilia [message #17523 is a reply to message #17388] Thu, 01 April 2004 22:38 Go to previous messageGo to next message
Wild_Cat is currently offline  Wild_Cat   Ukraine
Messages: 144
Registered: November 2002
Location: Odessa, Ukraine
Karma: 0
Senior Member
The Question is: majority of all software of this kind or just your software? Because if it's only yours, is it not more normal to eliminate the original problem?

I also plan to strip this thing, although I already understood that search engines are always anonymous users so they don't get the SQ string, but registered users won't be able to give normal urls/ I do plan to give the link to the message as we discussed before through rview and still not everbody studies all existing buttons in a forum. The URL does look ugly. Is this permanent decision or is it possible that one day another resolution will be made and the SQ could be replaced by something else?


Lady of Avalon
Re: @ Ilia [message #17524 is a reply to message #17523] Thu, 01 April 2004 22:43 Go to previous message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
No it's majority of software in general. Virtually every major PHP package I am familiar with has this vulnerability.
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Actions List.
Next Topic: editing FAQs via the web interface
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 22:25:33 GMT 2024

Total time taken to generate the page: 0.04519 seconds