Lately I have seen this in my error log (1 per day, and I have 40k visitors per day):
[22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /var/my_files/class.session.php on line 67
[22-Sep-2009 21:13:52] PHP Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
[22-Sep-2009 21:13:52] PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0
This is not a config issue because it is working for everybody.
I already modified php.ini to have this:
session.use_only_cookies = 1
session.use_trans_sid = 0
I suspect a session hijacking or a kind of attack I am not aware of (I am parano ;) ).
Do you have any idea what it could be? What can I do to improve the security and avoid this?
The most common method of session hijacking is called IP spoofing, when an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network and disguise itself as one of the authenticated users.
There are two types of session hijacking depending on how they are done. If the attacker directly gets involved with the target, it is called active hijacking, and if an attacker just passively monitors the traffic, it is passive hijacking.
Session hijackers typically target cross-site scripting vulnerabilities when orchestrating a session takeover. While doing so, hackers inject client-side scripts that capture session tokens.
Generally, web application session hijacking involves the criminal stealing the target's session ID or their session cookie by sending out phishing emails/links to the victim. Once the victim logs in using this link, the criminal is in and will be able to read or change the information transmitted.
What is probably done here is that this client has changed the PHPSESSID cookie's content. Normally the SessionID is something like "62bf75fb02922cf9c83fb3521255b4ab" (hexadecimal)
However, the user might have modified the cookie using some tools. This causes no harm to your website and server because this modification is done client side and by doing so it does not affect the server (except generating those errors). What you can do is that when you receive such error, you change the session ID and replace the one that is on the client.
See solution:
$ok = @session_start();
if(!$ok){
session_regenerate_id(true); // replace the Session ID
session_start(); // restart the session (since previous start failed)
}
Remember, you can't replace or write a file onto the server via PHP session cookie. It is only when a session is successfully started, PHP writes a Session file about the current session and stores it to the tmp folder. Once the file becomes old, the file is deleted.
This is most likely caused by spambots. I see a lot of spambots being sent a session ID as a GET parameter, which they then try to use for SMTP injection or to send email. I'll try to find proof somewhere from my logs but I know it's happened to me on at least a dozen sites. When I saw it, the GET vars looked like: [email protected]\n\subject:blah blah blah\n\nspam email here etc...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With