Monday, November 20, 2006

Multiple Tabs and Windows with session_regenerate_id()

I was asked a week ago to improve the security of the login system used for one of the sites I manage. Prior to being asked, the data displayed on the site was not of a sensitive nature, but a recent project I have been working on requires a little more security.

I decided to do two things:
  1. I added a JavaScript function to MD5-hash strings. Within the login form a random string is placed in a hidden field. This is stored in the server-side session. Upon pressing the submit button this is concatenated to the password and the entire string is MD5 hashed.
    • This first ensures the password is not sent in plain text across an unsecured connection.
    • Second, it ensures that an intercepted MD5 string cannot be used again to log on, as it is generated from the password and the random string fixed to the user's session.
  2. Additionally, I decided to use session_regenerate_id() with every single request. This would mean the session ID is only ever good for one request. Upon changing the session ID, the old session was of course deleted.
The first change worked fine and for those who don't have JavaScript enabled, the unencrypted password and login string are used. However, a couple of days after sending out the update for the site I started getting complaints from some users that they had to keep logging on.

Upon viewing the logs, it was clear that some users were having to log on several times during their session. I did some investigation and came up with the following cause.
  • It was clear from the logs that the cookie being sent contained the old session ID that had not been updated on the user's PC after the call to session_regenerate_id().
  • As the old session had been deleted it appeared as if the user had attempted to request the service without even starting a session and logging on.
  • The previous valid request was at exactly the same time or less than 2 seconds before the failed request.
After servicing a request, I have set the application up to dispatch the request to another script (designed only to display the result) via an HTTP redirect using the Location header. I concluded that the redirect was taking place before the web browser had a chance to update the cookie and as such sent the old session ID.

The reason for this? Being unable to replicate the error on my system, I concluded that the user's PC was not fast enough to update the cookie before redirecting. Therefore I modified the application to ensure that session_regenerate_id() is only used on a request that has not been redirected. I sent the update and hoped this would fix the problem.

Today however, I checked the logs and it was clear that a number of users were still experiencing the same problem despite the modification. I needed to revisit the problem!!

I trawled the logs again and after some time noticed the previous request was within a second of the failed request again. How was this possible? How can one person make two requests in such quick succession? After some thought it came to me: it is just possible that the user has multiple windows/tabs open on their desktop. They are typing in the data (in this case a single order number) and clicking the submit button in each window, one after the other. So, I opened a few windows in Firefox, entered a few order numbers, then clicked the submit button in each window at a modest speed. Unsurprisingly, this replicated the error and is the most likely cause of the problem the users are experiencing.

I have temporarily disabled the call to session_regenerate_id() while I come up with a solution. It demonstrates once again the varying ways in which your users will use your application and how crucial the logs were (in this scenario) to solving the problem. An example of which is posted below:

Mon, 20 Nov 2006 08:04:38 +0000 123.123.123.123 /ordersearch_display.php
User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Get Variables: Array()
Post Variables: Array()
Cookies: Array( [sid] => 5442a47367571d58101184c1c71df2c4)
User Authenticated: USERNAME
Module: ordersearch loaded.
Module: ordersearch executed for output.
Regenerating Session ID old=5442a47367571d58101184c1c71df2c4 new=5e507a0b72f3dc47501f60316721e48
--------------------------------------------------------
Mon, 20 Nov 2006 08:04:40 +0000 123.123.123.123 /ordersearch_input.php
User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Get Variables: Array()
Post Variables: Array( [order] => Array ( [ordernr] => 12345 [ord_seq] => ) [submit] => Retrieve Order Data)
Cookies: Array( [sid] => 5442a47367571d58101184c1c71df2c4)
User Not Authenticated
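One way to keep per-request regeneration while tolerating the two-tab race shown in the log above is to leave a short-lived forwarding pointer in the superseded session rather than deleting it outright. This is an added example, not the site's own code; it assumes PHP 7.1 or later (for session_create_id()) and a standard session handler.

```php
<?php
// Added example: per-request session ID regeneration with a short grace period.
// A request that still carries the previous ID (e.g. a second browser tab
// submitted at almost the same moment) is moved to the replacement session
// instead of being treated as unauthenticated. Assumes PHP >= 7.1.

const SID_GRACE_SECONDS = 10; // how long a superseded ID is still honoured

function start_session(): void
{
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server never issued
    session_start();

    if (isset($_SESSION['superseded_by'], $_SESSION['superseded_at'])) {
        if (time() - $_SESSION['superseded_at'] <= SID_GRACE_SECONDS) {
            // Inside the grace window: follow the pointer to the live session.
            $new_id = $_SESSION['superseded_by'];
            session_commit();
            session_id($new_id);
            session_start();
            return;
        }
        // An old ID presented long after regeneration is stale (or replayed):
        // discard it and continue with a fresh, unauthenticated session.
        session_unset();
        session_destroy();
        session_start();
    }
}

function regenerate_session_with_grace(): void
{
    $new_id = session_create_id();

    // The old session keeps only a pointer and a timestamp, never the data,
    // so a captured old ID yields nothing once the window has passed.
    $data = $_SESSION;
    $_SESSION = ['superseded_by' => $new_id, 'superseded_at' => time()];
    session_commit();

    // Adopt the freshly created ID (strict mode must be off to accept an ID
    // that does not exist in storage yet) and copy the data across.
    ini_set('session.use_strict_mode', '0');
    session_id($new_id);
    session_start();
    ini_set('session.use_strict_mode', '1');
    $_SESSION = $data;
}

// Typical use at the top of every request:
start_session();
// ... authenticate and service the request using $_SESSION ...
regenerate_session_with_grace();
```

The window should be as short as the slowest realistic tab-to-tab submit, since during it the old ID still resolves to the user's session.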

Friday, November 03, 2006

A Piece of Information I'd like to have!!

I have my own home server which runs on the Linux Operating System. I use it to store the music and documents for the whole family as well as host a web, FTP and SSH server and act as a development platform for my web applications.

While I have put the time and effort into ensuring the server is as secure as possible, I am all too aware that there could be, and probably are, security holes and vulnerabilities exposed by services that could be exploited by an attacker. I would like to know how many times (if any) my server has been compromised and by whom.

If I were to have this information, I would first find the vulnerability or hole the perpetrator used to gain access and secure it to ensure it is not exploited again. Secondly I would seek to learn some of the skills the perpetrator employed in order to gain access and use this knowledge to foresee other possible holes and vulnerabilities in my setup and configuration.

What would you do?

Tuesday, May 02, 2006

Questioning the Ethics of Social Networks

A few months back I finally gave in to the thousands of invites I get from friends who have joined these networks. I have both a Friendster and Hi5 account.

What are these networks?
Drawing a comparison to the real world, social networks are similar to large gatherings of friends past and present. Each individual invites his or her circle of friends and their friends invite their circle of friends and so on. As you can imagine, these networks quickly grow as more people invite more of their friends.

My hi5 network for example has 14 friends; 5 or 6 of whom I speak to on a regular basis. My "extended network" however, consists of 473 people. When I visit my hi5 home page pictures of some of those in my network are displayed. Unsurprisingly it shows members of the opposite gender who are around my age. The idea behind these social networks is great, however it seems that some sites use our social nature to exploit us.

The problem!!

So what is the problem with these social networks? These sites provide you with an interface which allows you to communicate, chat and share pictures with other people, all for free. Free is never without a capital F however. In order to make money, the social network sites may offer premium services, or advertise. The more members they have, the more popular their site becomes and, the more popular their site, the more money they can make.

In recent months I have had growing suspicions in relation to these social network sites regarding their use of personal data held on their members. I first became suspicious when a friend told me that the invite supposedly sent from her had not actually been sent by her. In fact, she had never visited the site before. Not long after, another friend told me she had been infected by a virus which sent email supposedly from her containing a link to a video. The email had been sent to everyone in her Hotmail address book, which she only ever logs into via a web browser. The actual PC showed no evidence of having been infected by a virus. So I came to the conclusion that this is some kind of Internet-based worm, which logs onto your Hotmail account and sends out emails to everyone in your address book.

I therefore decided to do a little investigation. I clicked the link in my friend's email and signed up to ringo.com using a bogus Hotmail address. It was after entering a few of my details that I discovered what I believe to be the root of the problem. Ringo asked for my Hotmail password. After supplying it, it logged onto my account on my behalf and obtained a list of email addresses from my address book, giving me the option of sending one or more of them an email invite. This rang alarm bells straight away. What does Ringo do with my password? Why ask for your Hotmail login when Hotmail actively discourages giving out your password and provides facilities that enable you to export your address book to a file on your PC?

Sites Like Ringo want your Hotmail password.

My next stop was Ringo’s privacy policy. I delved through it to find out exactly what they do with the data you give them. Of striking pertinence was this comment:
Do you send unsolicited emails or direct mail?
Ringo absolutely, positively does not use the emails or postal addresses it collects as a source for unsolicited emails or unsolicited postal mail.


Alas, maybe not. But upon reading further I found this:
Ringo may develop special sites in cooperation with other companies. If you register at these "co-branded" sites, we share your registration information (such as name and email address) with that company.


A contradiction? No. Ringo are simply saying that they may pass the details you give them onto other “co-branded” sites. Unfortunately they do not mention whether these “co-branded” sites must adhere to the guidelines in their privacy policy and more worryingly they do not say exactly what information they will share with them and what these sites do with it.

While Ringo do not condone spamming and would “never” send unsolicited email to you or on your behalf, how does one know what their co-branded sites do with information such as the contacts in your address book and your Hotmail password?

Sites like passport.com (the authentication engine behind Hotmail’s login) have very strict guidelines on the handling of personal data. Looking at their privacy policy we see the following:
Except as described in this statement, we will not disclose your personal information outside Microsoft and its controlled subsidiaries and affiliates without your consent. Some Microsoft sites allow you to choose to share your personal information with selected Microsoft partners so that they can contact you about their products, services or offers. Other sites, such as MSN, do not share your contact information with third parties for marketing purposes, but instead may give you a choice as to whether you wish to receive communications from Microsoft on behalf of external business partners about a partner's particular offering (without transferring your personal information to the third party). See the Communication Preferences section below for more information.

Some Microsoft services may be co-branded and offered in conjunction with another company. If you register for or use such services, both Microsoft and the other company may receive information collected in conjunction with the co-branded services.

We occasionally hire other companies to provide limited services on our behalf, such as handling the processing and delivery of mailouts, providing customer support, hosting Web sites, processing transactions, or performing statistical analysis of our services. Those companies will be permitted to obtain only the personal information they need to deliver the service. They are required to maintain the confidentiality of the information and are prohibited from using it for any other purpose.

Put that in two short sentences. Microsoft will “ask” you if you wish to share your personal information with their partners. They also say that external companies may be given certain information, but in the event that they are, they must conform to Microsoft's guidelines.

It is not my place to say whether or not Ringo are acting immorally here, I leave that for those who are reading this blog to decide. What I will say is that they are treading on very thin ice with regard to their use of their members’ data and are almost certainly in violation of passport.com’s conditions of use in asking for their members’ hotmail password.

In conclusion, it is without a doubt that some of these social network services are misusing the data their members are giving them. They are using this data “hotmail passwords” in particular to login to accounts and send mail shots on behalf of the unsuspecting users. These passwords are obtained through a simple social engineering concept: the implicit trust an individual gives a site due to a personal invitation received from a friend. The irony is, this friend may never have sent the invite in the first place.

My advice to anyone who is reading is: DO NOT give out your Hotmail password, or any password relating to another site or service, to a third party. This includes e-messenger services too. If you have already given it out then change it immediately.

Below are a couple of the sites I have been pointed to when receiving invites from friends who did not send them. Sign up to them at your own risk.

www.ringo.com
www.sms.ac

Wednesday, March 29, 2006

Bad code!!!

There is a disease which has spread among us. Its victims are gullible, misinformed and vulnerable. Once it has struck the consequences can be disastrous. Like any other disease, it is spread by those who are careless and those who have caught it themselves. The net positively stinks of it, seeping from every corner, page after page, just waiting to hitch a ride on another unsuspecting developer. What am I talking about? BAD CODE!!!!!

In my short outing on this earth I have seen the web go from a playground for script kiddies to a huge commercial entity. Anyone who doesn't use it is considered strange. A company that doesn't have a web site does not exist and a home without an Internet-ready PC is like a relic from the stone age. With this has come a new type of programmer. These are not hobbyists for whom it is a way of life; they are individuals, often with other job titles, trying to solve a specific problem as quickly as possible. These people often do not have the patience and problem-solving ability of those who want to program, so rely heavily on search engines and forums to find the solutions to their problems. The thing is, if you are doing something you do not like, you want to get shot of it as quickly as possible: if it works, paste it into your app and forget about it.

So, where does the problem come from? Let us approach from a different angle. There is a game called Chinese whispers. The object of the game is to whisper a message across a chain of several people; the irony is that by the time the message has come to the end of the chain it bears no resemblance to the original. This, in my opinion, is exactly where the problem lies.

You post a question on the forum asking how to solve a specific problem. "Mr 100 Posts Per Day" consults his 4GB library of samples, posts his response, hence solving the problem. But does this actually solve the problem? "Mr 100 Posts Per Day" rips his sample library from other posts and samples off the Internet and other forums; he doesn't know or care how the samples work, nor if they are the most secure, efficient and tidy way of solving the problem; but nor does the person asking the question (he has his code remember). OK, this is an extreme example, only a handful of "Mr 100 Posts Per Day" exist.

But there are a huge number of developers out there who are happy to post code snippets with no explanation, no regard for best practice and who pay no attention to security, and there are an even higher number who are willing to accept them for free. The result is that the "new to programming" programmer, who is interested in programming and does want to learn, is being weaned on a mess of sloppy, insecure, inefficient code. Worse, these "new to programming" people will no doubt learn quickly and want to spread their knowledge; they write tutorials, post samples on forums and blog.

The web is now a Pandora's box if you are new to programming, because the majority of code out there is not even fit for the recycle bin; in fact the hard disks that house this code should be put in a skip and nuked.

So where do the professional and expert programmers fit in? We have a huge responsibility to ensure that none of this code makes it past our eyes without us preaching/shouting the proper way and fixing it. Being a regular forum poster, I often find myself repeating in an endless loop; "do not use echo to output all your HTML", "do not execute queries without checking for errors", "sanitize variables", "indent code", "don't use tables for presentation" ... The list goes on. But I cannot stress more the importance of this, especially with languages such as Perl and PHP which provide a huge amount of flexibility but at the same time leave a lot of room for dreadful coding.

The coding community needs to wake up ... They need to realise that giving samples which are knocked up in 5 minutes with no explanation is creating a generation of bad coders who get a terrible shock when they need to rewrite part of their application, clean up their company LAN after being attacked through an exploit, or just realise that all they have learnt in the past year is utter tosh.

Let us stand our ground and make the web a place of clean and secure code!!

Sunday, March 19, 2006

Very Useful PHP function - find out where output started!!

I have been programming with PHP for nearly three years and still I am discovering incredibly useful functions. One such that I found today was the headers_sent() function. This function returns a boolean value, indicating whether or not the HTTP headers have been sent and, more importantly, whether output for the body of the response has started.

It is useful to know this in web programming because once the HTTP headers have been sent to the user and the body of the response is being sent, no additional headers can be sent and attempting to do so will fail.

But this function does more than tell you whether the headers have been sent; it tells you where they were sent. By passing two arguments to the function it will also tell us the file and line number at which the headers were sent and the main body of the response was first output.

While debugging big applications which include code from several files, I often find myself hunting for a rogue echo or print_r statement that I was using to check data and program flow. With the headers_sent function, the offending statement can be found in seconds.

This is what I did. I edited my php.ini file to add a file to the end of all scripts using the auto_append_file directive. In this file I put three lines of code:


    <?php
    // Appended to every script via auto_append_file; reports where output began.
    if (headers_sent($file, $line)) {
        echo("<p><b>Output started by {$file} on line {$line}</b></p>");
    }

Simple, elegant and extremely useful.
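The same check is also worth making before a Location redirect like the one in the order-search application above: a stray echo earlier in the request silently turns the redirect into a blank page. This is an added example rather than the post's own code; redirect_to() is a hypothetical helper and the local-path rule is an assumption about how the application links between its scripts.

```php
<?php
// Added example (not the post's own code): a redirect helper that uses
// headers_sent() to detect stray output before emitting a Location header.

function redirect_to(string $url): void
{
    // Accept only local paths ("/ordersearch_display.php"), never "//host" or
    // full URLs, so user-controlled input cannot turn this into an open redirect.
    if (!preg_match('#^/(?![/\\\\])#', $url)) {
        throw new InvalidArgumentException('redirect_to() expects a local path');
    }

    if (headers_sent($file, $line)) {
        // Too late for a Location header. Record exactly which file and line
        // started the output so the rogue echo/print_r can be removed ...
        error_log("redirect_to({$url}) failed: output already started in {$file} on line {$line}");

        // ... and fall back to a client-side redirect so the user still ends
        // up on the right page. htmlspecialchars() keeps the path from
        // breaking out of the attribute.
        $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        echo '<meta http-equiv="refresh" content="0;url=' . $safe . '">';
        exit;
    }

    // 303 tells the browser to fetch the display page with GET, which is the
    // right status for a post-then-redirect flow.
    header('Location: ' . $url, true, 303);
    exit;
}

// Example use after processing a form submission:
// redirect_to('/ordersearch_display.php');
```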

Saturday, March 18, 2006

Goto My PC for FREE!!!

I was originally going to post this here, but decided to put it on VBF as a tutorial doesn't really suit a blog.


Enjoy.

http://www.vbforums.com/showthread.php?t=393847 - Services like GotoMyPc allow you to access your computer securely from any location in the world via a web interface. But, at a price. In this case $17.95 per month. This in my opinion is a little bit costly as I have worked out how to do it for free.

Saturday, March 04, 2006

XML is Sexy

Over the past few weeks I have been delving into the applications of XML and I must say that I have been pleasantly surprised, not only by the level of support out there for XML but also by its versatility and simplicity. This is a technology that, for the most part, I have ignored until now; I fear that many other developers do the same unless forced to use it.

My latest article at PHP builder is going to be about XSL transformations. XSL (extensible stylesheet language), enables one to describe one type of XML in terms of another. Carrying out a transformation using the stylesheet effectively means that you can convert from RSS->XHTML, WML->XHTML, XHTML->WML, in fact you can convert any kind of XML to any other kind of XML.
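As an added example of the RSS->XHTML case (not from the article or the PHP Builder piece), here is a small XSL stylesheet applied with PHP's XSLTProcessor. The feed and stylesheet are constructed inline; the script-tag in the first item title is there to show that XSLT's default output escaping renders feed text as text, not markup.

```php
<?php
// Added example: transform an RSS 2.0 feed into an XHTML fragment with XSLT.
// Both documents are constructed inline so the script runs offline.

$rss = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Feed</title>
    <item>
      <title>First post &lt;script&gt;alert(1)&lt;/script&gt;</title>
      <link>http://example.invalid/1</link>
    </item>
    <item>
      <title>Second post</title>
      <link>http://example.invalid/2</link>
    </item>
  </channel>
</rss>
XML;

$xslt = <<<'XML'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns="http://www.w3.org/1999/xhtml">
  <xsl:output method="xml" omit-xml-declaration="yes" indent="yes"/>
  <xsl:template match="/rss/channel">
    <div class="feed">
      <h2><xsl:value-of select="title"/></h2>
      <ul>
        <xsl:for-each select="item">
          <!-- value-of and the {link} attribute template both escape
               < > & and quotes, so feed content cannot inject markup -->
          <li><a href="{link}"><xsl:value-of select="title"/></a></li>
        </xsl:for-each>
      </ul>
    </div>
  </xsl:template>
</xsl:stylesheet>
XML;

$doc = new DOMDocument();
$doc->loadXML($rss, LIBXML_NONET);   // never fetch external resources while parsing
$sheet = new DOMDocument();
$sheet->loadXML($xslt, LIBXML_NONET);

$proc = new XSLTProcessor();
$proc->importStylesheet($sheet);
echo $proc->transformToXml($doc);
```

Swapping the stylesheet for one that emits WML cards is all it takes to produce the WML output mentioned above from the same feed.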

Doing this research has also put a few more aspects of web development in perspective. Mainly XML's most popular application (XHTML) and its partners in crime, CSS and JavaScript. I see now the importance of separating these three technologies when designing web pages and ensuring that any CSS and JavaScript is included in separate files via links.

For XML the future looks bright; it has a lot of potential, some of which is already being milked (look at the Firefox web browser for example). As web technologies continue to merge with desktop applications and personal Internet connections continue to increase in speed, XML will be creeping in the background, enriching and revitalising our online experience.

Friday, February 03, 2006

The woes of OOP!!!!

Well, here I am again. I am still looking after the site at work. I have been asked to add a new facility to the site. The modifications required would, in my opinion, result in poorly maintainable code, so I have decided to rewrite the backend using OOP. This will enable me to update the backend database (this was not a requirement before) more easily.

Thinking in the OO way and trying to model things using OO is a lot easier said than done. In the real world modelling an OO system is a lot harder; I have become accustomed to converting real-world problems per se into procedural steps in computer speak. With OO, you need not convert, and instead need to try and think of the problem in terms of lots of small entities interacting. This has meant that in some cases where my procedural upbringing has kicked in, the code has become bitty. Not a problem when it is in the right place; finding the right place to implement a piece of functionality, however, isn't easy.

Slowly however, I am getting there. I have asked for some extra time to get the new feature up and running and convinced them that in the long term the site will be easier to maintain and update. I am confident that I will get my head around it and will be sure to post an update.

Sunday, January 22, 2006

Long Time No Post

It has been a while since I have dropped by here, a lot has been going on.

I have just started writing articles for PHP Builder and, provided my writing skills are up to the challenge, I think it could be quite successful. So far most of my communication with other people has been directly through threads at my main forum, www.vbforums.com. I have been, and am still, in the process of writing some tutorials to post there.

I find article writing a lot harder, however, as the audience is a lot broader. Not only are people who are new to the subject going to be reading them, but also those who are not so new, those who are browsing for a specific piece of information or answer, and those who are experts and looking to critique the work. A good article, in my opinion, should satisfy all of these, and this is what I am hoping to achieve in my articles.