
I noticed today that in my session files for a site, there are a few files with file names that are significantly smaller than the rest, example:

Standard Session File:

  sess_0020cc255681808f78c08b67cd88cbcea13f45ee7629754ed82ccb8b010cf83d2b353b7136847f2876d99f3297a5def5bcc62b433d6d56d7f1b301f82c833aad

(5 + 128 character file length)

Exceptional Session File:

  sess_629aca24e094f17d02b3d105ebe9e5d4

(5 + 32 character file length)

This site is very busy and has a lot of traffic (~22k visitors pcm); viewing the session folder, ~1% (actually 0.92%) of the files are these very short-named session files.

I have in the past read up a lot on sessions before implementing this site redesign last year (2015) and from that, currently have in my php.ini:

session.cookie_httponly=1
session.use_only_cookies=1
session.cookie_secure=1
session.entropy_file=/dev/urandom
session.hash_function=whirlpool
session.use_trans_sid=0
session.entropy_length=32

EDIT (additionals):

session.hash_bits_per_character = 4

session.sid_length is undefined (undefinable) as this build is using PHP 5.6.2

Which, as far as I know, should be generally fine. I have read very few other topics about how to ensure a minimum file length, although I have read various things about using session.entropy_length, but this doesn't seem to obviously apply to this issue.

The entropy_length value is the only one I'm not certain of its use and need.

My Questions

  • What causes 1% of sessions to be only 5 + 32 characters long?
  • How do I set it so that all sessions are the same length (5 + 128 chrs)

I realise the below question I can try and see, as it causes no harm, but if the above solution is the intended use for session.entropy_length, that would be useful to know. There seems to be little literature around about what entropy_length is actually -practically- for.

I think there can currently be a small potential issue with session name collision, and it looks frankly wrong how so many session files are so wonderfully long but a notable minority are relatively tiny.

Updates

From comments there are some details that it may be worth me summarising here:

  • The issue is not with my browser(!!)
  • This is using PHP Version 5.6.2
  • LAMP stack on a [single] WHM server.
  • If PHP-cli is run it could/would only be run by the server hosts, although I really doubt they're running it. I know them well and am a decent client so....
  • I have checked and confirmed that the website htaccess files are not making any changes to any aspect of PHP
  • The server runs with very few error logs (I have 14 errors from the last week, from 9k visits, errors all 404s from robot scrapers trying to hack into Wordpress [the site is not wordpress].)
  • PHP is run through suPHP (version unknown at present), I'm also looking at updating suphp but I doubt this would directly relate to this issue.
  • From Ryan Vincent's suggestion I will set up a notification when a shorter-than-128-chr session is made (and hopefully from which address)
  • The session file storage folder is defined in PHP.ini and so if an outside PHP.ini is used then I'd expect sessions to appear in other folders such as /temp.
  • No, entropy length has nothing to do with this. The part behind `sess_` in the file name is simply the session id, and `session.sid_length` is the setting that influences the length. // Sounds like either your session configuration might differ in parts of your application (set dynamically via ini_set or similar perhaps), or that you have another, independent second application running, that uses the same session temp dir. – CBroe Sep 26 '16 at 13:47
  • @CBroe that was my initial thought on it, that there was some place that was running on different settings but I can't find it, everything uses the same settings, but I'm digging deeper. My concern was that if there where certain situations/settings that caused `Whirlpool` to "short out" or some sort of similar effect for example if the session is started right on the dot of midnight (I've read some session PRNG uses microtime, although I don't think whirlpool does). – Martin Sep 26 '16 at 13:57
  • Is the app deployed on one or several servers? How is PHP run? Did you check for htaccess directives? Did you try to make a correlation between the time of creation of the session file and other events on the server, such as visitors, available entropy, access_log entries, error_log entries? – Aif Oct 06 '16 at 11:42
  • My money is on a different php application on the same server with different settings, and 1% of the number of hits. – Chris Lear Oct 06 '16 at 11:43
  • Possible use of php-cli, with a different php.ini – Luca Rainone Oct 06 '16 at 11:44
  • @chumkiu I have already had a look (re: comments above) and there is no different php.ini on the server. And the only usage of PHP cli on the server would be by the server hosts and I really doubt that. – Martin Oct 06 '16 at 11:54
  • @Aif PHP is run through suphp , it is hosted on a single server. I'm not sure I know what you mean re: htaccess, but I do keep a close eye on `htaccess` files. I have not yet tried timing correlations you mention but the error log entries are so few (compared to visitor count) I don't think it would be helpful (for instance, in the last 7 days there have been 2 sets of server error logs both 404s from robots crawling wordpress logins... (it's not a WP site) – Martin Oct 06 '16 at 11:58
  • @Martin my point with htaccess is: according to the documentation, `session.hash_function` can be changed by a htaccess directive: http://php.net/manual/en/session.configuration.php#ini.session.hash-function. That's why I suggested to have a look there. – Aif Oct 06 '16 at 12:03
  • @Aif ahhh, no, all `.htaccess` files deal with apache issues only, nothing PHP at all. – Martin Oct 06 '16 at 12:16
  • Yes, because suphp :) – Aif Oct 06 '16 at 12:17
  • just thoughts. I would intercept the session id after generation and check the length of it. Log all occasions where it is smaller than expected. Now, If there are none then those session files are being generated from somewhere else? If there are some then need to look at the session id generator? – Ryan Vincent Oct 06 '16 at 12:55
  • @RyanVincent that's a good idea, I'll dig into it. I'm increasingly thinking the cause is something very specific to my particular setup (i.e. the fix will not be obvious to Stack Overflow people) but I can't seem to pinpoint what it is. – Martin Oct 06 '16 at 12:59
  • @Aif annoying on WHM (that's what I use :-| ) I can't find the version of suphp that's installed, but I'm going to see if I can get it updated (good practise but I doubt it effects this issue). – Martin Oct 06 '16 at 13:00
  • @RyanVincent my session generation is just using the standard methods, in PHP 5.6.2 so I would have thought that this issue would be sidestepped, although this comment is worth noting for my session id length comparison check :-) – Martin Oct 06 '16 at 13:12
  • Have you looked inside the session files to determine if the 32 chr files contain the same type of information as the 128 chr ones? Is it possible that the "purpose" of the sessions is different (ie. admin area vs. visitor)? – BA_Webimax Oct 06 '16 at 13:13
  • @BA_Webimax good call, but I did look and they don't contain anything I wouldn't expect (most were empty). – Martin Oct 06 '16 at 13:16
  • Do the dates/times of the short session files tell you anything? For instance, they might all just be very old. Do old sessions get purged? – Chris Lear Oct 06 '16 at 13:29
  • I've tried generating >10000 session ids, using the settings given here. (I was using `session_regenerate_id` in a loop). I only ever got 128-char hashes. You can create your situation by using this php code: `session_id(md5("something"));` – Chris Lear Oct 06 '16 at 13:50

2 Answers


This will most likely be hackers/hack attempts if you have a site as popular as you describe. Hackers will be hitting the site quite regularly and using captured or (in this case) spoofed session IDs, and they will spoof in the normal 32-byte hex.

If you modify the cookie "PHPSESSID" to contain any text at all, PHP picks it up and creates a session with that ID, and a corresponding sess_[sessionId] file. From my testing (and you can try it yourself) PHP will use any length of ID and accept it and use it, regardless of the ini settings.

The good news is that if you do a session_id() then it will return the spoofed ID so you can then

  • deny
  • honey-pot, or
  • recreate with a valid session

BUT this won't stop the session file being created.

Alternatively create your own session handling system and avoid session_start(); then you can manually validate the session_id format before using.

  • This sounds very plausible to me, so worth an upvote even if it turns out to be wrong – Chris Lear Oct 07 '16 at 07:32
  • Thanks for the feedback, I was concerned that -from comments- it seemed the cause increasingly looks like an outside-the-box (ie, hackingz) issue. I'm positive with the discovery I mentioned in comments above that the 'short-name' sessions are all empty (or containing minimal, very bland data such as a page visit count or referring page names) – Martin Oct 07 '16 at 15:05
  • Looking into it today, there are also *NO* short session names, which makes me think that it could well have been a hack attempt type of thing and the bot / person has moved on to other sites, *possibly....* – Martin Oct 07 '16 at 15:06
  • This was a helpful answer, and I am now fairly sure these short sessions were spoofed sessions rather than those being generated by my own PHP scripts. – Martin Oct 12 '16 at 10:39
  • It would certainly be my first thought - checking the access logs of popular sites (or sites for popular companies) does reveal an awful lot of unwanted activity. I preg_match ALL session IDs - just code against it and reject anything you don't think is right. – Robbie Oct 12 '16 at 22:31
  • I've set you the bounty, this isn't a certain answer but does seem to be the highest contender by a decent margin. I will definitely look into `preg_` checking session ids, annoyingly from a issue resolution point of view the site seems to now have 0 short id names (although I've not checked yet this morning). Thanks for the answer – Martin Oct 13 '16 at 07:34
  • That's because they read the stackoverflow question and realised they need to spoof 128 character sessions . – Robbie Oct 13 '16 at 22:26
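The check Robbie describes (reject any session ID that does not look like one the server would generate) and the logging Ryan Vincent suggested in the comments, written out as an added example for this thread. This is not code from the question or from either answer. It assumes the php.ini from the question (session.hash_function = whirlpool with session.hash_bits_per_character = 4, so a genuine ID is exactly 128 lower-case hex characters) and session.use_only_cookies = 1; the log file path and the `hits` counter are assumptions for illustration. The validation runs before session_start(), so PHP never writes a sess_<attacker-chosen-string> file; the CLI branch counts the existing files by ID length to measure the anomaly the question describes.

```php
<?php
// Added example (not from the question or answers). Validates the incoming
// session cookie before session_start() so spoofed IDs never reach the
// session save path, and logs the rejected ones with the client address.
// Assumes whirlpool + hash_bits_per_character=4, i.e. 128 hex chars per ID.

define('SESSION_ID_PATTERN', '/^[0-9a-f]{128}$/');
define('SESSION_ANOMALY_LOG', '/var/log/php_session_anomalies.log'); // assumed path

/** True only for an ID this server could have generated itself. */
function is_valid_session_id($id)
{
    return is_string($id) && preg_match(SESSION_ID_PATTERN, $id) === 1;
}

/** Record a rejected cookie with the client address for correlation with the access log. */
function log_session_anomaly($id, $remoteAddr)
{
    // Neutralise anything that is not safe to write into a log line.
    $shown = preg_replace('/[^0-9A-Za-z_.-]/', '?', substr($id, 0, 160));
    $line  = sprintf("%s ip=%s len=%d id=%s\n", date('c'), $remoteAddr, strlen($id), $shown);
    error_log($line, 3, SESSION_ANOMALY_LOG);
}

/**
 * Drop-in replacement for session_start(): a malformed PHPSESSID cookie is
 * logged and discarded, so PHP generates a fresh ID with the configured hash
 * instead of creating a session file for whatever the client sent.
 */
function start_validated_session()
{
    $name   = session_name();   // "PHPSESSID" unless session.name is changed
    $cookie = isset($_COOKIE[$name]) ? $_COOKIE[$name] : null;

    if ($cookie !== null && !is_valid_session_id($cookie)) {
        $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        log_session_anomaly($cookie, $addr);
        unset($_COOKIE[$name]);  // with use_only_cookies=1 nothing else is consulted
    }

    session_start();

    // Defence in depth: whatever PHP settled on must still match the format.
    if (!is_valid_session_id(session_id())) {
        session_regenerate_id(true);
    }
}

/**
 * Measures the anomaly from the question: counts sess_* files in the
 * session.save_path directory by ID length, e.g. array(32 => 92, 128 => 9900).
 */
function count_session_files_by_id_length($dir)
{
    $counts = array();
    foreach (scandir($dir) as $file) {
        if (strpos($file, 'sess_') !== 0) {
            continue;
        }
        $len = strlen($file) - strlen('sess_');
        $counts[$len] = isset($counts[$len]) ? $counts[$len] + 1 : 1;
    }
    ksort($counts);
    return $counts;
}

if (PHP_SAPI === 'cli') {
    // From the command line: print the current distribution of ID lengths.
    $dir = session_save_path();
    if ($dir === '') {
        $dir = sys_get_temp_dir();
    }
    print_r(count_session_files_by_id_length($dir));
} else {
    start_validated_session();
    // Assumed application code: a per-visitor page counter.
    $_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;
}
```

One caveat worth knowing on a PHP 5.6 build: session.use_strict_mode (available since PHP 5.5.2, off by default) makes PHP refuse any session ID it has no existing session for and generate a new one instead, which on its own stops a spoofed cookie from producing a sess_ file. The format check above is still useful alongside it, because it also catches IDs of the wrong length that happen to exist and gives you the log line to trace where they came from.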

In the php.ini file, you can check the hash algorithm

; Select a hash function for use in generating session ids.
; Possible Values
;   0  (MD5 128 bits)
;   1  (SHA-1 160 bits)
; This option may also be set to the name of any hash function supported by
; the hash extension. A list of available hashes is returned by the hash_algos()
; function.
; http://php.net/session.hash-function
session.hash_function = 0

Now check http://php.net/manual/en/function.hash-algos.php, which provides an index of the different kinds of algorithms available

To make the ID 5 + 128 characters long you can use the sha512 or whirlpool algorithm to generate the session ID. Check the length of each hash method at http://php.net/manual/en/function.hash.php

So session file name should be sess_ + session_id

So in your php.ini you can set

session.hash_function = whirlpool
session.hash_function = sha512

or in PHP you can set it dynamically before the session_start() function

ini_set('session.hash_function', 'whirlpool');
ini_set('session.hash_function', 'sha512');

I have tested with the ini_set() function; it works fine for me and generates a session file of 5+128 characters.

My PHP file code

<?php
ini_set('session.hash_function', 'whirlpool');
session_start();
echo "Session ID: " . session_id();

Output:

Session ID: 0216691c286f2023c6bad823952bcfbdd1cb51980e1981afa28418e887209dcfae3443dc3b59ecaf6201c5d1ea18cd4eb8810de69668a5a366e3c98396ca3786

[Screenshot of generated file]

  • Thanks for the answer, my PHP.ini is already setup with whirlpool and this works -as far as I can tell-, the issue is that *some* session id filenames are 32-characters while 99% are 128-characters, but all are/should be using the `whirlpool` hash function. – Martin Oct 06 '16 at 12:32
  • "This option may also be set to the name of any hash function" OP has already `session.hash_function=whirlpool`. – Daniel W. Oct 06 '16 at 12:33
  • @Martin, can you please clear your browser's cookies, because the session may already be generated so PHP does not generate a session ID again with the new configuration.... or check with private browsing – Haresh Vidja Oct 06 '16 at 12:39
  • @HareshVidja you seem to maybe misunderstand, the issue is *not* with my browser, the issue is the **server** is setting unusually short [default length] session filenames. I'd like to find out what can cause this. – Martin Oct 06 '16 at 12:43
  • @Martin, you can see my attached screenshot of the server-side file name. The length of the file name is also 5 + 128 characters. – Haresh Vidja Oct 06 '16 at 12:45
  • In the screenshot, the first filename is 5+32 characters, before changing the hash function. After changing the hash function it became 5+128 with a new session id. – Haresh Vidja Oct 06 '16 at 12:46
  • I saw your screenshot but your answer seems to be retreading the same details as I've put in my question. I'm aware of the before/after effect of the hash changes but the question is that my hash has universally **not** changed so I'm asking if anything else can cause the session filename length anomaly. – Martin Oct 06 '16 at 12:48
  • @Martin, I can understand you, I have not changed any other configuration.. can I know which OS you are using and which PHP version? – Haresh Vidja Oct 06 '16 at 12:50
  • I've updated my question, take a look at the bottom. – Martin Oct 06 '16 at 13:12