| Topic: | Authentication: URL encoding/rewriting rather than Cookie |
|---|---|

rgasch
Professional
Posts: 573 Posted:
Hi, I have been passed the requirement for one of my installs that PN not place any cookies on the client machine. Currently, when you log into PN, a POSTNUKESID cookie is passed to your client (which sets your session ID). Can this be turned off and the session ID be appended to the URL? (I've looked around but didn't find anything along those lines.)

If this doesn't exist, can someone give me a hint as to:
1) How difficult this would be to implement (trivial, easy, hard, impossible)?
2) Give me an idea of how/where to start.

I'd be perfectly willing to try to implement this, dependent on some feedback from people in the know.

Greetings/Thanks --> R

markwest
Moderator
Posts: 7720 Posted:
Robert, This advice comes with an I've-not-tried-it warning ;). Now I've got that out of the way - there may be a possibility of implementing this without touching PN at all - good eh? (Well, if it works anyways.) Take a look at the session.use_cookies directive in your php.ini file.

-Mark

rgasch
Professional
Posts: 573 Posted:
Hi Mark, thanks for your suggestion, but I'm afraid that doesn't do the trick. I've just tried this and unfortunately the cookie is still being set. Having said this, I grepped around the PN source tree a little and found the following (in pnSessionSetup() (in include/pnSession.php)):

```php
// Stop adding SID to URLs
ini_set('session.use_trans_sid', 0);
// User-defined save handler
ini_set('session.save_handler', 'user');
// How to store data
ini_set('session.serialize_handler', 'php');
// Use cookie to store the session ID
ini_set('session.use_cookies', 1);
// Name of our cookie
ini_set('session.name', 'POSTNUKESID');
```

I've tried setting session.use_trans_sid=1 and session.use_cookies=0, but the cookie was still being set. Somewhere in this code block, it should be possible to change the behaviour so that no cookie is being set, but so far I haven't been able to figure out how. Any more ideas on how to do this?

Greetings/Thanks --> R

markwest
Moderator
Posts: 7720 Posted:
Robert, At a glance it looks like changing the code you suggested should do it, but you've tried that. The second setting overrides the php.ini setting that I referred you to (I should have checked). I did look into turning off the cookies completely for un-registered users browsing the site, as some countries are now coming up with daft privacy laws about the setting of cookies etc. I got this to work to some degree in that the site was browsable, but I couldn't get the transition from this state to the logged in state with having sessions on to start with. I've no more ideas at the moment, I'm afraid. I'll see if I can find a few minutes to take a further look at this. If I can get this working it would be useful as well as a performance improvement (only having sessions for signed on users regardless of the use of a cookie or a URL). I suggest you also continue to dig and let me know if you come up with anything.

-Mark

markwest
Moderator
Posts: 7720 Posted:
Robert, Coming back to you (probably before you've read my first reply). It looks like this setting in the PN sessions code has no effect. Looking at the PHP documentation on sessions and ini_set (http://uk2.php.net/en/ini-set) it appears that use_trans_sid can't be set by user scripts. It can however be set by a .htaccess file. So adding the following to a .htaccess file in the PN root:

```apache
php_value session.use_trans_sid 1
```

then disable cookies via the line in pnSession.php. I've quickly tested this setup (I changed my php.ini rather than a .htaccess file) and can log in and out without a cookie being set. I should point out that there are potential security issues arising from having the session ID passed in the URL, but I guess you're probably aware of this anyway.

-Mark
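As an added example that is not PostNuke's own code, the following PHP puts the working setup from this post in one place and adds the handling a deployer of a URL-carried session ID would want around it. Every setting name is a real PHP session directive; session.use_strict_mode needs PHP 5.5.2 or newer. Where, as found in this thread, use_trans_sid is only honoured per directory, the first three ini_set() lines go into .htaccess as the php_value lines shown in the comment instead. The helper names login_user(), url_with_sid() and session_cookie_queued() are my own for this illustration.

```php
<?php
// Added example, not PostNuke code: run PHP sessions with the ID in the URL
// instead of a cookie. If use_trans_sid cannot be set from a script on your
// PHP build, put the first three settings in .htaccess instead:
//   php_value session.use_cookies 0
//   php_value session.use_only_cookies 0
//   php_value session.use_trans_sid 1

// 1. Never send a session cookie.
ini_set('session.use_cookies', '0');
// 2. Allow the ID to be read from the query string (newer PHP defaults to
//    cookies only, which would silently start a new session on every request).
ini_set('session.use_only_cookies', '0');
// 3. Rewrite relative links and forms in the output so the ID is carried along.
ini_set('session.use_trans_sid', '1');
// 4. Accept only IDs this server generated (PHP 5.5.2+). With the ID in the
//    URL, anyone who shares or follows a link hands the server an ID, so
//    refusing unknown IDs closes the session fixation route.
ini_set('session.use_strict_mode', '1');
// 5. Keep PostNuke's cookie name as the query parameter name.
session_name('POSTNUKESID');

session_start();

// A URL-carried ID is exposed in bookmarks, Referer headers and proxy logs.
// Issue a fresh ID at every privilege change instead of keeping the one the
// visitor arrived with, so an ID that leaked earlier never becomes a logged-in one.
function login_user(string $username): void
{
    session_regenerate_id(true);           // true = discard the old session file
    $_SESSION['user'] = $username;
    $_SESSION['authenticated_at'] = time();
}

// Add the ID to a URL explicitly, e.g. for a Location: redirect header,
// which the output rewriter never touches.
function url_with_sid(string $path): string
{
    $sep = strpos($path, '?') === false ? '?' : '&';
    return $path . $sep . rawurlencode(session_name()) . '=' . rawurlencode(session_id());
}

// Sanity check for the requirement in this thread: no Set-Cookie header for
// the session name may be queued for this response.
function session_cookie_queued(): bool
{
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie: ' . session_name() . '=') === 0) {
            return true;
        }
    }
    return false;
}

if (!isset($_SESSION['user'])) {
    // A hypothetical credential check belongs here before calling login_user().
    login_user('demo');
}

if (session_cookie_queued()) {
    trigger_error('session cookie was queued despite session.use_cookies=0', E_USER_WARNING);
}

echo '<a href="' . htmlspecialchars(url_with_sid('/index.php')) . '">home</a>';
```

The order matters: all ini_set() calls and session_name() must run before session_start(), and the output rewriter only sees output produced after the session has started, so echo nothing before that point.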

kaffeeringe.de
Professional
Posts: 900 Posted:
I thought that SIDs are automatically appended to URLs if cookies don't work with the client.

-- best regards from Kiel, sailing city
Steffen Voss
Member of the PostNuke Steering Committee
Read The Zikulan's Blog

larsneo
Software Foundation
Posts: 4482 Posted:
I always used the other way: hide the SID from the URL with .htaccess files. Said this, I guess it's just a PHP config thing since in some of my PN installations SIDs are appended to the URL (even with the ini_set('session.use_trans_sid', 0); in pnSession.php), in others everything works as expected.

-- regards from Germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..

markwest
Moderator
Posts: 7720 Posted:
Andreas, It looks like (from the referenced PHP docs) that the ini_set command in pnSession.php has no effect. According to these docs use_trans_sid can't be set by user scripts. This would seem to be backed up by experience - as you comment that many PN sites have the sid appended anyway. I think we should remove this code if this is the case.

-Mark

larsneo
Software Foundation
Posts: 4482 Posted:
Agree - guess this has been changed sometime back in the PHP history... Anyway: from my point of view it's not recommended to use the SID as part of the URL - besides security risks with cached session ids there might be problems when trapping search engine spiders on the site (grabbing the same URL with different SIDs over and over again...)

-- regards from Germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
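Both risks raised in this post, a session ID escaping from a shared or bookmarked URL and spiders collecting SID-bearing URLs, leave traces in the web server's access log, and the same log is where SIDs must be scrubbed before it is kept or handed to anyone. The following PHP is an added example, not PostNuke or Zikula code: the Apache combined-format log lines are constructed for the illustration, the parameter name POSTNUKESID is taken from this thread, and the function names are mine.

```php
<?php
// Added example, not PostNuke code. Scans constructed access-log lines for
// the two symptoms of a URL-carried session ID discussed in this thread and
// redacts the ID before the log is stored or shared.

const SID_PARAM = 'POSTNUKESID';

// Constructed sample: one SID used from two client addresses, a SID carried
// in a Referer header, and a crawler collecting a fresh SID per request.
function sample_log(): string
{
    return <<<'LOG'
10.0.0.5 - - [10/Oct/2004:13:55:36 +0000] "GET /index.php?POSTNUKESID=aaaa1111 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2004:13:55:40 +0000] "GET /modules.php?op=modload&POSTNUKESID=aaaa1111 HTTP/1.1" 200 1024 "http://example.test/index.php?POSTNUKESID=aaaa1111" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2004:14:02:01 +0000] "GET /modules.php?op=modload&POSTNUKESID=aaaa1111 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
66.249.1.1 - - [10/Oct/2004:14:10:00 +0000] "GET /index.php?POSTNUKESID=bbbb2222 HTTP/1.1" 200 512 "-" "Googlebot/2.1"
66.249.1.1 - - [10/Oct/2004:14:10:05 +0000] "GET /index.php?POSTNUKESID=cccc3333 HTTP/1.1" 200 512 "-" "Googlebot/2.1"
LOG;
}

// Split one combined-format line into the fields we need; null if it does not parse.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d+) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'path' => $m[3], 'status' => (int) $m[4], 'referer' => $m[5], 'ua' => $m[6]];
}

// PHP session IDs consist of [A-Za-z0-9,-]; anything else is not an ID.
function extract_sid(string $url): ?string
{
    return preg_match('/[?&]' . SID_PARAM . '=([A-Za-z0-9,-]+)/', $url, $m) ? $m[1] : null;
}

// Report SIDs seen from more than one address (shared, leaked or hijacked),
// how many distinct SIDs went to crawlers, and how many requests carried a
// SID inside the Referer header (the browser also sends that Referer to any
// external site linked from the page).
function analyze_log(string $log): array
{
    $ipsBySid = [];
    $crawlerSids = [];
    $refererWithSid = 0;
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_line($line);
        if ($e === null) {
            continue;
        }
        $sid = extract_sid($e['path']);
        if ($sid !== null) {
            $ipsBySid[$sid][$e['ip']] = true;
            if (preg_match('/bot|crawl|spider/i', $e['ua'])) {
                $crawlerSids[$sid] = true;
            }
        }
        if ($e['referer'] !== '-' && extract_sid($e['referer']) !== null) {
            $refererWithSid++;
        }
    }
    $shared = [];
    foreach ($ipsBySid as $sid => $ips) {
        if (count($ips) > 1) {
            $shared[$sid] = array_keys($ips);
        }
    }
    return ['shared_sids' => $shared, 'crawler_sids' => count($crawlerSids), 'referer_with_sid' => $refererWithSid];
}

// Replace the SID value wherever it appears in a line (request URL or Referer).
function redact_sid(string $line): string
{
    return preg_replace('/([?&]' . SID_PARAM . '=)[A-Za-z0-9,-]+/', '${1}[redacted]', $line);
}

print_r(analyze_log(sample_log()));
foreach (preg_split('/\R/', trim(sample_log())) as $line) {
    echo redact_sid($line), "\n";
}
```

On the sample, aaaa1111 is reported as shared between 10.0.0.5 and 10.0.0.9, two crawler SIDs are counted, and one Referer carried a SID. The crawler count is the signal for larsneo's spider problem: each crawler hit minted a new session, so the site is handing out (and storing) one session per crawled URL. The usual mitigation is to skip session_start() and URL rewriting for requests whose User-Agent matches a known crawler, which also keeps SID-bearing URLs out of search indexes.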

markwest
Moderator
Posts: 7720 Posted:
Agreed, that's why I pointed out the security issues. However Robert had a specific request to achieve this, so there it is ;).

-Mark