John Davidson

session - Randomized $_SESSION token is changed before validation when PHP file is specified in built-in server


I am generating a unique token and saving it in a session variable on every request (in typical CSRF-protection fashion). The token is refreshed after validating it against the POSTed token value.


Here is my code (index.php):


<?php

session_start();

// Validation step: a POSTed token is compared with the one stored in the session.
if (!empty($_POST['token'])) {
    var_dump($_POST['token'], $_SESSION['token']);
    exit;
}

// A new token is stored on every request that reaches this point.
// (rand() is not a cryptographically secure generator; bin2hex(random_bytes(16)) is the usual choice.)
$_SESSION['token'] = rand();

echo '<form action="index.php" method="post"><input name="token" value="' . $_SESSION['token'] . '"></form>';

When I use php -S localhost:8888 to run the script, it works fine. But when I specify the index.php file, like php -S localhost:8888 index.php, the $_SESSION['token'] is changed ($_POST['token'] and $_SESSION['token'] do not match).


php -S localhost:8888

(screenshots: before and after)

php -S localhost:8888 index.php

(screenshots: before and after)


I have also tried using a routing file; it does not work either: php -S localhost:8888 server.php


<?php
// server.php

// Path component of the request, e.g. "/" or "/favicon.ico".
$uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$uri = urldecode($uri);

// Returning false tells the built-in server to serve the file itself.
// Note: $uri is checked as given, so file_exists() looks at a filesystem-root path.
if ($uri !== '/' and file_exists($uri))
{
    return false;
}

require_once 'index.php';

Console output:


php -S localhost:8888


php -S localhost:8878 
[Mon Mar 29 11:49:49 2021] PHP 8.0.3 Development Server (http://localhost:8878) started
[Mon Mar 29 11:49:52 2021] [::1]:47410 Accepted
[Mon Mar 29 11:49:52 2021] [::1]:47412 Accepted
[Mon Mar 29 11:49:52 2021] [::1]:47410 [200]: GET /
[Mon Mar 29 11:49:52 2021] [::1]:47410 Closing
[Mon Mar 29 11:49:53 2021] [::1]:47412 [404]: GET /favicon.ico - No such file or directory
[Mon Mar 29 11:49:53 2021] [::1]:47412 Closing

php -S localhost:8888 server.php


php -S localhost:8858 server.php
[Mon Mar 29 11:48:51 2021] PHP 8.0.3 Development Server (http://localhost:8858) started
[Mon Mar 29 11:48:53 2021] [::1]:33156 Accepted
[Mon Mar 29 11:48:53 2021] [::1]:33158 Accepted
[Mon Mar 29 11:48:53 2021] [::1]:33156 Closing
[Mon Mar 29 11:48:54 2021] [::1]:33158 Closing

Tested using:


PHP 7.3.27-1~deb10u1 (cli) (built: Feb 13 2021 16:31:40) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.27, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.27-1~deb10u1, Copyright (c) 1999-2018, by Zend Technologies

and


PHP 8.0.3 (cli) (built: Mar  5 2021 08:38:30) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.3, Copyright (c) Zend Technologies
with Zend OPcache v8.0.3, Copyright (c), by Zend Technologies

Is this a bug in PHP built-in server?



My Answer:
It seems like the issue you are experiencing might be related to how the PHP built-in server handles sessions when specifying the PHP file directly.

One possible workaround could be to explicitly set the session id using session_id() before starting the session. This way, the session id will remain consistent even when specifying the PHP file directly.

Here is an example of how you can modify your code to set the session id:

<?php

// Fix the session id before the session is started.
session_id('my_unique_session_id');
session_start();

if (!empty($_POST['token'])) {
    var_dump($_POST['token'], $_SESSION['token']);
    exit;
}

$_SESSION['token'] = rand();

echo '<form action="index.php" method="post"><input name="token" value="' . $_SESSION['token'] . '"></form>';


By setting a specific session id, you can ensure that the session remains consistent even when specifying the PHP file directly in the PHP built-in server.

I hope this helps resolve the issue you are facing with the session token being changed before validation. Let me know if you have any other questions or concerns.
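The following is an added example, not the question's index.php/server.php and not the code from the answer above. It assumes the observed behaviour comes from the router script: when the built-in server is started with a script argument, that script runs for every request, including the browser's automatic /favicon.ico fetch, and the question's server.php checks file_exists('/favicon.ico') (a filesystem-root path) so that request falls through to index.php and overwrites the token. The example serves real files relative to the script directory, generates the token with random_bytes(), compares it with hash_equals(), and only issues a new token when none exists. The file name router.php is an assumption.

```php
<?php
// router.php (name assumed): run with  php -S localhost:8888 router.php
// Added example; not the original question's or answer's code.
declare(strict_types=1);

// Resolve the request path against this directory. realpath() collapses ".."
// segments, and the prefix check refuses anything outside the document root.
$path = urldecode((string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH));
$file = realpath(__DIR__ . $path);
if ($file !== false
    && strpos($file, __DIR__ . DIRECTORY_SEPARATOR) === 0
    && is_file($file)) {
    return false; // static file: hand it back to the built-in server
}

session_start();

// Issue a token once per session so a second request (favicon, prefetch,
// a second tab) cannot overwrite it before the form is posted.
function csrfToken(): string
{
    if (empty($_SESSION['token']) || !is_string($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Constant-time comparison; rejects a missing token or a non-string value
// such as token[]=x posted as an array.
function csrfCheck($posted): bool
{
    if (!is_string($posted) || empty($_SESSION['token']) || !is_string($_SESSION['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $posted);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfCheck($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('CSRF token mismatch');
    }
    unset($_SESSION['token']); // rotate after a successful check
    echo 'token OK; a new token is issued on the next GET';
    exit;
}

$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form action="/" method="post">'
   . '<input type="hidden" name="token" value="' . $token . '">'
   . '<button type="submit">Submit</button></form>';
```

The example keeps a per-visitor session instead of calling session_id() with a constant: a fixed session id means every visitor shares one session and therefore one token, so a token an attacker obtains from their own session is valid for every other user's form, which removes the CSRF protection. It also avoids rand(), whose output is predictable, in favour of random_bytes().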

© 2024 Hayatsk.info - Personal Blogs Platform. All Rights Reserved.