A LOT of websites nowadays simply assume that the browser accepts cookies. Worse, far too many of them rely on a cookie (or on the session a cookie identifies) for information that never needed to be stored there in the first place. A typical example is a site that keeps the user's language setting in session data without making sure the session ID is relayed to the next page when the session cookie hasn't been accepted: refuse the cookie and the language resets on every click.

Luckily PHP and friends have automated ways of adding the session ID to URLs (in PHP this is session.use_trans_sid, which rewrites links and forms to carry it). This is not always a good thing: it lets the programmer forget about cookies and sessions altogether, and it puts the session ID into referrer headers, proxy logs and bookmarks. The downside is that a lot of websites end up with cookies/sessions for stuff that never needed a session, simply because it's convenient to have the session around all the time instead of creating one only when it's actually required.
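As an added example (not code from the original post), here is what the two sides of that configuration look like in PHP, together with a language setting that survives a refused cookie without dragging a session along. It assumes PHP 7.3 or later and a site served over HTTPS; the function names and the language list are mine.

```php
<?php
// Added example, not from the original post: a session bootstrap that turns
// off the URL-based session ID relay and keeps things that never needed a
// session (the language setting from above) out of it. Assumptions: PHP
// 7.3+, the site is served over HTTPS, and the function names are my own.

/** Start the session with the ID carried by cookie only. */
function secure_session_start(): void
{
    // The permissive configuration the post complains about looks like this:
    //   session.use_trans_sid    = 1   ; rewrite links and forms to carry PHPSESSID
    //   session.use_only_cookies = 0   ; also accept ?PHPSESSID=... from the URL
    // With it the ID ends up in referrer headers, proxy logs and bookmarks,
    // and anyone who can read the URL can ride the session.
    ini_set('session.use_trans_sid', '0');      // never append the ID to URLs
    ini_set('session.use_only_cookies', '1');   // ignore IDs in the query string
    ini_set('session.use_strict_mode', '1');    // reject IDs this server never issued
    ini_set('session.cookie_httponly', '1');    // not readable from JavaScript
    ini_set('session.cookie_secure', '1');      // sent over HTTPS only
    session_start();
}

const LANGUAGES = ['en', 'de', 'fi'];   // constructed list for this example

/**
 * Language selection that works with cookies refused: the choice lives in
 * the URL (?lang=) or in a plain cookie of its own, never in $_SESSION, so
 * no session has to be relayed to keep it. Unknown values fall back to the
 * default instead of being stored anywhere.
 */
function current_language(array $get, array $cookie, string $default = 'en'): string
{
    foreach ([$get['lang'] ?? null, $cookie['lang'] ?? null] as $candidate) {
        if (is_string($candidate) && in_array($candidate, LANGUAGES, true)) {
            return $candidate;
        }
    }
    return $default;
}

secure_session_start();
$lang = current_language($_GET, $_COOKIE);
if (($_GET['lang'] ?? null) === $lang) {
    // Remember an explicit choice in its own cookie. If the browser drops it,
    // the site still works; it just shows the default language.
    setcookie('lang', $lang, [
        'expires'  => time() + 86400 * 365,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

With use_only_cookies on, a visitor who refuses the session cookie gets a fresh session on every request. That is the honest outcome: the site should then need the session only for things that genuinely require one (a login, a shopping basket), not for the language.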

Problems inside the website itself are easy to spot and fix. What usually gets overlooked are the external components: captchas, various forms and OpenID use interfaces outside the normal code paths. Captchas are the most common case. A separate piece of code (usually the script that serves the image) writes a text string into the session, and the website reads it back when the form is submitted. If the captcha script doesn't receive the session ID it will happily create a new session, different from the one the user already has, and store the answer there, so verification always fails.
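The captcha case above, as an added example that is not part of the original post. It is written for a site that chooses to support cookie-less sessions (session.use_trans_sid on, session.use_only_cookies off) and assumes PHP 7.1 or later; the function names are my own. The concrete reason the image script misses the session is that `img` is not in PHP's default url_rewriter.tags list, so trans_sid never rewrites the image URL.

```php
<?php
// Added example, not code from the original post: the captcha case described
// above, for a site that supports cookie-less sessions (session.use_trans_sid
// on, session.use_only_cookies off). Assumptions: PHP 7.1+, the captcha is a
// session-bound text code, and the function names here are my own.
// Three pieces, each belonging to a different script:
//   captcha_image_tag() runs in the page that shows the form,
//   captcha_issue()     runs in the script that renders the image,
//   captcha_verify()    runs in the script that receives the form.
// Each script must call session_start() first.

/**
 * The form page. <img> is not in PHP's default url_rewriter.tags, so
 * trans_sid does NOT rewrite the image URL. When the browser refused the
 * session cookie, a plain <img src="captcha.php"> therefore reaches
 * captcha.php without any session ID, and the answer lands in a new session.
 */
function captcha_image_tag(string $script = 'captcha.php'): string
{
    // SID (defined by session_start) is "" when the session cookie was sent
    // and "PHPSESSID=<id>" when it was not, so the ID only goes into the URL
    // in the cookie-less case.
    $query = (SID !== '') ? '?' . htmlspecialchars(SID, ENT_QUOTES) : '';
    return '<img src="' . $script . $query . '" alt="captcha">';
}

/** The image script: stores the challenge in whatever session it joined. */
function captcha_issue(array &$session, int $length = 6): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';   // no 0/O or 1/I lookalikes
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['captcha'] = $code;
    $session['captcha_issued'] = time();
    return $code;                                      // caller draws it with GD
}

/** The form handler: one attempt, short lifetime, constant-time compare. */
function captcha_verify(array &$session, string $answer, int $maxAge = 300): bool
{
    if (!isset($session['captcha'], $session['captcha_issued'])) {
        return false;   // no challenge in THIS session: the symptom of the bug above
    }
    $fresh = (time() - $session['captcha_issued']) <= $maxAge;
    $match = hash_equals($session['captcha'], strtoupper(trim($answer)));
    unset($session['captcha'], $session['captcha_issued']);   // never reusable
    return $fresh && $match;
}

// Usage, one line per script, each after its own session_start():
//   form page:    echo '<form method="post" action="verify.php">', captcha_image_tag(), '...';
//   captcha.php:  $code = captcha_issue($_SESSION);   // then draw $code into an image
//   verify.php:   if (!captcha_verify($_SESSION, $_POST['captcha'] ?? '')) {
//                     http_response_code(400); exit('captcha failed');
//                 }
```

Relaying the ID this way keeps the captcha working for cookie-less visitors, but it also exposes the session ID in the image URL; a site that cares about that should give the captcha its own random token in a hidden form field instead of reusing the session ID.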

OpenID has a different kind of problem. Since the login is relayed to a third party, the third party has to be told about the session present on the originating website. This could be done by passing the session ID in the return URL sent to the provider: the provider handles the login as normal and redirects the client back to that URL, session ID included. The problem is that handing the session ID to a third party is a security risk. It ends up in the provider's logs and in referrer headers, and if the originating website doesn't apply proper session restrictions (regenerating the ID at login, HttpOnly and Secure cookie flags, short lifetimes) the running session can easily be hijacked. This is not the only way a session can be hijacked, so applying such restrictions is a good idea in any case.

The only viable solution here is to create a one-time return URL for the OpenID provider that doesn't include the session ID: the URL carries a random handle, and the site maps that handle to the session on its own side. The handle is accepted only once, after a successful login at the provider, and expires shortly after it was issued, so the return URL is valid only for a short period of time and only a single time.
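One way to implement that one-time return URL, as an added example that is not code from the original post or from any OpenID library. It assumes a storage backend shared by all web nodes (shown as a PDO table named openid_returns; the schema is constructed for this example), PHP 7.1 or later, and that the OpenID message exchange itself is handled by a separate library. The function names and the 300-second lifetime are mine.

```php
<?php
// Added example, not from the original post: a one-time return_to URL for
// the OpenID flow described above. Instead of the session ID, the URL carries
// a random handle that is mapped to the session on the server side, consumed
// on first use and expired quickly. Assumptions: a PDO connection to storage
// shared by all web nodes, PHP 7.1+, and an OpenID library that verifies the
// provider's assertion before resume_session() is called. Names are my own.
//
// Table used (constructed for this example):
//   CREATE TABLE openid_returns (
//     handle     CHAR(64)     PRIMARY KEY,
//     session_id VARCHAR(128) NOT NULL,
//     expires_at INTEGER      NOT NULL
//   );

const RETURN_TTL = 300;   // seconds; a provider round-trip finishes well within this

/** Build the return_to URL for the provider: it carries only a random handle. */
function create_return_url(PDO $db, string $baseUrl): string
{
    $handle = bin2hex(random_bytes(32));          // 256-bit, unguessable
    $stmt = $db->prepare(
        'INSERT INTO openid_returns (handle, session_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$handle, session_id(), time() + RETURN_TTL]);
    return $baseUrl . '?h=' . $handle;            // no PHPSESSID anywhere in it
}

/**
 * Look up and destroy a handle. Returns the original session ID exactly
 * once; an unknown, replayed or expired handle returns null.
 */
function consume_return_handle(PDO $db, string $handle): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $handle)) {
        return null;                              // malformed: do not touch storage
    }
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT session_id, expires_at FROM openid_returns WHERE handle = ?');
    $stmt->execute([$handle]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete inside the same transaction so a replayed redirect finds no row.
    $db->prepare('DELETE FROM openid_returns WHERE handle = ?')->execute([$handle]);
    $db->commit();

    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    return $row['session_id'];
}

/** Return endpoint: call only after the OpenID assertion has been verified. */
function resume_session(PDO $db, string $handle): bool
{
    $sid = consume_return_handle($db, $handle);
    if ($sid === null) {
        return false;                             // unknown, replayed or expired
    }
    // If the browser did send a session cookie, it must name the same session
    // the handle was issued for; a mismatch means the handle is being used
    // from a different browser than the one that started the login.
    $fromCookie = $_COOKIE[session_name()] ?? null;
    if ($fromCookie !== null && $fromCookie !== $sid) {
        return false;
    }
    session_id($sid);              // re-attach to the session that started the login
    session_start();
    session_regenerate_id(true);   // new ID after the privilege change, old one destroyed
    return true;
}

// Usage on the return endpoint (assertion already verified by the OpenID library):
//   if (!resume_session($db, $_GET['h'] ?? '')) { http_response_code(400); exit('stale or invalid return'); }
//   $_SESSION['user'] = $claimedIdentity;
```

Verifying the provider's assertion before consuming the handle is what makes the URL "valid only after a successful login": a request that arrives with a good handle but a bad assertion is rejected before the handle is spent. The expiry keeps an unused handle from lingering, and the cookie check keeps the handle from working as a substitute for the cookie in a browser that never had the session.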

Other good reading about OpenID and security: OpenID: Phishing Heaven
