Browser Extensions and PHP Session IDs

February 2, 2022 - Information Resources

The Issue

One way applications protect against abuse, such as replay and cross-site request forgery, is to issue a nonce (a number used once) to a client. This randomly generated value is kept server-side in the session for as long as the session remains active, and the session is identified by the PHPSESSID cookie. The browser stores that cookie and sends it back with every subsequent request.

When the user submits data back to the server, such as a form, the nonce is included among the submitted fields. The server looks up the session by its PHPSESSID, compares the submitted nonce with the one stored in that session, and accepts the form data only if the two match.

Browsers have recently tightened how cookies are attached to cross-site requests. Chromium treats a cookie that does not declare a SameSite attribute as SameSite=Lax, so it is only sent on same-site requests and top-level navigations, and a cookie marked SameSite=None is rejected unless it is also marked Secure. More information about these changes can be found here.

A browser extension's own pages run from their own origin (chrome-extension:// in Chrome), so a request they make to your server is a cross-site request, and a Lax cookie is not attached to it. With this change, therefore, your PHPSESSID may no longer be shared between an ordinary browser tab on your site and a connection made through your browser extension: the extension's request arrives without a session, the stored nonce cannot be found, and the submission is rejected. We experienced this first with Chrome 97, but can't be certain this version is where the change was introduced.

The Solution

Change:

session_start();

To:

session_set_cookie_params([
    "samesite" => "None",   // None, Lax, Strict
    "secure"   => true,     // required when samesite is None; cookie is sent over HTTPS only
    "httponly" => true,     // cookie cannot be read from document.cookie
]);
session_start();

A single session_set_cookie_params() call before session_start() sets all three attributes at once; the array keys are matched case-insensitively, so the SameSite/Secure/HttpOnly spelling also works, but the values for secure and httponly should be booleans rather than the string "true". Secure is mandatory whenever SameSite is None, which also means the site has to be served over HTTPS, and session_start() must follow the call on its own line, since the cookie attributes only take effect if they are set before the PHPSESSID cookie is issued.

As soon as these parameters were applied (before the session was started and the PHPSESSID cookie was sent to the client), the browser extension's requests carried the same session cookie as an ordinary page load, and the extension began to function securely and as expected.

Two caveats are worth keeping in mind. With SameSite=None the browser now attaches the session cookie to every cross-site request, so the per-request nonce check is what stands between the application and cross-site request forgery; it must be enforced on every state-changing endpoint, not just the ones the extension uses. HttpOnly does not affect whether the cookie is sent with the extension's requests; it only prevents scripts from reading it via document.cookie.
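The following is an added, self-contained PHP example that ties the two halves of this article together: the session cookie attributes from the solution above and the nonce issue-and-verify flow described under The Issue. It is not BULC CLUB's code. The action names, the form identifier "burner" and the nonce field name are assumptions made for illustration; the nonce handling uses random_bytes() and hash_equals() from the PHP standard library and consumes each nonce on first use so that a replayed submission fails.

```php
<?php
// Added example (not the article's or BULC CLUB's code). Demonstrates the
// session cookie attributes needed so an extension-origin request carries
// PHPSESSID, plus a single-use nonce stored in the session and verified on
// submission. Action names and field names below are assumptions.

declare(strict_types=1);

// Cookie attributes must be set before session_start(), which is the point
// at which the PHPSESSID cookie is sent to the client.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'samesite' => 'None',   // let cross-site (extension-origin) requests carry it
    'secure'   => true,     // mandatory with SameSite=None; HTTPS only
    'httponly' => true,     // not readable via document.cookie
]);
session_start();

/** Issue a fresh nonce for a named form, store it in the session, return it. */
function issue_nonce(string $form): string
{
    $nonce = bin2hex(random_bytes(32));          // 256 bits from a CSPRNG
    $_SESSION['nonces'][$form] = $nonce;
    return $nonce;
}

/** Verify and consume a submitted nonce. Succeeds at most once per nonce. */
function verify_nonce(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['nonces'][$form] ?? null;
    unset($_SESSION['nonces'][$form]);           // single use, even on failure
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

// Minimal routing by query parameter; "action" is an assumed name.
$action = $_GET['action'] ?? 'form';

if ($action === 'form') {
    // Hand out a nonce. An extension page fetching this endpoint with
    // credentials: 'include' receives the same session as a normal tab once
    // the cookie carries SameSite=None; Secure.
    header('Content-Type: application/json');
    echo json_encode(['nonce' => issue_nonce('burner')]);
    exit;
}

if ($action === 'submit' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_nonce('burner', $_POST['nonce'] ?? null)) {
        http_response_code(403);
        echo 'Rejected: missing, replayed or mismatched nonce';
        exit;
    }
    // ... process the now-trusted form data here ...
    echo 'Accepted';
    exit;
}

http_response_code(404);
```

Because the session cookie is now sent on cross-site requests, the nonce endpoint must not be exposed with a permissive CORS policy (Access-Control-Allow-Origin echoing arbitrary origins together with Access-Control-Allow-Credentials: true); without such a header the browser's same-origin policy stops a third-party page from reading the nonce, while an extension with host permissions for the site can still fetch it.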

More Information

If you’re interested in seeing a practical example of this solution, install the BULC CLUB browser extension for Google Chrome and/or the add-on for Mozilla Firefox. The widget lets users quickly access their BULC CLUB Member Console, create a single-use “burner” email address, and right-click any email address or domain in the current window to check its BULC CLUB Member Rating.
