Session hijacking or attack?

Question

Lately I have seen this in my error log (1 per day, and I have 40k visitors per day):

[22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-s         


        

Answer 1

What is probably done here is that this client has changed the PHPSESSID cookie's content. Normally the SessionID is something like "62bf75fb02922cf9c83fb3521255b4ab" (hexadecimal)

However, the user might have modified the cookie using some tools. This causes no harm to your website and server because this modification is done client side and by doing so it does not affect the server (except generating those errors). What you can do is that when you receive such error, you change the session ID and replace the one that is on the client.

See solution:

$ok = @session_start();
if(!$ok){
  session_regenerate_id(true); // replace the Session ID
  session_start(); // restart the session (since previous start failed)
}

Remember, you can't replace or write a file onto the server via PHP session cookie. It is only when a session is successfully started, PHP writes a Session file about the current session and stores it to the tmp folder. Once the file becomes old, the file is deleted.

Answer 2

This is most likely caused by spambots. I see a lot of spambots being sent a session ID as a GET parameter, which they then try to use for SMTP injection or to send email. I'll try to find proof somewhere from my logs but I know it's happened to me on at least a dozen sites. When I saw it, the GET vars looked like: ?sid=v14gra@spam.com\n\subject:blah blah blah\n\nspam email here etc...

Answer 3

By best guess is someone has a bad session id in their session cookie and is causing the error.

I can't see how anyone would use an invalid session id for session hijacking.

If you want to reproduce the error:

<?php
error_reporting(E_ALL);
session_start();
session_id ("$");