
Re: [users@httpd] Odd session cookies

It looks like someone trying to guess existing cookies and retrieve session information for existing sessions. Based on the cookie format, I am guessing the sessions are actually controlled by PHP - you can add some code to log IP address and cookie combinations and see if there is a pattern.

I am pretty sure sess_rfc1867-tests-post is a cookie name from the PHP test suite. The other examples you gave look like what might happen if you set a custom session handler and didn't add a unique value for each session.

If you are worried about actual session hijacking, store the client IP address in the session and don't let other IPs use it and/or consider an application firewall that can detect these things (no specific recommendation).

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.
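As an added illustration of the two checks suggested above (it is not code from this thread or from PHP), the script below does the defender's side: it flags session files in the save path whose names don't look like PHP session IDs, and it parses access-log lines to see which session IDs each client IP presented, flagging clients that sent a malformed ID or cycled through many IDs. The session-ID format (32 hex characters, i.e. session.sid_length=32 with sid_bits_per_character=4), the LogFormat, the file list and the log lines are all assumptions constructed for the example.

```python
"""Detect oddly named PHP session files and correlate session cookies with client IPs.

Added example for the thread's suggestions; the session-ID format, the access-log
LogFormat and all sample data below are constructed assumptions, not thread data.
"""
import re
from collections import defaultdict

# Assumption: default PHP session IDs are 32 hex characters and the file in
# session.save_path is "sess_" + ID. Adjust the pattern if php.ini changes
# session.sid_length or session.sid_bits_per_character.
VALID_SESS_FILE = re.compile(r"^sess_[0-9a-f]{32}$")
VALID_SESS_ID = re.compile(r"^[0-9a-f]{32}$")

# Assumed Apache LogFormat: "%h %t \"%r\" %>s \"%{Cookie}i\""
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def odd_session_files(filenames):
    """Return session file names that don't match the expected sess_<hex32> format."""
    return [f for f in filenames if not VALID_SESS_FILE.match(f)]


def cookie_value(cookie_header, name):
    """Extract one cookie's value from a Cookie request header ("-" means none)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def session_ids_by_ip(log_lines, cookie_name="PHPSESSID"):
    """Map each client IP to the set of session IDs it presented."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that don't match the assumed LogFormat
        sid = cookie_value(m.group("cookie"), cookie_name)
        if sid is not None:
            seen[m.group("ip")].add(sid)
    return seen


def flag_ips(seen, max_ids=3):
    """Clients that sent a malformed session ID or more than max_ids distinct IDs."""
    flagged = {}
    for ip, ids in seen.items():
        malformed = sorted(s for s in ids if not VALID_SESS_ID.match(s))
        if malformed or len(ids) > max_ids:
            flagged[ip] = {"distinct_ids": len(ids), "malformed": malformed}
    return flagged


# Constructed sample data: a session directory listing and a few access-log lines.
SESSION_FILES = [
    "sess_d50280ded90f1dbd48fcfd5fc77baa77",
    "sess_rfc1867-tests-post",
    "sess_0123456789abcdef0123456789abcdef",
    "sess_foo",
]


def _line(ip, cookie):
    return f'{ip} [07/Sep/2018:01:17:00 +0000] "GET /index.php HTTP/1.1" 200 "{cookie}"'


LOG_LINES = [
    _line("203.0.113.5", "PHPSESSID=rfc1867-tests-post"),
    _line("203.0.113.5", "PHPSESSID=d50280ded90f1dbd48fcfd5fc77baa77"),
    _line("198.51.100.7", "PHPSESSID=0123456789abcdef0123456789abcdef; theme=dark"),
    _line("198.51.100.7", "-"),
] + [_line("203.0.113.9", f"PHPSESSID={c * 32}") for c in "abcd"]

if __name__ == "__main__":
    print("odd session files:", odd_session_files(SESSION_FILES))
    for ip, info in flag_ips(session_ids_by_ip(LOG_LINES)).items():
        print(ip, info)
```

On the sample data the file check reports `sess_rfc1867-tests-post` and `sess_foo`, and the log correlation flags 203.0.113.5 (it sent a non-hex ID) and 203.0.113.9 (four different IDs from one client), while the ordinary client is left alone. In practice, point `odd_session_files` at `os.listdir(session.save_path)` and feed it the real access log with a LogFormat that includes `%{Cookie}i`.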

On Fri, Sep 7, 2018, 1:17 AM John <john.iliffe@xxxxxxxxx> wrote:
Beginning last Sunday (2 September) I have been finding several oddly named
session cookies each day on my server.  The normal Apache session cookies have
names like "sess_d50280ded90f1dbd48fcfd5fc77baa77".  These new ones have names


The content seems strange too, although so far I haven't found anything
important in one of them.  The owner name is often mine, although some have
"php-fpm" as the file owner.

Here is an example:

cookie name:  sess_rfc1867-tests-post

cookie content: 


Does anyone have any idea what these are and if I have some sort of a compromise
to the server going on?

Thanks in advance.

