From 3e5a0ec03c96a5fd37b94f93f3100b476b112b04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=A0pa=C4=8Dek?= Date: Thu, 16 May 2024 01:54:58 +0200 Subject: [PATCH] Move the info about how the session id is determined a bit up --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 21334e6..23dadb1 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ echo $phpInfo->getFullPageHtml(); ``` ## Sanitization -By default, session id (as returned by `session_id()` if session is started, or as stored in `$_COOKIE[session_name()]` if not) will be sanitized and replaced by `[***]` in the output. +By default, session id will be automatically determined and replaced by `[***]` in the output. This is to prevent some session hijacking attacks that would read the session id from the cookie value reflected in the `phpinfo()` output (see my [blog post](https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it) describing the attack, `HttpOnly` bypasses, and the solution). You can disable the sanitization by calling `doNotSanitizeSessionId()` but it's totally not recommended. Do not disable that. Please. 
@@ -45,30 +45,30 @@ If found, the string in `$sanitize` will be replaced with the string `$with`, if Some of the values in `phpinfo()` output are printed URL-encoded, so the `$sanitize` value will also be searched URL-encoded automatically. This means that both `foo,bar` and `foo%2Cbar` would be replaced. -## Sanitizing arbitrary strings -If you have your `phpinfo()` output (or anything really) in a string, you can use the sanitizer standalone, for example: -```php -$sanitizer = new \Spaze\PhpInfo\SensitiveValueSanitizer(); -$string = $sanitizer->addSanitization('🍍', '🍌')->sanitize('🍍🍕'); -``` - The sanitizer will try to determine the session id and sanitize it automatically, you can (but shouldn't) disable it with `doNotSanitizeSessionId()`. -The following values will be automatically used as the session id: +The following values will be used when determining the session id: 1. `session_id()` output if not `false` 2. `$_COOKIE[session_name()]` if it's a string However, it is not recommended to rely solely on the automated way, because for example you may set the session name somewhere in a custom service, and it may not be available for the sanitizer to use. I'd rather suggest you configure the sanitization manually: ```php -$sanitizer->addSanitization($this->sessionHandler->getId(), '[***]'); // where $this->sessionHandler is your custom service for example +$phpInfo->addSanitization($this->sessionHandler->getId(), '[***]'); // where $this->sessionHandler is your custom service for example ``` or ```php -$sanitizer->addSanitization($_COOKIE['MYSESSID'], '[***]'); // where MYSESSID is your session name +$phpInfo->addSanitization($_COOKIE['MYSESSID'], '[***]'); // where MYSESSID is your session name ``` or something like that. 
+## Sanitizing arbitrary strings +If you have your `phpinfo()` output (or anything really) in a string, you can use the sanitizer standalone, for example: +```php +$sanitizer = new \Spaze\PhpInfo\SensitiveValueSanitizer(); +$string = $sanitizer->addSanitization('🍍', '🍌')->sanitize('🍍🍕'); +``` + You can then pass the configured sanitizer to `PhpInfo` class which will then use your configuration for sanitizing the `phpinfo()` output too: ```php $phpInfo = new \Spaze\PhpInfo\PhpInfo($sanitizer);
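Review bot: In the first hunk (the `## Sanitization` paragraph) the replacement sentence "session id will be automatically determined" drops the concrete rule that was there before (`session_id()` if the session is started, otherwise `$_COOKIE[session_name()]`) without saying where that rule is now documented, even though the commit message describes this as a move rather than a removal. A reader who only gets this far will not know what "automatically determined" means, nor that it can silently miss a custom session name, which matters because an unsanitized session id in reflected `phpinfo()` output is exactly the hijacking vector the paragraph warns about. Suggest keeping a short pointer, e.g. "(see below for how the session id is determined, and why you should still configure it manually)", so the security caveat is reachable from the section that first mentions the feature.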
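Review bot: In the second hunk, the unchanged context line "The sanitizer will try to determine the session id and sanitize it automatically" now appears before the `## Sanitizing arbitrary strings` section that introduces `$sanitizer`, so "the sanitizer" refers to something the reader has not met yet; switching the two code examples from `$sanitizer->addSanitization(...)` to `$phpInfo->addSanitization(...)` is the right consequence of the move, but the sentence itself should be reworded to name `PhpInfo` (or "the library") for consistency. Separately, the manual example `$phpInfo->addSanitization($_COOKIE['MYSESSID'], '[***]');` reads an array key that may not exist when no session cookie was sent, which raises an undefined-key warning and passes `null` into the sanitizer; suggest guarding it, e.g. `if (isset($_COOKIE['MYSESSID'])) { $phpInfo->addSanitization($_COOKIE['MYSESSID'], '[***]'); }`, since a README snippet people copy verbatim should not fail on the first request of a session.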