
[SECURITY] Session::__construct() allows use of the current time as a session key

inc/Session.php uses this SQL, to try and limit session use to those in possession of the session key:

    $sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";

However, there is a fatal flaw in the logic: it allows anyone who can guess the microsecond time (and the incrementing session_id) to impersonate the session.

The `md5(session.session_start::text) = ? OR` clause should be removed.
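To make the flaw and the fix concrete, here is an added example (not code from the project, and not the reporter's) that models the quoted query against a constructed in-memory SQLite table. Postgres' `md5(session_start::text)` is emulated by registering an `md5()` function in SQLite, and the column names follow the query above; the timestamp, session_id and key values are constructed. It runs the vulnerable predicate and the corrected one side by side: the vulnerable query accepts a request that supplies only the hash of the guessed start time with a wrong key, while the query with the `OR` branch removed accepts only the real key.

```python
import hashlib
import secrets
import sqlite3

# The predicate from inc/Session.php as quoted in the report (SQLite emulation,
# so the "::text" cast is dropped; session_start is stored as text here).
VULNERABLE_SQL = (
    "SELECT session_id FROM session WHERE session.session_id = ? "
    "AND (md5(session.session_start) = ? OR session.session_key = ?) "
    "ORDER BY session.session_start DESC LIMIT 2"
)

# The same lookup with the md5(session_start) branch removed, as the report recommends.
FIXED_SQL = (
    "SELECT session_id FROM session WHERE session.session_id = ? "
    "AND session.session_key = ? "
    "ORDER BY session.session_start DESC LIMIT 2"
)


def make_db(session_id: int, session_start: str, session_key: str) -> sqlite3.Connection:
    """Constructed stand-in for the project's Postgres session table."""
    conn = sqlite3.connect(":memory:")
    # Emulate Postgres md5(text) so the quoted predicate can be executed as written.
    conn.create_function("md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute(
        "CREATE TABLE session (session_id INTEGER, session_start TEXT, session_key TEXT)"
    )
    conn.execute("INSERT INTO session VALUES (?, ?, ?)", (session_id, session_start, session_key))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, session_id: int, start_hash: str, key: str) -> bool:
    """True if the vulnerable predicate admits this (id, md5-of-start, key) triple."""
    return conn.execute(VULNERABLE_SQL, (session_id, start_hash, key)).fetchone() is not None


def lookup_fixed(conn: sqlite3.Connection, session_id: int, key: str) -> bool:
    """True only if the caller presents the stored session key."""
    return conn.execute(FIXED_SQL, (session_id, key)).fetchone() is not None


def demo() -> dict:
    # Constructed values: a microsecond-precision start time, a sequential id,
    # and a high-entropy session key of the kind the check should rely on.
    session_start = "2024-01-01 12:00:00.123456"
    real_key = secrets.token_hex(32)
    conn = make_db(1, session_start, real_key)

    # A caller who knows (or enumerates) the start time can compute this without the key.
    hash_of_start = hashlib.md5(session_start.encode()).hexdigest()

    return {
        "vulnerable_accepts_time_only": lookup_vulnerable(conn, 1, hash_of_start, "wrong-key"),
        "vulnerable_accepts_real_key": lookup_vulnerable(conn, 1, "0" * 32, real_key),
        "fixed_rejects_time_only": not lookup_fixed(conn, 1, "wrong-key"),
        "fixed_accepts_real_key": lookup_fixed(conn, 1, real_key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the two queries make is that `session_start` is a low-entropy value (a timestamp next to a sequential id), so hashing it adds nothing: anything derived from it is guessable, whereas a randomly generated `session_key` is the only factor that actually proves possession of the session.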