setting the session.cookie_path in PHP (redirection loop)

This is a quick note about a bug in some PHP code I was working on the other day. It took me a while to figure it out. I was developing and initially testing in google chrome, which is evidently forgiving of this kind of error. Maybe writing this will help someone (and maybe it'll help me not to make the same mistake again).

This was for an application which requires authentication. The controller sends the browser a redirect (to the login URL) if the user is not authenticated. I had set the cookie path with something like the following:

$baseUrl = 'https://www.example.com/gakkk/';

// several lines later...

ini_set('session.cookie_path', $baseUrl);

This worked OK in chrome, but Firefox and MSIE both got locked up in redirection loops. After scratching my head for a while, I finally figured out that I should be doing this:

ini_set('session.cookie_path', '/gakkk/');

The cookie_path (it has that name for a reason) should exclude the protocol, hostname, and port. Information security auditors like to complain about web applications that don't set the cookie path.

Testing an SSL-enabled service for cipher strength

Vulnerability scans sometimes find that an SSL-enabled service allows clients to connect using ciphers which have key lengths shorter than 128 bits. Most services have configuration directives to disable these connections. Here's how to test a service for key length (without doing a new nessus scan, or whatever).

openssl ciphers -v

This gives a list of ciphers that the openssl client can use, and the output indicates the key length. openssl's s_client command can take an argument which specifies the cipher(s) to use. So after reconfiguring the server, run the following two commands (the first should fail, and the second should succeed):

openssl s_client -ign_eof -connect target:port -cipher RC4-MD5

openssl s_client -ign_eof -connect target:port -cipher DHE-RSA-AES256-SHA

(You should replace target:port with something like www.example.com:443)

Safari Issues

I learned a couple of things about Safari yesterday. When using the @import syntax for CSS, make sure you remember the semi-colon after the URL (outside the quotes):

<style type="text/css" media="screen">@import "styles.css";</style>

Firefox and Internet Explorer are forgiving about a missing semi-colon, but Safari won't load the stylesheet without it.

And by default Safari has only limited support for tabbing through Web pages (something that's probably pretty important to keyboard users). The default setting will allow you to tab from form field to form field, but you can't focus on links by tabbing. You can enable this behavior (which is behavior I've come to expect from using Firefox and Internet Explorer) by going to the Advanced tab of the Preferences menu and clicking the checkbox that says something like "Press Tab to highlight..."