Warn about multiple PHPSESSID being sent by the browser #9412
+34
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
That improves UX in opnsense#9411 cases: warning is better than silence.
darkk
commented
Nov 17, 2025
| // Two+ session_id() cookies confuse _SESSION management. They should go before we continue. | ||
| // It's hard to reset them from the server-side as we don't know the right scope with confidence. | ||
| if (($c = session_id_cookies_count()) >= 2) { | ||
| auth_log(sprintf("%d %s cookies from %s, no way to proceeed", $c, session_name(), $_SERVER['REMOTE_ADDR']), LOG_NOTICE); |
Contributor
Author
There was a problem hiding this comment.
One one hand, it opens a way to flood logs of the OPNsense box with curl. So, maybe, these log lines should be added to /usr/local/opnsense/scripts/syslog/lockout_handler.
On another hand, lockout_handler does nothing about log lines like sshd-session 79000 - [meta sequenceId="135327"] Connection closed by 10.91.66.130 port 34902, so it seems to be focused on nothing but authentication attempts. There is already a way to flood audit log with TCP connection attempts to OpenSSH daemon anyway. 🙂
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
That improves UX in #9411 cases: warning is better than silence.