Security Basics mailing list archives
PHP Sessions
From: xbennx () hotmail co uk
Date: 21 Sep 2006 16:11:03 -0000
I've posted on this topic before but I still have some unanswered questions... I keep hearing a lot about PHP session IDs and that an attacker can easily recreate a valid session ID and log in as another user. Of course this is dependent on the way the system works and what's used to generate the session ID. This I understand.

What I fail to understand is why people use session IDs and pass them via the query string at all? On a site that I maintain, I store the session ID in a session variable and then check that rather than a session ID passed through the query string. This way the user cannot modify the session ID and therefore only valid sessions are accepted.

Am I missing something here? Is there a way for a malicious user to edit session variables?

Any comments will be appreciated.

Thanks,
Benn
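The mechanism the post asks about, as an added example (editor's code, not Benn's and not from anyone on the list): PHP keeps $_SESSION on the server and decides which record to load from the ID the client presents, either in the PHPSESSID cookie or, when session.use_only_cookies is off, in the query string (that is what SID and session.use_trans_sid put there). The script below simulates a handful of requests per scenario in one CLI process and shows what the stored-ID comparison evaluates to when a second client presents the same ID, what session_regenerate_id() on login changes, and what session.use_strict_mode does with an ID the server never issued. The helper names (request(), login(), protectedPage(), cleanup(), fixationScenario()) and the planted IDs are made up for the example; it assumes the default "files" save handler, a writable temp directory, and PHP 7.4 or newer.

```php
<?php
// Added example (editor's code, not from the original post or the list):
// simulate several HTTP requests against PHP's built-in session handling in
// one CLI process. Assumes the default "files" save handler, a writable temp
// directory, and PHP >= 7.4 (arrow functions). Run: php sessions_demo.php
declare(strict_types=1);

ini_set('session.save_path', sys_get_temp_dir());
// Take the session ID from the cookie only: ?PHPSESSID=... in the query string
// is ignored and links are not rewritten to carry it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '0');   // PHP default; switched on later

// One simulated request. $presentedId is what the client sent (its cookie, or
// the query string when use_only_cookies is off); $handler is the page code.
function request(string $presentedId, callable $handler): array
{
    session_id($presentedId);
    session_start();                       // loads $_SESSION for that ID
    $out = $handler();
    $out['id_after'] = session_id();
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    return $out;
}

// Login page: store the ID in a session variable so a later page can compare
// it. With $regenerate the ID the client arrived with is replaced first.
function login(string $user, bool $regenerate): array
{
    if ($regenerate) {
        session_regenerate_id(true);       // fresh ID; old session file deleted
    }
    $_SESSION['user'] = $user;
    $_SESSION['sid']  = session_id();
    return [];
}

// Protected page: the stored-ID comparison plus whoever the session says is logged in.
function protectedPage(): array
{
    return [
        'sid_matches' => isset($_SESSION['sid']) && $_SESSION['sid'] === session_id(),
        'user'        => $_SESSION['user'] ?? null,
    ];
}

// Remove the session file so the demo leaves nothing behind.
function cleanup(): array
{
    $issued = session_id();
    session_destroy();
    return ['issued' => $issued];
}

// The attacker chose $planted and got the victim to present it (a link with
// ?PHPSESSID= where the query string is honoured, or a cookie they can set).
function fixationScenario(string $planted, bool $regenerate): array
{
    $victim = request($planted, fn() => login('victim', $regenerate));
    $seen   = request($planted, 'protectedPage');      // attacker presents $planted
    foreach (array_unique([$planted, $victim['id_after']]) as $id) {
        request($id, 'cleanup');
    }
    return $seen;
}

// Constructed IDs (valid characters are a-z A-Z 0-9 , and -).
$weak = fixationScenario('plantedweak0000000000000000000aa', false);
$safe = fixationScenario('plantedsafe0000000000000000000aa', true);

// With strict mode the server refuses to adopt an ID it never issued.
ini_set('session.use_strict_mode', '1');
$strict = request('plantedstrict00000000000000000aa', 'cleanup');

printf("no regenerate : attacker sees user=%s, stored-ID check=%s\n",
    var_export($weak['user'], true), var_export($weak['sid_matches'], true));
printf("regenerate    : attacker sees user=%s, stored-ID check=%s\n",
    var_export($safe['user'], true), var_export($safe['sid_matches'], true));
printf("strict mode   : planted ID adopted? %s\n",
    var_export($strict['issued'] === 'plantedstrict00000000000000000aa', true));
```

The first scenario prints user='victim' with the stored-ID check true: the comparison holds for any client presenting that ID, because $_SESSION['sid'] was itself loaded by that ID. The second prints user=NULL and false, since the victim's data now lives under an ID the attacker never saw. The third prints false, because strict mode issues a fresh ID instead of adopting the planted one.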
Current thread:
- PHP Sessions xbennx (Sep 21)
- Re: PHP Sessions Peter Butler (Sep 22)
- <Possible follow-ups>
- RE: PHP Sessions Hagen, Eric (Sep 22)