WebApp Sec mailing list archives

PHP Session ID's


From: focus () karsites net
Date: Tue, 19 Jul 2005 08:29:20 +0100 (BST)


You can pass the PHP session ID as a <input type="hidden" 
name="xyz"> html form variable if using a form. You can 
even create a blank form just for this purpose.

EG.

<?php
function simple_SEARCH_button($text)
{
    global $session_id;
    // Both values land inside HTML attributes, so escape them:
    // an unescaped $text or session id could break out of the attribute.
    ?>
    <FORM ACTION="./search.hml" METHOD="POST">

    <P ALIGN=CENTER>
    <INPUT TYPE="SUBMIT" VALUE="<?php echo htmlspecialchars($text, ENT_QUOTES); ?>"> </P>

    <!-- pass the following hidden variables with the form -->

    <INPUT TYPE="HIDDEN" NAME="session_id"
           VALUE="<?php echo htmlspecialchars($session_id, ENT_QUOTES); ?>">

    </FORM>

    <?php
} // end of simple_SEARCH_button($text)
?>

!! In short, you are better off putting the session id in a cookie than
!! putting it in the URL.  You are right that referrer headers are one
!! way that a URL session id can leak.  It may also be logged in proxies
!! or firewalls.

my 2c

Keith Roberts

http://www.karsites.net
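An added example (not from the post above or from karsites.net) showing the cookie-only setup the quoted reply recommends, with the hidden-field variant kept only as a validated fallback; it assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Constructed example: cookie-only PHP sessions with hardened cookie flags,
// plus a validated hidden-field fallback for the form approach in the post.

function secure_session_start(): void
{
    // Never accept or emit the session id in a URL: this closes the
    // referer-header and proxy/firewall-log leak the thread discusses.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued

    // Array form of session_set_cookie_params() (assumption: PHP >= 7.3).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // sent only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// If the session id must travel in a hidden form field, validate it before
// handing it to session_id(): accept only the character set and length PHP
// itself generates, never arbitrary client input.
function session_id_from_form(array $post): ?string
{
    $id = $post['session_id'] ?? '';
    // session.sid_bits_per_character=6 uses [0-9a-zA-Z,-]; ids are 22-256 chars.
    if (!is_string($id) || preg_match('/^[0-9A-Za-z,-]{22,256}$/', $id) !== 1) {
        return null;
    }
    return $id;
}

// Usage for the hidden-field fallback: apply the validated id, then start.
// With use_strict_mode on, an id the server did not issue is discarded
// and a fresh one is generated instead.
$id = session_id_from_form($_POST);
if ($id !== null) {
    session_id($id);
}
secure_session_start();
```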

