RE: PHP Sessions
- From: "Hagen, Eric" <hagene@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 21 Sep 2006 14:08:14 -0600
PHP's default handling of sessions is to store the session ID in a
cookie. You, as the PHP programmer, have absolutely nothing to do with
the session ID other than calling session_start().
If PHP is unable to set a cookie (or if you direct it to do this), then
it will use the GET variables on the URI in order to transmit the
session ID.
Regardless, the session ID is stored locally on the computer and then
transmitted to the server when the user connects to the site.
When you said " I store the session ID in a session variable", this is
somewhat nonsensical because in order to use a "session variable", a
session ID is stored on the client machine automatically, as per PHP's
configured behavior. If the user's browser is refusing cookies and you
have PHP configured (as it is per defaults) to fall back on the URI
encoded session IDs, then you, too, are sending session IDs on the URI
without even realizing it!
Eric
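The fallback Eric describes is controlled by PHP's session.use_trans_sid and session.use_only_cookies directives. The following is an added example (not code from either poster) that turns the URI fallback off and regenerates the ID at login; the credential check and the user name are constructed stand-ins, and session.use_strict_mode and session.cookie_samesite only exist in later PHP releases than the 2006 versions under discussion.

```php
<?php
// Added example: refuse to carry the session ID on the URI at all.
// With use_only_cookies on, a user whose browser rejects cookies simply
// has no session, instead of silently getting ?PHPSESSID=... links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.cookie_httponly', '1');   // keep the ID out of script access
ini_set('session.cookie_secure', '1');     // send the cookie over HTTPS only
ini_set('session.cookie_samesite', 'Strict');

session_start();

// Constructed credential store: one user, hash computed at load time.
$users = ['benn' => password_hash('example-password', PASSWORD_DEFAULT)];

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Replace the pre-login ID so an ID chosen before authentication
    // (for example one planted in a link) never becomes the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

if (login($users, 'benn', 'example-password')) {
    echo 'logged in as ' . currentUser() . "\n";
}
```

The session ID itself still never needs to be read or stored by application code; only the server-side $_SESSION data is consulted.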
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of xbennx@xxxxxxxxxxxxx
Sent: Thursday, September 21, 2006 10:11 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: PHP Sessions
I've posted on this topic before but I still have some unanswered
questions...
I keep hearing a lot about PHP session IDs and that an attacker can
easily recreate a valid session ID and log in as another user. Of course
this is dependent on the way the system works and what's used to generate
the session ID. This I understand.
What I fail to understand is why people use session IDs and pass them
via the query string at all? On a site that I maintain, I store the
session ID in a session variable and then check that rather than a
session ID passed through the query string. This way the user cannot
modify the session ID and therefore only valid sessions are accepted.
Am I missing something here? Is there a way for a malicious user to edit
session variables?
Any comments will be appreciated.
Thanks,
Benn
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------