FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » sessions causing refreshing not to work
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: sessions causing refreshing not to work [message #178332 is a reply to message #178331] Tue, 05 June 2012 20:05 Go to previous messageGo to previous message
Peter H. Coffin is currently offline  Peter H. Coffin
Messages: 245
Registered: September 2010
Karma:
Senior Member
On Tue, 05 Jun 2012 20:52:23 +0200, Thomas 'PointedEars' Lahn wrote:
> Peter H. Coffin wrote:
>
>> On Tue, 05 Jun 2012 06:46:28 +0200, Thomas 'PointedEars' Lahn wrote:
>>>> Set session.use_trans_sid, unset session.use_cookie, don't forget to
>>>> grab the session ID out of the $_GET array for every page load. Yes,
>>>> your URLs will be ugly, and it'll be not impossible for someone to end
>>>> up screwing things somehow with URL bookmarking or sharing.
>>>
>>> More importantly, it will be a security hole to be exploited:
>>>
>>> < https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Manage_Sessi on_ID_as_Any_Other_User_Input>
>>
>> Sorry, I refuse to think of what *should be* expected behavior
>
> It is by no means expected behavior.

Sure it is. "DO NOT TRUST THE CLIENT". Clean incoming stuff, provide for
backing out everything that the client does, etc. The same stuff we
always end up talking about as "security holes" are not discrete little
things but part of an overriding principle. Learning only the little
things and not the principle is WHY stuff becomes exploitable.

>> as a "security hole". People can manipulate cookie values almost as easily
>
> Because of that, HTTP-only cookies have been invented.

DO NOT TRUST THE CLIENT. That only *helps* mitigate third-party attacks.
It something between bupkis and squat against someone that's trying to
hijack a session and has access to anything more than a javascript jail.

>> and they're no more trustworthy than a $_GET result.
>
> Correct, but by contrast they are not stored unencrypted in the user's
> history, cannot be accidentally transmitted, and so on.

If the site's properly policing client input, all of those things are
dealt with, from the site's perspective. From the user's perspective,
the same hazards exist with cookies, http-only or otherwise, or are
"secured" by only by preventing exactly the kind of behavior that the
OP is hoping to enable: separating the session from the one-to-one
relationship with the browser/OS-user combination to something else.

>> This doesn't even bear discussing separately, and doing so only ends up
>> further complicating an issue that enough people have trouble learning
>> into their bones in the first place.
>
> You are wrong.

Heh. Succinct, but about as useful as "You are a doody-head".

--
29. I will dress in bright and cheery colors, and so throw my enemies
into confusion.
--Peter Anspach's list of things to do as an Evil Overlord
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: passing documents through pages
Next Topic: PHP Sessions and XML
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 30 01:45:34 GMT 2024

Total time taken to generate the page: 0.04151 seconds