Re: session cookie: client side [message #175897 is a reply to message #175892] Fri, 04 November 2011 11:55 Go to previous messageGo to previous message
Jerry Stuckle
On 11/4/2011 2:14 AM, sl@exabyte wrote:
>> I don't know I understood your question totally but...
>>
>> If the user can read the session cookie then any others can read the
>> session cookie. The browser can't recognize who sits in front of the
>> monitor.
>>
>> Another way: If user can read session cookie + it's not an SSL
>> channel -> any others can sniff it (local machine or another machine
>> on the route/wifi)
>>
>> Mechanism: on the server side the system generates a Session ID (SID).
>> The SID identifies the session data ($_SESSION in PHP). The server
>> stores session data in a file or database. On the client side the client
>> knows only the SID but the client doesn't know the session data, only the ID.
>> The client sends its SID, the server finds the data.
>>
>> So... for example: If you test the IP of the client and the SID you can
>> secure the session from outside of the box but you can't do it from
>> inside of the box.
>>
>> Use SSL + check IP + never-never-ever store important information in
>> cookies.
>
> I am a bit confused now.
>
> For example, using the Opera browser, a user can check a cookie value. I
> understand that this value is used to identify a user, i.e. I can read it. But
> other people, on LAN or internet, cannot read it because when I send data,
> the data is encrypted via https.
>
> I suppose the cookie value is the Session ID.
>

The cookie does not identify the user - it is just the session id. What
the server does with it is something else.

In general, the session id does identify the computer from which the
cookie is being sent because the session id is a rather long
pseudo-random alphanumeric value. Yes, it's possible for someone else to
intercept and read the session id, but in general it's unlikely.

The real question is - what is the problem you are trying to resolve?
If the data are that sensitive, you should be using a secure protocol
for everything. If the data aren't sensitive enough to require a secure
protocol, why do you think the cookie is?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
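The thread's advice (use SSL, check the client's IP, keep only the SID on the client) as an added PHP example; this is not code from either poster, and it assumes PHP 7.3+ for the array form of session_set_cookie_params and the samesite option. The IP/User-Agent fingerprint check is a coarse binding, as the quoted reply notes it only helps against attackers outside the client's own box.

```php
<?php
// Added example: hardening the PHP session cookie along the lines
// discussed in this thread. Assumes PHP 7.3+ (samesite cookie option).
declare(strict_types=1);

function start_hardened_session(): void
{
    // Send the SID cookie only over HTTPS, keep it away from JavaScript,
    // and do not attach it to cross-site requests. The cookie carries
    // nothing but the SID; all real data stays in $_SESSION on the server.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Accept only server-generated SIDs and only from the cookie, never
    // from the URL, so a SID chosen by the client is rejected.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();

    // Bind the session to the client as the reply suggests (IP check).
    // Caveat: clients behind NAT, proxies or mobile networks change IP,
    // so a mismatch ends the session rather than raising an alarm.
    $fingerprint = hash(
        'sha256',
        ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? '')
    );
    if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $fingerprint)) {
        // Possible stolen SID: drop the data and issue a fresh SID,
        // deleting the old session record on the server.
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['fp'] = $fingerprint;
}

// Call after a successful login so a SID handed out before
// authentication cannot be reused (session fixation).
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId; // server side only; client sees just the SID
}
```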