FUDforum: comp.lang.php » session cookie: client side

Home » Imported messages » comp.lang.php » session cookie: client side

Show: Today's Messages :: Polls :: Message Navigator

Re: session cookie: client side [message #175897 is a reply to message #175892]

Fri, 04 November 2011 11:55

Jerry Stuckle
Messages: 2598
Registered: September 2010

Karma:

Senior Member

On 11/4/2011 2:14 AM, sl@exabyte wrote:
>> I don't know I understood your question totally but...
>>
>> If the user can read the session cookie then any others can read the
>> session cookie. The browser can't recognize who sits in front of the
>> monitor.
>>
>> Another way: If user can read session cookie + it's not an SSL
>> channel -> any others can sniff it (local machine or another machine
>> on the route/wifi)
>>
>> Mechanism: on server side the system generates a Session ID (SID).
>> The SID identifies the session datas ($_SESSION in PHP). The Server
>> store session data in a file or database. on client side the client
>> knows only the SID but the client doesn't know session data, only ID.
>> Client sends its SID, the server find data.
>>
>> So... for example: If you test IP of the client and SID your can
>> secure the session from outside of the box but you can't do it with
>> inside of the box.
>>
>> Use SSL + check IP + never-never-ever store important information in
>> cookies.
>
> I am a bit confused now.
>
> For example, using the Opera browser, a user can check a cookie value. I
> understand that this value is used to identify a user, ie I can read it. But
> other people, on LAN or internet, cannot read it because when I send data,
> the data is enrcypted via https.
>
> I suppose the cookie value is the Session ID.
>

The cookie does not identify the user - it is just the session id. What
the server does with it is something else.

In general, the session id does identify the computer from which the
cookie is being sent because the session id is a rather long
pseudo-random alphanumeric value. Yes it's possible for someone else to
intercept and read the session id, but in general it's unlikely.

The real question is - what is the problem you are trying to resolve?
If the data are that sensitive, you should be using a secure protocol
for everything. If the data aren't sensitive enough to require a secure
protocol, why do you think the cookie is?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Report message to a moderator

[Message index]

		session cookie: client side By: sl@exabyte on Thu, 03 November 2011 09:10
		Re: session cookie: client side By: Balazs Nadasdi on Thu, 03 November 2011 12:23
		Re: session cookie: client side By: sl@exabyte on Fri, 04 November 2011 06:14
		Re: session cookie: client side By: Jerry Stuckle on Fri, 04 November 2011 11:55
		Re: session cookie: client side By: sl@exabyte on Fri, 04 November 2011 14:21
		Re: session cookie: client side By: Jerry Stuckle on Fri, 04 November 2011 18:40
		Re: session cookie: client side By: Denis McMahon on Fri, 04 November 2011 15:53
		Re: session cookie: client side By: Jerry Stuckle on Fri, 04 November 2011 18:41
		Re: session cookie: client side By: Denis McMahon on Fri, 04 November 2011 15:52

Previous Topic:	sqlite and php
Next Topic:	simple session question

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Oct 05 13:23:00 GMT 2024

Total time taken to generate the page: 0.05811 seconds