Re: sessions causing refreshing not to work [message #178330 is a reply to message #178328]
Tue, 05 June 2012 12:14
Peter H. Coffin
On Tue, 05 Jun 2012 06:46:28 +0200, Thomas 'PointedEars' Lahn wrote:
>> Set session.use_trans_sid, unset session.use_cookie, don't forget to
>> grab the session ID out of the $_GET array for every page load. Yes,
>> your URLs will be ugly, and it'll be not impossible for someone to end
>> up screwing things somehow with URL bookmarking or sharing.
>
> More importantly, it will be a security hole to be exploited:
>
> <https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Manage_Session_ID_as_Any_Other_User_Input>
Sorry, I refuse to think of what *should be* expected behavior as a
"security hole". People can manipulate cookie values almost as easily
and they're no more trustworthy than a $_GET result. This doesn't even
bear discussing separately, and doing so only ends up further
complicating an issue that enough people have trouble learning into
their bones in the first place.
--
Judging by this particular thread, many people in this group spent their
school years taking illogical, pointless orders from morons and having
their will to live systematically crushed. And people say school doesn't
prepare kids for the real world. -- Rayner, in the Monastery
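The cookieless setup discussed in this exchange (session.use_trans_sid on, cookies off, session ID arriving in $_GET) can be combined with the "treat the session ID as untrusted input" advice from the OWASP page Thomas linked. The following is an added example and is not code posted by either participant. It assumes PHP 7.1 or later with the ini settings listed in the comments, the default session name (PHPSESSID), and PHP's own ID alphabet rules for session.sid_bits_per_character; the function names are the example's own. It checks the query-string ID against the format PHP itself generates and drops it before session_start() if it does not match, so that PHP issues a fresh ID instead of handing the handler whatever the URL carried; it then regenerates the ID at login so an ID seen in a shared or bookmarked URL before authentication is worthless afterwards.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumed configuration (php.ini or
// ini_set() before session_start()):
//   session.use_cookies      = 0   ; no cookie, as in the quoted advice
//   session.use_only_cookies = 0   ; let PHP read the ID from $_GET/$_POST
//   session.use_trans_sid    = 1   ; PHP rewrites relative URLs to carry the ID
//   session.use_strict_mode  = 1   ; PHP discards well-formed IDs it never issued
// With these settings PHP reads $_GET[session_name()] itself at session_start(),
// so filtering that array entry first is enough to reject malformed values.

/**
 * True if $candidate has exactly the shape PHP generates: session.sid_length
 * characters drawn from the alphabet selected by session.sid_bits_per_character
 * (4 => [0-9a-f], 5 => [0-9a-v], 6 => [0-9a-zA-Z,-]). Anything else is treated
 * as garbage, the same way any other request parameter would be.
 */
function session_id_is_well_formed(string $candidate, int $length, int $bitsPerChar): bool
{
    $alphabets = [4 => '0-9a-f', 5 => '0-9a-v', 6 => '0-9a-zA-Z,\-'];
    if (!isset($alphabets[$bitsPerChar]) || $length < 22 || $length > 256) {
        return false; // outside the ranges PHP itself accepts for these settings
    }
    $pattern = '/\A[' . $alphabets[$bitsPerChar] . ']{' . $length . '}\z/';
    return preg_match($pattern, $candidate) === 1;
}

/**
 * Remove a malformed session ID from the request before PHP looks at it.
 * Must run before session_start(). Leaves a well-formed ID in place; with
 * use_strict_mode=1 PHP then still refuses to adopt an ID it did not issue.
 */
function drop_malformed_url_session_id(): void
{
    $name = session_name();
    if (!array_key_exists($name, $_GET)) {
        return; // no ID in the URL: PHP will create a new session
    }
    $length = (int) ini_get('session.sid_length');
    $bits   = (int) ini_get('session.sid_bits_per_character');
    $value  = $_GET[$name];

    // ?PHPSESSID[]=x arrives as an array; an empty string is equally useless.
    if (!is_string($value) || !session_id_is_well_formed($value, $length, $bits)) {
        unset($_GET[$name], $_REQUEST[$name]);
    }
}

/**
 * Call at every privilege change. Regenerating the ID means a value captured
 * from a bookmarked, shared, or logged URL before login no longer names the
 * authenticated session; the old ID's data is deleted (argument true).
 */
function on_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

drop_malformed_url_session_id();
session_start();
```

The format check is deliberately derived from ini_get() rather than hard-coded, because the ID alphabet and length change with the two sid_* settings; if your deployment overrides them, the check follows. The check does not make URL-carried IDs safe on its own: the ID still appears in browser history, proxy logs, and Referer headers sent to third-party sites, which is the exposure the OWASP cheat sheet is warning about, and strict mode plus regeneration at login are what limit the damage when one leaks.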