Re: sessions causing refreshing not to work [message #178331 is a reply to message #178330]
Tue, 05 June 2012 18:52
Thomas 'PointedEars'
Peter H. Coffin wrote:
> On Tue, 05 Jun 2012 06:46:28 +0200, Thomas 'PointedEars' Lahn wrote:
>>> Set session.use_trans_sid, unset session.use_cookie, don't forget to
>>> grab the session ID out of the $_GET array for every page load. Yes,
>>> your URLs will be ugly, and it'll be not impossible for someone to end
>>> up screwing things somehow with URL bookmarking or sharing.
>>
>> More importantly, it will be a security hole to be exploited:
>>
>> <https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Manage_Session_ID_as_Any_Other_User_Input>
>
> Sorry, I refuse to think of what *should be* expected behavior
It is by no means expected behavior.
> as a "security hole". People can manipulate cookie values almost as easily
Because of that, HTTP-only cookies have been invented.
> and they're no more trustworthy than a $_GET result.
Correct, but by contrast they are not stored unencrypted in the user's
history, cannot be accidentally transmitted, and so on.
> This doesn't even bear discussing separately, and doing so only ends up
> further complicating an issue that enough people have trouble learning
> into their bones in the first place.
You are wrong.
PointedEars
--
Use any version of Microsoft Frontpage to create your site.
(This won't prevent people from viewing your source, but no one
will want to steal it.)
-- from <http://www.vortex-webdesign.com/help/hidesource.htm> (404-comp.)
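As an added example, not code from the thread or its authors: the URL-carried session setup that the quoted advice describes, beside the cookie-only, HttpOnly configuration the reply argues for. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the configure_* and on_login names are hypothetical.

```php
<?php
// Weak setup from the quoted advice: the session ID travels in the URL, so it
// ends up in browser history, bookmarks, referers and shared links.
function configure_url_sessions(): void
{
    ini_set('session.use_trans_sid', '1');    // PHP rewrites links to carry PHPSESSID
    ini_set('session.use_cookies', '0');      // no cookie at all
    ini_set('session.use_only_cookies', '0'); // accept the ID from the query string
}

// Hardened setup: the ID lives only in an HttpOnly, Secure cookie.
function configure_cookie_sessions(): void
{
    ini_set('session.use_trans_sid', '0');    // never put the ID in URLs
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... entirely
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by client-side script
        'samesite' => 'Strict',
    ]);
}

configure_cookie_sessions();

// With use_only_cookies set PHP already ignores a query-string ID; logging the
// attempt still helps detection of leaked or replayed session IDs.
if (isset($_GET[session_name()])) {
    error_log('session ID offered in query string from ' . $_SERVER['REMOTE_ADDR']);
}

session_start();

// Rotate the ID whenever privilege changes (e.g. after login) so an ID that
// leaked before authentication is worthless afterwards.
function on_login(int $userId): void
{
    session_regenerate_id(true); // true: delete the old session file as well
    $_SESSION['user_id'] = $userId;
}
```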