
comp.lang.php » sessions causing refreshing not to work
Re: sessions causing refreshing not to work [message #178340 is a reply to message #178330] Wed, 06 June 2012 12:34
Richard Damon (Member, registered August 2011, 58 messages)
On 6/5/12 8:14 AM, Peter H. Coffin wrote:
> On Tue, 05 Jun 2012 06:46:28 +0200, Thomas 'PointedEars' Lahn wrote:
>>> Set session.use_trans_sid, unset session.use_cookie, don't forget to
>>> grab the session ID out of the $_GET array for every page load. Yes,
>>> your URLs will be ugly, and it'll be not impossible for someone to end
>>> up screwing things somehow with URL bookmarking or sharing.
>>
>> More importantly, it will be a security hole to be exploited:
>>
>> <https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Manage_Session_ID_as_Any_Other_User_Input>
>
> Sorry, I refuse to think of what *should be* expected behavior as a
> "security hole". People can manipulate cookie values almost as easily
> and they're no more trustworthy than a $_GET result. This doesn't even
> bear discussing separately, and doing so only ends up further
> complicating an issue that enough people have trouble learning into
> their bones in the first place.
>

The security hole is treating the Session ID as totally safe to use in
any manner, doing things like building SQL queries by just appending the
value (without going through escaping, since real session IDs don't
need to be escaped).
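The pattern Richard describes, shown side by side with a hardened version, as an added example that is not part of the thread. It assumes a session store table named `sessions` with columns `sid` and `user` (constructed here in an in-memory SQLite database so the script runs stand-alone), and it accepts the session ID only if it matches the shape PHP itself generates: the alphabet chosen by `session.sid_bits_per_character` (0-9, a-z, A-Z, "-" and ",") and a length within the `session.sid_length` range of 22 to 256.

```php
<?php
// Added example: a session ID pulled from $_GET (as with session.use_trans_sid)
// is user input and must be validated and parameterised like any other input.
declare(strict_types=1);

// Accept only strings that could actually have been produced by PHP's session
// ID generator; anything else is not a real session and must not reach SQL.
function isWellFormedSessionId(string $candidate): bool
{
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $candidate) === 1;
}

// The pattern criticised above: the raw ID is appended straight into the query.
function lookupUnsafe(PDO $db, string $sid): ?string
{
    $sql = "SELECT user FROM sessions WHERE sid = '" . $sid . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['user'];
}

// Hardened: reject malformed IDs up front and bind the value as a parameter,
// so the ID can never change the structure of the statement.
function lookupSafe(PDO $db, string $sid): ?string
{
    if (!isWellFormedSessionId($sid)) {
        return null; // treat as "no session", never as something to trust
    }
    $stmt = $db->prepare('SELECT user FROM sessions WHERE sid = :sid');
    $stmt->execute([':sid' => $sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['user'];
}

// Constructed session store for the demonstration (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, user TEXT NOT NULL)');
$db->exec("INSERT INTO sessions VALUES ('abcdefghij0123456789kl', 'alice')");

// Constructed inputs: a well-formed 22-character ID and a value that no
// genuine session ID could contain (a quote character and SQL keywords).
$legit    = 'abcdefghij0123456789kl';
$tampered = "x' OR '1'='1";

foreach ([$legit, $tampered] as $sid) {
    printf("unsafe(%s) => %s\n", var_export($sid, true), var_export(lookupUnsafe($db, $sid), true));
    printf("safe(%s)   => %s\n", var_export($sid, true), var_export(lookupSafe($db, $sid), true));
}
```

Run with `php` on the command line. The unsafe lookup resolves the tampered value to a user because the appended text rewrites the `WHERE` clause; the safe lookup returns `null` for it, since the format check fails before any query is built, and the prepared statement would keep the value inert even if the check were skipped. Both controls are cheap, and the format check also gives a clean place to log rejected IDs for detection.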