Re: sessions causing refreshing not to work [message #178340 is a reply to message #178330] |
Wed, 06 June 2012 12:34 |
Richard Damon
Messages: 58 Registered: August 2011
Karma:
|
Member |
|
|
On 6/5/12 8:14 AM, Peter H. Coffin wrote:
> On Tue, 05 Jun 2012 06:46:28 +0200, Thomas 'PointedEars' Lahn wrote:
>>> Set session.use_trans_sid, unset session.use_cookie, don't forget to
>>> grab the session ID out of the $_GET array for every page load. Yes,
>>> your URLs will be ugly, and it'll be not impossible for someone to end
>>> up screwing things somehow with URL bookmarking or sharing.
>>
>> More importantly, it will be a security hole to be exploited:
>>
>> < https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Manage_Sessi on_ID_as_Any_Other_User_Input>
>
> Sorry, I refuse to think of what *should be* expected behavior as a
> "security hole". People can manipulate cookie values almost as easily
> and they're no more trustworthy than a $_GET result. This doesn't even
> bear discussing separately, and doing so only ends up further
> complicating an issue that enough people have trouble learning into
> their bones in the first place.
>
The security hole is treating the SessionI D as totally safe to using in
any manner, doing things like building SQL queries by just appending the
value (without going through escaping, since real session id's don't
need to be escaped).
|
|
|