Date: 03/30/00
- Next message: Gary Bickford: "[PHPLIB] Authentication has gone south. What happened?"
- Previous message: Vladimir Novakovic: "[PHPLIB] Question about basic PHPlib logic."
- Next in thread: lennart benoot: "Re: [PHPLIB] Session Hijacking"
- Reply: lennart benoot: "Re: [PHPLIB] Session Hijacking"
- Reply: Kristian Koehntopp: "Re: [PHPLIB] Session Hijacking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I have a client who is querying the security of sessions. If the
session id is passed around (GET) then it would be possible to grab it
in the same way that clear text passwords can be grabbed as they float
around. If someone was to get the session ID in this way then they
could keep the session alive after the real user has finished.
I presume that if the real user specifically logs out then the session
ID becomes invalid. But if they don't log out then that could be a
problem.
Is there any validity to any of this and if so how could it be stopped?
One way I thought of would be to record the IP address of the real user
in the session somehow. Anyone else using the session ID from a
different IP address would be denied access. Does PHPLIB already do
that?
-- Kind regards, Stephen Neander, Director - Internet Development
- PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>. To unsubscribe, send "unsubscribe" to <phplib-request <email protected>> in the body, not the subject, of your message.
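As an added example, not part of the original post and not PHPLIB's own code, the following Python snippet is a small in-memory session store that implements the two protections the post asks about: a session is bound to the client address it was created from and refused from any other address, it is destroyed on explicit logout, and it expires after a period of inactivity so that a session the user never logged out of does not stay alive indefinitely. The store layout, the timeout value and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time

# Seconds of inactivity after which a session is treated as dead (assumed value).
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """Constructed in-memory session store; a real deployment would keep the
    same fields in a database table or shared cache."""

    def __init__(self, now=time.time):
        self._now = now          # clock function, injectable for testing
        self._sessions = {}      # session id -> {"user", "ip", "last_seen"}

    def create(self, user, client_ip):
        """Start a session for user, recording the address it was opened from."""
        sid = secrets.token_hex(16)  # 128 bits of randomness: guessing is not viable
        self._sessions[sid] = {
            "user": user,
            "ip": client_ip,
            "last_seen": self._now(),
        }
        return sid

    def lookup(self, sid, client_ip):
        """Return the user owning sid, or None if the session is unknown, has
        been idle longer than IDLE_TIMEOUT, or is presented from an address
        other than the one it was created from."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._now()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            # The owner walked away without logging out: expire the session
            # so a captured id stops working after the idle window.
            del self._sessions[sid]
            return None
        if sess["ip"] != client_ip:
            # Same id, different address: deny. The session is left intact for
            # its owner; a production system would also log this event.
            return None
        sess["last_seen"] = now  # activity from the owner extends the session
        return sess["user"]

    def logout(self, sid):
        """Explicit logout invalidates the id immediately."""
        self._sessions.pop(sid, None)


class FakeClock:
    """Controllable clock so the idle timeout can be exercised without waiting."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


def demo():
    """Walk through the scenarios from the post; returns the observed results."""
    clock = FakeClock()
    store = SessionStore(now=clock)
    sid = store.create("alice", "10.0.0.5")       # constructed addresses
    results = {
        "owner": store.lookup(sid, "10.0.0.5"),
        "other_address": store.lookup(sid, "192.0.2.77"),
        "owner_again": store.lookup(sid, "10.0.0.5"),
    }
    clock.t += IDLE_TIMEOUT + 1
    results["after_idle"] = store.lookup(sid, "10.0.0.5")
    sid2 = store.create("bob", "10.0.0.6")
    store.logout(sid2)
    results["after_logout"] = store.lookup(sid2, "10.0.0.6")
    return results


if __name__ == "__main__":
    print(demo())
```

The address check is only as strong as the address the server sees: users behind a NAT or a rotating proxy pool will be denied, and several users behind one shared proxy will pass the check against each other, so it is a defence in depth rather than a complete fix. Carrying the id in a cookie rather than in the query string keeps it out of server logs, browser history and Referer headers, and the idle timeout is what limits the exposure for the user who never logs out.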