Date: 01/28/01
- Next message: Shawn Baker: "[phplib] PHP4 session problems"
- Previous message: Jens Benecke: "[phplib] PHPLIB Tree class question"
- In reply to: Jeroen Laarhoven: "Re: [phplib] Security Risk: Session ID in server logs"
- Next in thread: abdel: "[phplib] who to get all table"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, 28 Jan 2001, Jeroen Laarhoven wrote:
> > If you extend the PHPLIB session class to track IPs also, you won't have
> > this problem since sessions should be automatically destroyed if IPs don't
> > match.
>
> We've had that discussion before: see list history (IPs are not unique,
> etc.)
>
> > However, even that initial exposure of the session ID is written into the
> > server log (at least it is in Apache). Here's an example from my own
> > server
> > (session ID and IP fudged a tiny bit):
> ...
> > This is a security risk, because a crafty user could use that information
> > to take over someone's session.
>
> Remember that session IDs are NOT user IDs! And they are 'logged in' only
> temporarily.
>
Not to mention that if someone has access to your logfiles they probably
can also easily run tcpdump or Ethereal and just watch the info there. Or
just look at the db. Etc., etc.
-n
--
........
nathan hruby
Webmaster: UGA Department of Drama and Theatre
Project Maintainer: phpSlash, Carousel
nhruby <email protected>
........
---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>
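The thread's concern is a session ID that lands in the Apache access log by way of the request URL (and, via the Referer header, often a second time on the same line). A defender who cannot immediately change how the application transports the ID can at least find and scrub those exposures before logs are shared or archived. The following is an added example, not code from the original post or from PHPLIB; the `sid` parameter name, the log lines, the IPs and the session-ID values are all constructed placeholders, and the real parameter name must be substituted for the application in use.

```python
import re

# Constructed Apache combined-format lines (not from the original post).
# "sid" is an assumed query-parameter name; all IDs and IPs are placeholders.
SAMPLE_LOG = """\
10.0.0.12 - - [28/Jan/2001:10:15:02 +0100] "GET /index.php3?sid=0123456789abcdef0123456789abcdef HTTP/1.0" 200 2341 "http://example.test/login.php3?sid=0123456789abcdef0123456789abcdef" "Mozilla/4.0"
10.0.0.12 - - [28/Jan/2001:10:15:09 +0100] "GET /images/logo.gif HTTP/1.0" 200 812 "-" "Mozilla/4.0"
10.0.0.31 - - [28/Jan/2001:10:16:44 +0100] "POST /post.php3?sid=fedcba9876543210fedcba9876543210&x=1 HTTP/1.0" 302 0 "-" "Lynx/2.8"
"""

# Query-parameter names that carry the session ID (assumed; adjust per application).
SESSION_PARAMS = ("sid",)

# Match "<param>=<value>" in a query string. The lookbehind keeps "usid=" from
# matching "sid="; the value runs up to '&', whitespace or a closing quote.
_SID_RE = re.compile(
    r'(?<![A-Za-z0-9_])(?P<key>(?:' + "|".join(map(re.escape, SESSION_PARAMS)) + r')=)'
    r'(?P<val>[^&\s"]+)'
)


def scrub_line(line: str) -> str:
    """Replace every session-ID value on one log line with a fixed marker."""
    return _SID_RE.sub(lambda m: m.group("key") + "[REDACTED]", line)


def find_exposures(log_text: str):
    """Return [(line_no, [distinct session ids])] for each line that exposes an ID.

    Both the request line and the Referer field are scanned, since an ID passed
    in the URL is typically logged in both places on the same line.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ids = sorted({m.group("val") for m in _SID_RE.finditer(line)})
        if ids:
            hits.append((n, ids))
    return hits


def scrub_log(log_text: str) -> str:
    """Return the whole log with all session-ID values redacted, one line per input line."""
    return "\n".join(scrub_line(line) for line in log_text.splitlines()) + "\n"


if __name__ == "__main__":
    for line_no, ids in find_exposures(SAMPLE_LOG):
        print(f"line {line_no}: exposes {len(ids)} session id(s)")
    print(scrub_log(SAMPLE_LOG))
```

Scrubbing only reduces how long an already-logged ID stays readable; the IDs were still visible on the wire and in the database, as the reply points out, so the scrubber belongs alongside the other controls rather than in place of them.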