php3-list | 200003
Date: 03/31/00
- Next message: Nick Zukin: "[PHP3] Macintosh PHP Editor (was: Re: [PHP3] Visual Editor?)"
- Previous message: Chris Carbaugh: "[PHP3] RE: Problem with cookies"
- In reply to: Sascha Schumann: "Re: [PHP3] Session Management"
- Next in thread: Sascha Schumann: "Re: [PHP3] Session Management"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
There is another exposure in putting the SID into the URL. It will show up
in the referrer log of any site that is clickable from your site. So if you
are protecting any sensitive information with sessions, you are advised not
to put the SID in the query string (as well as any other sensitive data).
-Josh
-----Original Message-----
From: Sascha Schumann [mailto:sascha <email protected>]
Sent: Friday, March 31, 2000 3:46 PM
To: Jeff Schwartz
Cc: PHP List
Subject: Re: [PHP3] Session Management
On Fri, Mar 31, 2000 at 12:27:29PM -0800, Jeff Schwartz wrote:
> For non-cookie based sessions, passing an ID in a form works great. But
> what about regular clickable URLs? The session ID is exposed. Someone at
> the next desk could type it in and become that user.
Heh. A new type of "eavesdropping." Unless you are a robot, I don't think
you can memorize a string with 32 chars in one second.
> Is there any way to safeguard against that?
You can prevent real eavesdropping only using SSL/TLS.
- Sascha
-- PHP 3 Mailing List <http://www.php.net/> To unsubscribe, send an empty message to php3-unsubscribe <email protected> To subscribe to the digest, e-mail: php3-digest-subscribe <email protected> To search the mailing list archive, go to: http://www.php.net/mailsearch.php3 To contact the list administrators, e-mail: php-list-admin <email protected>
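The leak Josh describes, worked through as an added example (this is not code from the list, from PHP 3 or from either poster): a browser following an outbound link sends the linking page's full URL, query string included, as the Referer header, so a session ID in that query string lands in the other site's access log. The script builds that Referer, extracts the session ID the way the other site's operator could, shows the link with the SID stripped (the form you would use if the ID lived in a cookie), and scans a few constructed Apache "combined" log lines for leaked IDs. The parameter name PHPSESSID, the host names and the log lines are all assumptions made for the example.

```python
"""Session IDs carried in the query string leak through the HTTP Referer
header. Hypothetical example written for this thread, not PHP's own code.
Assumptions: the session parameter is named PHPSESSID, browsers send the
full linking URL as Referer, and logs use the Apache "combined" format.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAM = "PHPSESSID"  # assumed name of the session query parameter

# Apache "combined" log line; the Referer is the second quoted field.
_COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def referer_for_click(page_url):
    """Referer a browser sends when the user clicks an outbound link on
    page_url: the full URL, query string kept, fragment dropped."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def session_id_in_url(url, param=SESSION_PARAM):
    """Return the session ID found in url's query string, or None."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key == param:
            return value
    return None


def strip_session_id(url, param=SESSION_PARAM):
    """Rewrite url without the session parameter: the link you would emit
    when the SID is carried in a cookie rather than the query string."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k != param]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), p.fragment))


def leaked_sessions(log_lines):
    """Scan another site's access log for Referer values carrying a session
    ID. Returns (client_host, referring_site, session_id) tuples."""
    found = []
    for line in log_lines:
        m = _COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        sid = session_id_in_url(m.group("referer"))
        if sid:
            found.append((m.group("host"),
                          urlsplit(m.group("referer")).netloc, sid))
    return found


# Constructed sample: what the operator of partner.example would see after
# two visitors of shop.example followed a link there. Not real log data.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2000:15:50:01 -0800] "GET /page.html HTTP/1.0" 200 512 '
    '"http://shop.example/account.php3?PHPSESSID=0123456789abcdef0123456789abcdef" "Mozilla/4.7"',
    '198.51.100.9 - - [31/Mar/2000:15:51:13 -0800] "GET /page.html HTTP/1.0" 200 512 '
    '"http://shop.example/catalog.php3?item=42" "Mozilla/4.7"',
    '192.0.2.44 - - [31/Mar/2000:15:52:40 -0800] "GET /logo.gif HTTP/1.0" 200 8120 '
    '"-" "Mozilla/4.7"',
]

if __name__ == "__main__":
    page = ("http://shop.example/account.php3"
            "?PHPSESSID=0123456789abcdef0123456789abcdef#orders")
    print("Referer sent on click:", referer_for_click(page))
    print("Same link, SID stripped:", strip_session_id(page))
    for host, site, sid in leaked_sessions(SAMPLE_LOG):
        print(host, "arrived from", site, "carrying session", sid)
```

Run as-is to see the Referer the first visitor's browser would send, the same link without the SID, and the one log line from which partner.example could lift a live session. The third log line has no Referer at all ("-"), and the second carries only an item number, so neither is flagged; only a query string holding the session parameter is.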