Posted by julianmlp on 05/28/06 01:38
Jerry Stuckle wrote:
> julianmlp@gmail.com wrote:
>
> > What I was wondering is: Is there any (simple/easy) way to hijack a
> > cookie remotely? (to be afraid of)
> >
>
> Not unless you can intercept the packets somewhere between the server and the
> client, or have access to the server file system (assuming you are using the
> default session handler in PHP).
I'm not using the default session handler.
I pass the session ID as
url_to_my_file.php?session=VALUE,
where VALUE is created from:
$VALUE = md5(uniqid(rand(), true));          // session ID sent in the URL
$CookieValue = sha1($VALUE . $HiddenString); // $HiddenString is a server-side secret
When I receive a client request, I look up the session AND the
cookie's value to see whether the client is logged in or not.
It seems to me pretty safe, but I'm not an expert at all...
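The scheme described above (session ID in the URL, a cookie bound to it through a server-side secret, both checked on every request) written out as two server-side functions. This is an added example, not the poster's code: the session store is an in-memory array standing in for a real one, the secret is a placeholder, and sha1(VALUE . secret) plus == comparison are swapped for hash_hmac() and hash_equals() so the tag is a proper MAC and the comparison does not leak timing.

```php
<?php
// Added example of the "URL session ID + bound cookie" check, not the poster's code.
// HIDDEN_STRING stands in for the poster's HiddenString; replace with a long random
// secret kept only on the server. $store is an assumed in-memory session table.
const HIDDEN_STRING = 'PLACEHOLDER-long-random-server-secret';

// Tag that must travel in the cookie for a given session ID.
function cookie_tag(string $sessionId): string {
    return hash_hmac('sha256', $sessionId, HIDDEN_STRING);
}

// Create a logged-in session; returns [sessionId for the URL, value for the cookie].
function create_session(array &$store): array {
    $sessionId = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG instead of md5(uniqid())
    $store[$sessionId] = ['logged_in' => true];
    return [$sessionId, cookie_tag($sessionId)];
}

// The per-request check: the session must exist AND the cookie must carry
// the matching tag. Either value alone is not enough to be treated as logged in.
function is_logged_in(array $store, ?string $sessionId, ?string $cookieValue): bool {
    if ($sessionId === null || $cookieValue === null) {
        return false;
    }
    if (!isset($store[$sessionId]) || !$store[$sessionId]['logged_in']) {
        return false;
    }
    // Constant-time comparison so a wrong cookie is rejected without a timing side channel.
    return hash_equals(cookie_tag($sessionId), $cookieValue);
}

// Usage: a handler would read $_GET['session'] and $_COOKIE['auth'] instead.
$store = [];
[$sid, $cookie] = create_session($store);
var_dump(is_logged_in($store, $sid, $cookie));              // URL ID with its cookie
var_dump(is_logged_in($store, $sid, null));                 // URL ID without the cookie
var_dump(is_logged_in($store, $sid, str_repeat('0', 64)));  // URL ID with a wrong cookie
var_dump(is_logged_in($store, 'unknown-session', $cookie)); // cookie for a session that does not exist
```

Because the tag is keyed with a secret that never leaves the server, knowing the URL's session ID does not let anyone compute the cookie; the session ID should still be regenerated on login and the store entry dropped on logout.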