 Posted by Jerry Stuckle on 06/16/82 11:54 
Richard Levasseur wrote: 
> Jerry Stuckle wrote: 
>  
>  
>>Of course, if you go and manually edit the session id you're going to 
>>get an identical session.  What else do you expect? 
>> 
>>But under normal conditions two browsers should not be getting the same 
>>session id.  It's a long (32 char, IIRC) hex value which shouldn't be 
>>duplicated - and shouldn't be guessable by chance. 
>> 
>> 
>  
>  
> This also illustrates the use of having a good session_id generator. 
> It's not impossible to guess a session id using brute force and 
> statistics.  Of course, the attacker needs to generate a large number 
> of session ids to figure out what ones are possibly active, then figure 
> out which of those have information he wants.  The chances of that are 
> relatively remote, but not out of the realm of possibility.  If you're 
> really worried about security that much, then it's something to keep in 
> mind. 
>  
 
Yes, but if you're that worried about security you should have a  
dedicated server and perform your own session handling and not leave it  
to PHP's default handling. 
 
--  
================== 
Remove the "x" from my email address 
Jerry Stuckle 
JDS Computer Training Corp. 
jstucklex@attglobal.net 
==================
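As an added example that is not part of the original thread: a custom PHP session handler of the kind the reply suggests, with ids drawn from random_bytes() and strict-mode validation so that an edited or guessed id is rejected rather than silently adopted. The class name, the file-based storage directory under the system temp dir, the 16-byte id length and the expectedGuesses helper are illustrative assumptions, not anything from the post.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Storage directory, 'sess_'
// prefix, 16-byte id length and the expectedGuesses helper are assumptions.

final class RandomIdFileSessionHandler implements
    SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
{
    private string $savePath;

    public function __construct(string $savePath)
    {
        $this->savePath = rtrim($savePath, DIRECTORY_SEPARATOR);
    }

    // 16 CSPRNG bytes -> 32 lowercase hex characters, i.e. 128 bits of entropy.
    public function create_sid(): string
    {
        return bin2hex(random_bytes(16));
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->savePath) || mkdir($this->savePath, 0700, true);
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->fileFor($id);
        if ($file === null || !is_file($file)) {
            return '';   // unknown id: empty session, the client's id carries no data
        }
        $data = file_get_contents($file);
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        $file = $this->fileFor($id);
        return $file !== null && file_put_contents($file, $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->fileFor($id);
        if ($file !== null && is_file($file)) { unlink($file); }
        return true;
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->savePath . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    // With session.use_strict_mode=1 PHP asks the handler whether a client-supplied
    // id belongs to a live session; an edited or guessed id that does not exist is
    // discarded and a fresh one is issued instead of being adopted as-is.
    public function validateId(string $id): bool
    {
        $file = $this->fileFor($id);
        return $file !== null && is_file($file);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $file = $this->fileFor($id);
        return $file !== null && touch($file);
    }

    // Accept only ids shaped exactly like create_sid() output; this also keeps
    // path separators out of the file name.
    private function fileFor(string $id): ?string
    {
        return preg_match('/\A[0-9a-f]{32}\z/', $id) === 1
            ? $this->savePath . '/sess_' . $id
            : null;
    }
}

// Expected number of blind guesses before one lands on any of $activeSessions
// live ids drawn uniformly from a space of 2 ** $idBits values.
function expectedGuesses(int $idBits, int $activeSessions): float
{
    return (2 ** $idBits) / $activeSessions;
}

ini_set('session.use_strict_mode', '1');
session_set_save_handler(new RandomIdFileSessionHandler(sys_get_temp_dir() . '/php_sessions'), true);
session_start();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
printf("session id %s, hit %d\n", session_id(), $_SESSION['hits']);
printf("32-bit ids, 1e6 live sessions: %.1e guesses per hit\n", expectedGuesses(32, 1_000_000));
printf("128-bit ids, 1e6 live sessions: %.1e guesses per hit\n", expectedGuesses(128, 1_000_000));
```

Run it from the command line and note that the id is 32 hex characters: 128 bits, so even with a million live sessions an attacker needs on the order of 10^32 blind guesses per hit, whereas a 32-bit id would fall in a few thousand. In the thread's terms, strict mode plus validateId is what stops a manually edited id from becoming a valid new session; without it PHP accepts whatever id the client presents and the handler's read() simply sees an empty session under that name.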