Posted by Curtis on 01/06/07 10:20
Check out the session_regenerate_id function. This could help you out
with session fixation.
See: http://php.net/session_regenerate_id
On Jan 5, 8:36 am, "knal" <knalp...@gmail.com> wrote:
> Yes Erwin, I meant 'session fixation', but couldn't recall the term...
>
> On 5 jan, 09:58, Erwin Moller
>
> <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> > Michael Fesser wrote:
> > > .oO(knal)
>
> > >>The security part: I'm "afraid" of points one and two:
> > >>1 - if someone listens to my traffic, what use is it to try to secure
> > >>anything? (passw., usern. could easily be picked from the traffic)
>
> > > That's what SSL (HTTPS) is for.
>
> > >>I'm not afraid of the third "argument", but I read about some other
> > >>method where the visitor forces his own Session ID, which replaces the
> > >>generated one. This means he can put in there (in the session info)
> > >>whatever he likes.
>
> > > That's not possible.
> >
> > Hi Misha,
>
> > I think he is refering to 'session fixation' when he writes about 'forcing a
> > sessionid on another user'.
>
> > A link on php.net is provided on: http://nl3.php.net/manual/en/ref.session.php
> > under the chapter 'Sessions and security'.
>
> > Regards,
> > Erwin Moller
>
> > > Manipulating the data that's stored in the session
>
> > > would only be possible if you made really bad errors in your script. The
> > > session data is stored on the server and can't be accessed directly from
> > > the client side. Of course a user can fake his session ID, but that's
> > > not really a problem - he just gets a new and fresh session. Trying to
> > > guess another user's session ID in order to hijack it can be considered
> > > impossible, unless you use network sniffing or some other dirty tricks.
>
> > > Micha
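A worked illustration of Curtis's suggestion, added here and not posted by anyone in the thread: a login handler that calls session_regenerate_id() at the moment privileges change, combined with the php.ini settings that close the fixation path in the first place (refusing IDs passed in the URL and, with session.use_strict_mode, refusing any ID the server did not itself issue). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and check_credentials() is a hypothetical stand-in with one hard-coded account, not a real user store.

```php
<?php
// Added example, not code from the thread. Hardened login/logout flow
// against session fixation. Assumes PHP >= 7.3.

// Fixation usually starts with an ID the attacker chose and handed to the
// victim. Accept IDs only from the cookie, never from the URL ...
ini_set('session.use_only_cookies', '1');
// ... and only IDs that this server generated (PHP >= 5.5.2); a made-up ID
// is discarded and replaced instead of being adopted as-is.
ini_set('session.use_strict_mode', '1');

// Keep the cookie out of JavaScript and off plain HTTP; 'secure' requires
// the site to be served over HTTPS, which the thread already recommends.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical credential check with a single constructed account.
// Real code looks the hash up in a user store; the salted hash is produced
// by password_hash() and compared with password_verify().
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // The privilege level is about to change: issue a fresh ID now. With
    // delete_old_session = true the data stored under the old ID is removed,
    // so an ID the attacker planted before login no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    // Drop server-side state, then expire the cookie on the client as well.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage from a POST handler (constructed, not from the thread):
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
        header('Location: /account');
    } else {
        header('Location: /login?failed=1');
    }
    exit;
}
```

The regeneration on login is the part that directly answers knal's worry: even if the attacker managed to get his chosen ID into the victim's browser, the ID that ends up holding the logged-in state is one he has never seen. Regenerating again on every request is not needed and breaks concurrent AJAX requests; regenerate on login, on logout, and on any other privilege change.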