Re: Can SID be trusted?

Posted by Bruno Rafael Moreira de Barros on 10/10/59 12:00

> Could SID be manipulated to contain something nasty instead of
> "Name_of_session_id_variable=hexadecimal_session_id", so that it might
> warrant escaping?
>
> Sebastian

Not nasty things, but session stealing. If you are an ADMIN of the
website and your SSID is 55555, and you are on the website and see
something nice to tell me, a nobody on your website, you will send:

www.mysite.com/page.php?SID=55555

And I will be on the page with Administrator Permissions. Which is
awful. I myself use cookies for SID, so the dumb users don't make
errors like what I've just told you about.
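
The cookie-only approach mentioned in the reply above, as an added example that is not part of the original post: it keeps the session ID out of URLs, drops it from any link that still carries it, and issues a fresh ID at login. It assumes PHP 7.3 or later and an HTTPS site; `on_login()` and the `$_SESSION` keys are hypothetical names.

```php
<?php
// Added example (not from the original post). Assumes PHP 7.3+ and HTTPS.

// Accept the session ID from the cookie only, never from the URL.
// These are the secure values; set explicitly in case php.ini differs.
ini_set('session.use_only_cookies', '1'); // ignore an ID passed in GET/POST
ini_set('session.use_trans_sid', '0');    // never append the ID to links
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

session_set_cookie_params([
    'lifetime' => 0,       // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,    // assumption: the site is served over HTTPS
    'httponly' => true,    // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

// An old bookmark or pasted link may still carry the session name as a query
// parameter. It is ignored for authentication; redirect to the same path
// without it so it is not copied onward or kept in the address bar.
$name = session_name();
if (isset($_GET[$name])) {
    $params = $_GET;
    unset($params[$name]);
    // Keep only the local path and force a single leading slash, so the
    // redirect target can never be read as another host.
    $raw   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    $path  = '/' . ltrim((string) $raw, '/\\');
    $query = http_build_query($params);
    header('Location: ' . $path . ($query !== '' ? '?' . $query : ''), true, 302);
    exit;
}

// Hypothetical helper: call after credentials have been verified.
// A fresh ID at login means an ID known before login gains no privileges.
function on_login(int $userId, bool $isAdmin): void
{
    session_regenerate_id(true);   // issue a new ID, delete the old session data
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
}
```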

 

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация