Posted by Sebastian Lisken on 10/21/50 12:00

I wrote:
> > I also know that the session ID can be
> > transmitted via a query string parameter or via a cookie if the browser
> > permits it. I presume you know that SID reverts to an empty string in
> > the latter case.

Captain Paralytic <paul_lautman@yahoo.com> wrote:
> Not what I have seen.

You can read http://php.net/manual/en/ref.session.php �f you need to be
convinced there. Now, could we get back to the subject? If you remember,
I'm wondering if SID can be manipulated by an attacker to contain
something that might need escaping when included in HTML such as in

<a href="script.php?<? echo SID; ?>">

Any opinions on that particular subject are more than welcome still, but
I'm beginning to believe that no escaping (i.e. "treating" the value with
rawurlencode or htmlentities) is required.

Sebastian

• Next in forum: Re: Can SID be trusted?
• Prev in forum: Re: How to submit a form when user presses Enter key
• Thread view: Re: Can SID be trusted?

[Reply to this message]