You are here: Re: Can SID be trusted? « PHP Programming Language « IT news, forums, messages
Re: Can SID be trusted?

Posted by Jerry Stuckle on 10/17/02 12:00

Sebastian Lisken wrote:
> I wrote:
>>> I also know that the session ID can be
>>> transmitted via a query string parameter or via a cookie if the browser
>>> permits it. I presume you know that SID reverts to an empty string in
>>> the latter case.
>
> Captain Paralytic <paul_lautman@yahoo.com> wrote:
>> Not what I have seen.
>
> You can read http://php.net/manual/en/ref.session.php íf you need to be
> convinced there. Now, could we get back to the subject? If you remember,
> I'm wondering if SID can be manipulated by an attacker to contain
> something that might need escaping when included in HTML such as in
>
> <a href="script.php?<? echo SID; ?>">
>
> Any opinions on that particular subject are more than welcome still, but
> I'm beginning to believe that no escaping (i.e. "treating" the value with
> rawurlencode or htmlentities) is required.
>
> Sebastian
>
>

You're correct that SID is not set if the session id was stored in a
cookie. However, the question is - why are you even doing this? If
properly configured, PHP handles sessions quite well. All you need to
do is issue a session_start() at the beginning of each page where you
use sessions.

And sure, anything CAN be manipulated - theoretically. But the default
PHP session id is a long alphanumeric string. It would be virtually
impossible to manipulate it unless you were somewhere in the path
between the client and the server. And not even then if it's a secure
connection.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация