|
Posted by Jerry Stuckle on 10/17/02 12:00
Sebastian Lisken wrote:
> I wrote:
>>> I also know that the session ID can be
>>> transmitted via a query string parameter or via a cookie if the browser
>>> permits it. I presume you know that SID reverts to an empty string in
>>> the latter case.
>
> Captain Paralytic <paul_lautman@yahoo.com> wrote:
>> Not what I have seen.
>
> You can read http://php.net/manual/en/ref.session.php íf you need to be
> convinced there. Now, could we get back to the subject? If you remember,
> I'm wondering if SID can be manipulated by an attacker to contain
> something that might need escaping when included in HTML such as in
>
> <a href="script.php?<? echo SID; ?>">
>
> Any opinions on that particular subject are more than welcome still, but
> I'm beginning to believe that no escaping (i.e. "treating" the value with
> rawurlencode or htmlentities) is required.
>
> Sebastian
>
>
You're correct that SID is not set if the session id was stored in a
cookie. However, the question is - why are you even doing this? If
properly configured, PHP handles sessions quite well. All you need to
do is issue a session_start() at the beginning of each page where you
use sessions.
And sure, anything CAN be manipulated - theoretically. But the default
PHP session id is a long alphanumeric string. It would be virtually
impossible to manipulate it unless you were somewhere in the path
between the client and the server. And not even then if it's a secure
connection.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|