Re: Can SID be trusted?

Posted by Jerry Stuckle on 11/03/44 12:00

Christian Welzel wrote:
> Sebastian Lisken wrote:
>
>> guess that the code was developed in a context where it wasn't. As it
>> turns out, on my WAMP 5 installation it is disabled too. I've enabled
>
> This is what the debian php5.ini says about use_trans_sid:
>
> ; trans sid support is disabled by default.
> ; Use of trans sid may risk your users security.
> ; Use this option with caution.
> ; - User may send URL contains active session ID
> ; to other person via. email/irc/etc.
> ; - URL that contains active session ID may be stored
> ; in publically accessible computer.
> ; - User may access your site with the same session ID
> ; always using URL stored in browser's history or bookmarks.
> session.use_trans_sid = 0
>
> So your <a href="script.php?<? echo SID; ?>"> opens your application
> to exactly the facts mentioned above as it mimics session_trans_sid.
>

Yea, some of the Debian people aren't very smart. That's why I always
compile my own PHP on Debian and have my own configuration file. And
even if it isn't enabled, it's quite easy to enable.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
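
An added example, not part of the posts above: a cookie-only session bootstrap that addresses the three risks listed in the quoted php.ini comment. It assumes PHP 7.3 or later and an HTTPS site; `start_cookie_only_session()` and `on_login()` are hypothetical helper names.

```php
<?php
// Added example, not from the thread. Helper names are hypothetical.

function start_cookie_only_session(): void
{
    // Never rewrite URLs with the session ID, and never accept one from a URL.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    // Refuse session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // A session ID in the query string means an old bookmark or a shared
    // link. Redirect to the same path without it so it stops spreading
    // through history, mail and chat.
    $name = session_name();
    if (isset($_GET[$name])) {
        $query = $_GET;
        unset($query[$name]);
        $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
        $qs = http_build_query($query);
        header('Location: ' . $path . ($qs !== '' ? '?' . $qs : ''), true, 302);
        exit;
    }
}

function on_login(int $userId): void
{
    // Issue a new ID at the privilege change and delete the old session
    // data, so an ID that leaked before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_cookie_only_session();
// Links carry no SID: the cookie alone identifies the session.
echo '<a href="script.php">next page</a>';
```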
