Re: Can SID be trusted?

Posted by Sebastian Lisken on 10/03/99 12:01

Jerry Stuckle <jstucklex@attglobal.net> wrote:
> It means more code, higher maintenance costs and opens the session to
> stealing.

There's something I don't seem to be able to get into your or Micha's
head, however hard I'm trying.

So, I'll have to say it again:

If PHP uses cookies for session management (because it is configured to
try and the browser allows it), SID is an empty string.

Therefore:

If cookies are used, no SID in server logs, links, bookmarks ... etc.

Therefore:

Using SID does not increase the risks of session stealing. The risk is
there, I am aware of it. But I'm not increasing it in the slightest by
using SID in the described way.

Okay?

Now I'm happy to discuss session stealing or fixation, and measures against
that. Or Jerry's other arguments against using SID, which have their
merit. (Well, not cost in this case, because here *removing* all those
SIDs would be costly.) Just as long as we're clear:

Using SID does not increase the risk of sessions ending up as part of
URLs.

Sebastian
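The behaviour Sebastian describes, as an added example that is not from anyone in this thread: SID is the empty string once the browser has returned the session cookie, so a link helper that appends it only when non-empty never puts the ID in a URL for cookie-capable clients. The helper names `session_link` and `on_login` are hypothetical; the `session.*` directives and `SID` are PHP's own.

```php
<?php
// Added example, not from the original thread. Demonstrates that SID is ""
// when the session ID travelled in a cookie, so only cookie-less clients
// ever get the ID appended to a link.
declare(strict_types=1);

// Real php.ini directives a defender sets alongside this pattern.
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued (anti-fixation)
ini_set('session.cookie_httponly', '1');   // keep the cookie away from script access
session_start();                           // SID is only defined after this call

/**
 * Build a same-site link, appending "name=id" only when PHP could not
 * store the session ID in a cookie (i.e. SID is non-empty).
 */
function session_link(string $path): string
{
    if (SID === '') {
        return $path;                      // cookie in use: nothing added to the URL
    }
    $sep = str_contains($path, '?') ? '&' : '?';
    return $path . $sep . htmlspecialchars(SID, ENT_QUOTES, 'UTF-8');
}

/**
 * Call after authentication or any privilege change: a fresh ID makes a
 * previously leaked or fixated ID worthless.
 */
function on_login(): void
{
    session_regenerate_id(true);           // true discards the old session file
}

echo '<a href="' . session_link('/cart.php?item=42') . '">Cart</a>';
```

With a browser that accepts cookies the rendered href is exactly `/cart.php?item=42`; only a client that refused the cookie receives the `PHPSESSID=...` query parameter.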
