Re: Can SID be trusted?

Posted by Sebastian Lisken on 01/17/08 23:19

Jerry Stuckle <jstucklex@attglobal.net> wrote:
> Until the next time your session gets stolen because someone put the
> session id in SID...

Oh, for crying out loud - are you just teasing me? Do you refuse to
take in what I'm trying to make you see? Or could you please explain
how "someone" can "put the session ID in SID"?

If cookies are used (which we all agree is the best option), then SID is
empty. Read The Fine Manual.

If SID does contain the session ID then PHP has decided not to use
cookies to propagate the session ID.

If that is true, then one of the following is true:

- session.use_trans_sid - which you advocate - would add the very same
thing to link addresses automatically that I am adding via SID

- or you propose not propagating the session ID via a GET parameter at
all, in which case please tell me what your alternative is (remember,
the premise is that cookies are not accepted by the browser).

IF, however, the browser accepts cookies, then SID does NOT contain the
session ID.

So where is the added risk?!

Sebastian
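
The behaviour described in the post above, as an added example that is not part of the original message: links are built by hand from `SID`, which is empty once the browser has sent the session cookie back and holds `name=id` otherwise. `link_with_sid` is a hypothetical helper, the link targets are constructed, and the script assumes a PHP version that still defines the `SID` constant.

```php
<?php
// Added example, not code from the thread. Run it through a web server.
ini_set('session.use_cookies', '1');       // prefer the cookie
ini_set('session.use_only_cookies', '0');  // allow the URL fallback the post assumes
ini_set('session.use_trans_sid', '0');     // no automatic rewriting; links are built by hand
session_start();

/**
 * Hypothetical helper: append "name=id" to a link only when it is needed.
 * $sid is the SID constant: '' when the request carried the session
 * cookie, "name=id" when it did not.
 */
function link_with_sid(string $url, string $sid): string
{
    // Absolute ("https://...") and protocol-relative ("//host/...") links
    // may leave this site; the session ID is never attached to them.
    $external = preg_match('~^([a-z][a-z0-9+.-]*:|//)~i', $url) === 1;
    if ($sid === '' || $external) {
        return $url;
    }
    // Keep any #fragment at the very end, after the query string.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . $sid . $fragment;
}

// Constructed sample links: two local ones and one external one.
$links = ['cart.php', 'cart.php?item=3#top', 'https://other.example/page'];
foreach ($links as $href) {
    $out = htmlspecialchars(link_with_sid($href, SID), ENT_QUOTES, 'UTF-8');
    echo '<a href="', $out, '">', htmlspecialchars($href, ENT_QUOTES, 'UTF-8'), "</a><br>\n";
}
```

On a request that arrives without the session cookie, the two local links carry the ID and the external one does not; once the browser returns the cookie, all three are printed unchanged.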
