Re: Can SID be trusted?

Posted by Jerry Stuckle on 01/18/08 02:27

Sebastian Lisken wrote:
> Jerry Stuckle <jstucklex@attglobal.net> wrote:
>> Until the next time your session gets stolen because someone put the
>> session id in SID...
>
> Oh, for crying out loud - are you just teasing me? Do you refuse to
> take in what I'm trying to make you see? Or could you please explain
> how "someone" can "put the session ID in SID"?
>

Very simple. Some programmer comes along and sees there isn't anything
in SID - and, not knowing any better, gets the session id and places it
in there. Do you think you're the only one who will ever work on these
scripts?

> If cookies are used (which we all agree is the best option), then SID is
> empty. Read The Fine Manual.
>

Yep. But that doesn't mean you should increase your exposure. And if
cookies are not active, PHP handles it for you, anyway.

> If SID does contain the session ID then PHP has decided not to use
> cookies to propagate the session ID.
>
> If that is true, then one of the following is true:
>
> - session.use_trans_sid - which you advocate - would add the very same
> thing to link addresses automatically that I am adding via SID
>
> - or you propose not propagating the session ID via a GET parameter at
> all, in which case please tell me what your alternative is (remember,
> the premise is that cookies are not accepted by the browser).
>

I say don't do it at all for important stuff - like private logins. If
cookies aren't accepted, they can't use the site. For sites where it
really doesn't matter if the session id is propagated or not, I let them
use cookies or not.

> IF, however, the browser accepts cookies, then SID does NOT contain the
> session ID.
>
> So where is the added risk?!
>
> Sebastian
>
>

Again - some stupid programmer who doesn't know enough not to screw with
SID gets the session id and places it in there.

But that's OK. It's your code. Your exposure. And your code that
someone else will see at some point in time. If you don't care about
any of that, it's no skin off my back.

We tried to tell you. All you've done is argue. So have fun - but
don't come crying to us when someone hacks your system.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
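The session-handling stance Jerry argues for in the thread above (cookie-only propagation, no session id rewritten into links, and no login when the browser does not return the cookie), written out as an added PHP example. This is not code from the original thread or from either poster; the `session.*` directives are real php.ini settings, while the `/login.php` path and the function names are hypothetical.

```php
<?php
// Added example, not part of the original thread: a cookie-only session
// setup that leaves nothing for a later programmer to "put in SID".

// Never read the session id from the URL and never rewrite links with it.
ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in the query string
ini_set('session.use_trans_sid', '0');      // do not append the id to links/forms
ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue
ini_set('session.cookie_httponly', '1');    // keep the cookie away from script access
ini_set('session.cookie_secure', '1');      // send the cookie over HTTPS only
ini_set('session.cookie_samesite', 'Strict');

session_start();

// Once the browser returns the session cookie, PHP leaves the SID constant
// empty, so concatenating it onto a URL adds nothing. On the very first
// request (no cookie yet) SID still carries name=id, which is why the
// cookie check below looks at $_COOKIE rather than at SID.
function sessionCookiePresent(): bool
{
    return isset($_COOKIE[session_name()]);
}

// Jerry's rule for important stuff: no cookie, no login. The first visit
// redirects once so the second request can prove that cookies are accepted
// (the redirect target /login.php?cookiecheck=1 is a hypothetical path).
function requireSessionCookie(): void
{
    if (sessionCookiePresent()) {
        return;
    }
    if (!isset($_GET['cookiecheck'])) {
        header('Location: /login.php?cookiecheck=1');
        exit;
    }
    http_response_code(403);
    echo 'Cookies are required to log in to this site.';
    exit;
}

// Issue a fresh id when the session gains privileges, so an id that was
// observed before login (by whatever route) is worthless afterwards.
function completeLogin(string $user): void
{
    session_regenerate_id(true);   // true discards the old session file
    $_SESSION['user'] = $user;
}

requireSessionCookie();
// ... credential check goes here; on success:
// completeLogin($validatedUsername);
```

With `session.use_only_cookies` set, a session id that somebody later pastes into a query string is simply ignored by PHP, and with `session.use_trans_sid` off there is no automatic link rewriting either, so the only remaining way for the id to reach a URL is a programmer writing it there by hand, which is exactly the exposure the thread is arguing about.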
