Posted by Jerry Stuckle on 01/19/08 19:50
R. Rajesh Jeba Anbiah wrote:
> On Jan 19, 6:35 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> R. Rajesh Jeba Anbiah wrote:
> <snip>
>>> 2. But, one can fix the session id by stuffing it into a cookie. This way,
>>> someone can use some other user's session id and can access the
>>> page--only if the default session handler is used. Solution is to use a
>>> DB based session handler
>> A DB based session handler will not solve this problem.
>
> I mean, custom session handler with DB. It is easy to add
> additional user agent and IP checks in a DB based session handler.
>
Yes, I know what you mean. And on a shared host, you probably will not
be able to implement a db based session handler.
Additionally, IP checks are invalid. Many corporations have one proxy
to access the internet; all computers behind the firewall have the same
external address.
Additionally, some larger corporations and ISPs use multiple proxies;
each request can come from a different IP, even though it's a single
computer. AOL is famous for this.
>>> 3. If the files handler is used, one can access the session
>>> files (on shared host). So, for all shared hosts the solution is a DB
>>> based session handler
>> Not as big of a problem as someone else getting the session ID and
>> getting access to the user's session. Just getting a user ID from a
>> session in a file isn't going to do much good. And you shouldn't be
>> storing passwords in the session, anyway.
>
> Getting the real session ID's alone is sufficient for the session
> fixation. Knowing the user ID is more useful to fix the session for
> the particular user.
>
That's true. But it's only good for the life of the session.
>> You also neglect that if you're on a shared host, chances are you will
>> not be able to implement db based sessions. At least not without a lot
>> of work.
> <snip>
>
> No, you don't require any setting change. It's damn easy or just
> find nice open source scripts.
>
Yes, and then you need to implement additional code on each of your
pages - code which will be very server-dependent.
If the session information is that critical, get a VPS or dedicated
server. Don't use shared hosting.
> --
> <?php echo 'Just another PHP saint'; ?>
> Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
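The thread above argues about a DB-backed session handler with User-Agent/IP binding versus PHP's default files handler. The following is an added example, not code posted by either participant: a custom handler registered with session_set_save_handler() that stores sessions in a database via PDO, binds each session to the User-Agent hash but deliberately not to the client IP (for the proxy-pool reason Jerry gives), and combines that with the two standard PHP controls against a planted session ID, session.use_strict_mode and session_regenerate_id(). It assumes PHP 8.0 or later, the PDO SQLite driver, a table named "sessions", and a SQLite file path; all of those are assumptions, not anything from the thread.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8.0+, the PDO SQLite
// driver, a table named "sessions" and the database path below; all assumed.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime)
    {
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions ('
            . ' id TEXT PRIMARY KEY, data TEXT NOT NULL,'
            . ' ua_hash TEXT NOT NULL, expires INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // With session.use_strict_mode=1 PHP calls this before accepting an ID sent
    // by the client. An ID the server never issued is refused and a fresh one
    // is generated, so "stuffing" a chosen ID into the cookie gains nothing.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        return $stmt->fetchColumn() !== false;
    }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data, ua_hash FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';
        }
        // Bind to the User-Agent only. The client IP is not used: behind a
        // corporate or ISP proxy pool it can change on every request, so an
        // IP check would log legitimate users out. This is a weak check and
        // is no substitute for rotating the ID at login (see loginUser()).
        return hash_equals($row['ua_hash'], self::uaHash()) ? $row['data'] : '';
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, ua_hash, expires) VALUES (?, ?, ?, ?)'
        );
        return $stmt->execute([$id, $data, self::uaHash(), time() + $this->lifetime]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('UPDATE sessions SET expires = ? WHERE id = ?');
        return $stmt->execute([time() + $this->lifetime, $id]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }

    private static function uaHash(): string
    {
        return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    }
}

// Wiring. SQLite is used here so the example runs stand-alone; on a shared
// host use the account's MySQL DSN instead, so the session store sits behind
// per-account DB credentials rather than in a shared session.save_path.
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');   // assumed path
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
ini_set('session.cookie_httponly', '1');   // cookie not readable from script
session_set_save_handler(new PdoSessionHandler($db, 1800), true);
session_start();

// The other half of the fixation defence: rotate the ID at the privilege
// boundary. Even if a victim was made to use an attacker-known ID, that ID
// is retired (old record destroyed) the moment the victim authenticates.
function loginUser(string $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Two notes on the design. Handler code on its own does not stop fixation; the ID must be rotated at login and unknown IDs must be refused, which is why the example sets use_strict_mode and calls session_regenerate_id(true) rather than relying on the DB table. And the User-Agent check only narrows the window, since any attacker who can obtain a session ID can also copy the victim's User-Agent string.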