Reply to Re: session management- your opinion

Posted by Jerry Stuckle on 05/28/06 01:28

julianmlp@gmail.com wrote:
> Janwillem Borleffs wrote:
>
>>julianmlp@gmail.com wrote:
>>
>>>I think through this kind of procedure it is hard to hijack a user
>>>session.
>>>What do you think?
>>>
>>
>>You can test this yourself by faking the HTTP request sent to the server
>>from another machine using a valid session ID.
>
>
> Well, I already tried it, and it doesn't work at all. I mean, only
> pasting the url in the browser's address bar of another computer, the
> user can't authenticate, because the cookie isn't there, so in some
> way I could say that it is working well.
>
> What I was wondering is: Is there any (simple/easy) way to hijack a
> cookie remotely? (to be afraid of)
>

Not unless you can intercept the packets somewhere between the server and the
client, or have access to the server file system (assuming you are using the
default session handler in PHP).

The session id is a random string of 32 alphanumeric chars - virtually
impossible for anyone to guess.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
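
An added example, not part of the original thread and not written by any of its posters: one way to narrow the two exposures named in the reply above (packets intercepted in transit, and access to the session files of PHP's default handler). It assumes PHP 7.3 or later and a site served over HTTPS; the save path and the function names are hypothetical.

```php
<?php
// Added example: hardens PHP's default file-based session handler.
// The save path and function names are hypothetical, not from the thread.

function start_hardened_session(string $savePath): void
{
    // File system exposure: keep session files in a private directory
    // instead of a shared temp directory other accounts can read.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    clearstatcache(true, $savePath);
    if ((fileperms($savePath) & 0077) !== 0) {
        throw new RuntimeException('session directory is group/world accessible');
    }
    session_save_path($savePath);

    // Accept the id only from a cookie, never from the URL, and refuse
    // ids that the server did not issue itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // Interception: send the cookie over HTTPS only and hide it from scripts.
    session_set_cookie_params([
        'lifetime' => 0,      // expires when the browser closes
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable via document.cookie
        'samesite' => 'Lax',
    ]);

    session_start();
}

function mark_logged_in(string $userId): void
{
    // Issue a fresh id at login and delete the old session file, so an id
    // observed before authentication is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session('/var/lib/php/sessions-myapp'); // hypothetical path
```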
