Posted by julianmlp on 05/28/06 01:38
Jerry Stuckle wrote:
> julianmlp@gmail.com wrote:
>
> > What I was wondering is: Is there any (simple/easy) way to hijack a
> > cookie remotely? (to be afraid of)
> >
>
> Not unless you can intercept the packets somewhere between the server and the
> client, or have access to the server file system (assuming you are using the
> default session handler in PHP).
I'm not using the default session handler.
I pass the session ID as
url_to_my_file.php?session=VALUE,
where VALUE is created from:
VALUE = md5(uniqid(rand(), true));
CookieValue = sha1(VALUE . HiddenString);  // string concatenation in PHP is '.', not '+'
When I receive a client request, I look up the session AND the
cookie's value to see whether the client is logged in or not.
It seems to me pretty safe, but I'm not an expert at all...
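The two-token scheme described in the post, written out as an added PHP example (not the poster's own code): HIDDEN_STRING, the in-memory $sessions store and the function names are assumptions, and hash_equals() for the comparison is my addition rather than something the post specifies.

```php
<?php
// Added example, not the poster's code: a session ID carried in the URL plus a
// cookie derived from that ID and a server-side secret, checked together on each request.
// HIDDEN_STRING, $sessions and the function names are assumptions for illustration.
const HIDDEN_STRING = 'replace-with-a-long-random-server-secret';

// Server-side session store, constructed in memory for this example.
$sessions = [];

// Create a session exactly as the post describes:
// VALUE = md5(uniqid(rand(), true)); CookieValue = sha1(VALUE . HiddenString).
function createSession(array &$sessions): array {
    $value  = md5(uniqid(rand(), true));
    $cookie = sha1($value . HIDDEN_STRING);
    $sessions[$value] = ['created' => time()];
    return [$value, $cookie];
}

// Check a request: the session ID must exist in the store AND the presented cookie
// must equal the value derived from it. hash_equals() compares in constant time.
function isLoggedIn(array $sessions, ?string $sessionId, ?string $cookie): bool {
    if ($sessionId === null || $cookie === null || !isset($sessions[$sessionId])) {
        return false;
    }
    $expected = sha1($sessionId . HIDDEN_STRING);
    return hash_equals($expected, $cookie);
}

// Constructed requests: a valid pair, a tampered cookie, and an unknown session ID.
[$sid, $cookieValue] = createSession($sessions);
var_dump(isLoggedIn($sessions, $sid, $cookieValue));              // valid session and cookie
var_dump(isLoggedIn($sessions, $sid, 'tampered-cookie'));         // cookie does not match
var_dump(isLoggedIn($sessions, 'unknown-session', $cookieValue)); // session ID not in store
```

Because the cookie is a deterministic function of the session ID, the whole check rests on HiddenString staying secret on the server. A session ID passed in the query string also lands in server logs and outgoing Referer headers, which is worth weighing when judging how safe the scheme is.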