Posted by Erwin Moller on 11/16/06 09:51
listerofsmeg01@hotmail.com wrote:
> Hi all,
>
> Constructing my first web app, and wanted to enable
> session.use_trans_sid so that people without cookies could still use my
> site.
>
> After braving a nightmare of set_ini(), and .htaccess to try (without
> joy) to turn it on, I find when searching for help that the vast
> majority of people are trying to turn it OFF.
>
> Now I know there are potential security risks with people mailing or
> posting links with session IDs embedded, but surely support is still
> needed for non-cookie people?
>
> Is it common practice now to only support cookies? Do people roll their
> own non-cookie support somehow instead?
>
> Many thanks
Hi,
In my humble opinion both URL rewriting and cookie-based transport of the
PHPSESSID are unsafe (without encryption).
Why?
1) URL rewriting: If somebody decides to send a URL that contains a session
ID to somebody else, why care? They might as well send the original
username/password to enter that site to their friend.
2) cookie: Anybody that can tap into the IP packets that go from a to b can
also see the cookie, just as the URL.
So URL rewriting doesn't give less or more security than cookie-based
PHPSESSID transport...
There are two possible extra things to pay attention to:
a) On shared hosting environments, on most setups, anybody with access on
that server can read the filenames and content of cookies belonging to
other sites. So if somebody on the same server wants to be a bad guy, they
can just steal sessions.
(This is not the case on all setups; if every site on the shared hosting
server has its own storage place with good file/dir permissions, this "hack"
won't work.)
b) With PHPSESSID passed through the URL, anybody with access to the logfiles
of the server can see the full URLs. This won't happen with cookies (since
they are not stored in the logs AFAIK).
The best way to go is to use encrypted transport (https/ssl) if safety is a
concern.
So my advice would be to just use session.use_trans_sid to support
cookie-disabled browsers while not giving away security (since the security
is low already).
Just my 2 cents.
Regards,
Erwin Moller
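The configuration Erwin describes, written out as an added example (this is not code from the original thread): URL rewriting stays on for cookie-less browsers, the session store is moved out of the shared default directory to address point (a), and the cookie is restricted to HTTPS. The directory path, the onLogin() helper and the sample link are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Session transport set up along the
// lines of the reply above: keep session.use_trans_sid on so browsers without
// cookies still work, but store session files where other accounts on a shared
// host cannot read them, and only send the cookie over HTTPS.

// (a) Shared hosting: session files in the default save_path (commonly /tmp)
//     are readable by other accounts on the same machine. Use a directory that
//     belongs to this site only. The path is an assumption; keep it outside the
//     web root.
$savePath = __DIR__ . '/../private/sessions';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
session_save_path($savePath);

// Transport: accept the session ID from a cookie or, failing that, from the
// URL. use_only_cookies must be off, otherwise PHP ignores URL-passed IDs and
// the trans_sid rewriting is pointless.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');

// Cookie attributes: Secure (only over https, the post's real recommendation)
// and HttpOnly (not readable from script). Lifetime 0 = session cookie.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $isHttps, true);

session_start();

// Hypothetical login hook: issue a fresh ID when the user authenticates, so an
// ID that was mailed around or logged in a URL before login is worthless
// afterwards. The old session file is deleted (the `true` argument).
function onLogin(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// (b) URL-passed IDs end up in the web server's access log. With trans_sid on,
//     PHP appends ?PHPSESSID=... to the relative links it outputs for clients
//     that sent no cookie, so write plain links and let PHP decide; never
//     build the ID into links by hand.
echo '<a href="profile.php">profile</a>';
```

Run this as the first thing in each script (before any output, since it sends the cookie header). The session directory needs to be writable by the PHP user only; on a shared host check the effective permissions after the first request rather than trusting the mkdir mode, because the host's umask or SELinux policy may override it.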