Posted by Erwin Moller on 11/16/06 17:20
Chung Leong wrote:
> Erwin Moller wrote:
>> So url rewriting doesn't give less or more security than cookie based
>> PHPSESSID transport...
>
> I think you forgot about the HTTP Referer header. If your site has any
> external links--or worse, links to external images--then the session ID
> is easily compromised if it sits in the URL.
Yes, add that to the list of possible problems. :-)
>
>> There are two possible extra things to pay attention to:
>> a) On shared hosting environments, on most setups, anybody with access to
>> that server can read the filenames and content of cookies belonging
>> to other sites. So if somebody on the same server wants to be a bad guy,
>> they can just steal sessions.
>
> Just the contents of the session file, not the cookie.
The name of the file reflects the session id.
So both are compromised...
>
>> So my advice would be to just use session.use_trans_sid to support cookie
>> disabled browsers while not giving away security (since the security is
>> low already).
>
> trans_sid doesn't work very well, especially when your site makes use
> of Javascript. My advice is to turn it off, since using the feature
> means doubling your QA time. Someone savvy enough to disable cookies is
> probably savvy enough to make an exception for your site.
I don't get that, Cheong, what goes exactly wrong with JS in combination
with trans_sid? I use both a lot, so I am curious what you mean.
Regards,
Erwin Moller
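The thread above raises three concrete risks: a session ID in the URL leaking via the Referer header, session files readable by other users on a shared host, and trans_sid as the mechanism that puts the ID in the URL in the first place. The following is an added configuration example, not code from either poster, that closes each of those with PHP's own session directives. The save path and the `onSuccessfulLogin` helper are assumptions made for illustration.

```php
<?php
// Added example, not from the thread: harden PHP session transport and storage
// along the lines discussed above. Paths and helper names are assumptions.

// Accept the session ID only from the cookie, never from the query string or
// POST body, and stop PHP from rewriting links/forms to carry it. This is what
// removes the Referer-header leak: the ID never appears in a URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Refuse IDs the server did not issue itself (PHP >= 5.5.2). A stale or
// guessed ID from an old URL cannot then be adopted as a live session.
ini_set('session.use_strict_mode', '1');

// Keep the cookie out of reach of page scripts and off plaintext connections.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

// Shared-hosting point from the thread: the default save path (usually /tmp)
// is visible to every account on the box, and the file name is the session
// ID. Store session files in a directory only this site's user can read.
// Assumed path; adjust to the site's own private area.
$savePath = '/var/www/example-site/private/sessions';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_path', $savePath);

/**
 * Deploy-time self-check: returns the directives that are not in the hardened
 * state, so an empty array means "cookie-only transport, private storage".
 */
function sessionHardeningProblems(): array
{
    $expected = [
        'session.use_only_cookies' => '1',
        'session.use_trans_sid'    => '0',
        'session.use_strict_mode'  => '1',
        'session.cookie_httponly'  => '1',
        'session.cookie_secure'    => '1',
    ];
    $problems = [];
    foreach ($expected as $directive => $want) {
        if ((string) ini_get($directive) !== $want) {
            $problems[] = $directive;
        }
    }
    // Default /tmp is the shared-hosting exposure described in the thread.
    if (ini_get('session.save_path') === '' || ini_get('session.save_path') === '/tmp') {
        $problems[] = 'session.save_path';
    }
    return $problems;
}

session_start();

/**
 * Assumed login hook: issue a fresh ID once the user is authenticated so an
 * ID handed out before login (and possibly observed elsewhere) is never
 * promoted to an authenticated session.
 */
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session file
    $_SESSION['user_id'] = $userId;
}

if ($problems = sessionHardeningProblems()) {
    error_log('Session hardening incomplete: ' . implode(', ', $problems));
}
```

Two caveats that follow from the thread itself: with `session.use_only_cookies` on, visitors who block cookies get no session at all, which is exactly the trade-off Chung Leong describes, and `session.cookie_secure` means the cookie is only ever sent over HTTPS, so a site that still serves pages over plain HTTP will appear to lose its sessions there.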