Posted by Michael Fesser on 01/05/07 13:24
..oO(knal)
>The security part: I'm "afraid" of points one and two:
>1 - if someone listens to my traffic, what use is it to try to secure
>anything? (passw, usern. could easily be picked from the traffic)
That's what SSL (HTTPS) is for.
>I'm not afraid of the third "argument", but I read upon some other
>method where the visitor forces his own Session ID, which replaces the
>generated one. This means he can put in there (in the session info)
>whatever he likes.
That's not possible. Manipulating the data that's stored in the session
would only be possible if you made really bad errors in your script. The
session data is stored on the server and can't be accessed directly from
the client side. Of course a user can fake his session ID, but that's
not really a problem - he just gets a new and fresh session. Trying to
guess another user's session ID in order to hijack it can be considered
impossible, unless you use network sniffing or some other dirty tricks.
Micha
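Added example (not from the thread or from any poster): a minimal server-side session store in Python that shows the two points made above, namely that session data lives only on the server and that a client who presents a made-up session ID gets a fresh, empty session rather than anyone else's data. The `SessionStore` class, the in-memory dict and the `demo()` walk-through are all constructed for this illustration; the store also rotates the ID at login, which is the usual precaution so that an ID the client chose before authenticating never becomes the ID of the authenticated session.

```python
import secrets

# Assumption (constructed example): an in-memory dict stands in for the
# server-side session storage a real web framework would use.
SESSION_ID_BYTES = 16   # 128 random bits per ID: not guessable, only sniffable


class SessionStore:
    """Server-side session store. The client holds only an opaque ID (the
    cookie); the session data itself never leaves the server."""

    def __init__(self):
        self._sessions = {}   # session_id -> dict of server-side data

    def _new_id(self):
        # CSPRNG-backed ID, never derived from user input or a counter.
        return secrets.token_hex(SESSION_ID_BYTES)

    def open(self, client_supplied_id=None):
        """Return (session_id, data). An unknown or forged ID is simply not
        honoured: the client gets a new, empty session under a server-chosen
        ID, not access to anybody else's session."""
        if client_supplied_id in self._sessions:
            return client_supplied_id, self._sessions[client_supplied_id]
        sid = self._new_id()
        self._sessions[sid] = {}
        return sid, self._sessions[sid]

    def regenerate(self, old_id):
        """Move the data to a freshly generated ID and drop the old one."""
        data = self._sessions.pop(old_id, {})
        new_id = self._new_id()
        self._sessions[new_id] = data
        return new_id

    def login(self, sid, username):
        """Mark the session authenticated. The ID is rotated first, so an ID
        the client presented before login does not carry the logged-in
        session. Returns the new ID to send back as the cookie."""
        new_id = self.regenerate(sid)
        self._sessions[new_id]["user"] = username
        return new_id

    def exists(self, sid):
        return sid in self._sessions


def demo():
    """Walk through the scenario from the thread and report what holds."""
    store = SessionStore()
    first_id, _ = store.open()                  # anonymous first visit
    auth_id = store.login(first_id, "alice")    # ID rotated at login

    # A second client presents an ID it invented itself ("forces his own ID").
    forged_id, forged_data = store.open("1234")

    return {
        "forged_id_replaced": forged_id != "1234",       # server picks the ID
        "forged_session_empty": forged_data == {},       # nothing to tamper with
        "pre_login_id_dead": not store.exists(first_id), # old ID no longer valid
        "alice_data_server_side": store.open(auth_id)[1] == {"user": "alice"},
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The dict is the whole point: the cookie is only a key, so "putting whatever he likes in the session info" would require write access to the server-side store, not just control of the cookie value. Combined with HTTPS on the wire, the remaining exposure is whatever the script itself does with the stored data.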