Reply to Re: Secure login tutorial


Posted by Erwin Moller on 01/05/07 14:58

Michael Fesser wrote:

> .oO(knal)
>
>>The security part: I'm "afraid" of points one and two:
>>1 - if someone listens to my traffic, what use is it to try to secure
>>anything? (passw, usern. could easily be picked from the traffic)
>
> That's what SSL (HTTPS) is for.
>
>>I'm not afraid of the third "argument", but I read upon some other
>>method where the visitor forces his own Session ID, which replaces the
>>generated one. This means he can put in there (in the session info)
>>whatever he likes.
>
> That's not possible.

Hi Misha,

I think he is referring to 'session fixation' when he writes about 'forcing a
sessionid on another user'.

A link on php.net is provided on:
http://nl3.php.net/manual/en/ref.session.php
under the chapter 'Sessions and security'.

Regards,
Erwin Moller

> Manipulating the data that's stored in the session
> would only be possible if you made really bad errors in your script. The
> session data is stored on the server and can't be accessed directly from
> the client side. Of course a user can fake his session ID, but that's
> not really a problem - he just gets a new and fresh session. Trying to
> guess another user's session ID in order to hijack it can be considered
> impossible, unless you use network sniffing or some other dirty tricks.
>
> Micha
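
The session fixation concern raised in this thread is commonly mitigated by refusing session IDs the server did not issue and by rotating the ID at login. The following is an added example, not code from the original posts; `start_hardened_session()`, `login()` and the `$users` record are hypothetical names, and it assumes PHP 7.3 or later and an HTTPS site.

```php
<?php
// Added example: hardening a PHP login against session fixation.
// start_hardened_session(), login() and $users are hypothetical names.

function start_hardened_session(): void
{
    // Reject session IDs that the server did not generate itself.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from a cookie, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([      // array form needs PHP >= 7.3
        'httponly' => true,
        'secure'   => true,          // assumption: site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $name, string $password): bool
{
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a fresh ID and delete the old session data, so an ID that was
    // planted before authentication never becomes a logged-in session.
    session_regenerate_id(true);
    $_SESSION = ['user' => $name, 'since' => time()];
    return true;
}

// Constructed sample account, for illustration only.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

start_hardened_session();
$before = session_id();
$ok     = login($users, 'alice', 'correct horse');
$after  = session_id();

echo ($ok && $before !== $after) ? "ID rotated at login\n" : "login failed\n";
```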
