Reply to Re: Can SID be trusted?

Posted by Bruno Rafael Moreira de Barros on 09/28/59 12:00

> Could SID be manipulated to contain something nasty instead of
> "Name_of_session_id_variable=hexadecimal_session_id", so that it might
> warrant escaping?
>
> Sebastian

Not nasty things, but session stealing. If you are an ADMIN of the
website and your SSID is 55555, and you are on the website and see
something nice to tell me, a nobody on your website, you will send:

www.mysite.com/page.php?SID=55555

And I will be on the page with Administrator Permissions. Which is
awful. I myself use Cookies for SID, so the dumb users don't make
errors like what I've just told you about.

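The cookie-only approach the reply describes, as an added example that is not part of the original post: a PHP session bootstrap that ignores session IDs passed in the URL, so a copied link carries no session. The helper name `on_privilege_change` and the log message are assumptions; the array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
// Added example (hypothetical bootstrap file, not code from the thread).

// Weak setup the reply warns about: with use_only_cookies=0 and
// use_trans_sid=1, PHP accepts the ID from the URL and appends it to links,
// so a pasted link hands the session to whoever opens it.

// Hardened setup: the session ID travels in a cookie only.
ini_set('session.use_only_cookies', '1'); // ignore session IDs in the query string
ini_set('session.use_trans_sid', '0');    // never rewrite links/forms to add the ID
ini_set('session.use_strict_mode', '1');  // reject IDs this server did not issue

session_set_cookie_params([
    'lifetime' => 0,      // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,   // send over HTTPS only
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);

// A session ID in the URL is now ignored, but its presence is worth logging:
// it means a link containing an ID is circulating somewhere.
if (isset($_GET[session_name()])) {
    error_log('Session ID parameter found in URL and ignored (cookie-only sessions).');
}

session_start();

// Hypothetical helper: call after login or any change of privilege level so
// an ID that leaked earlier stops being valid.
function on_privilege_change(): void
{
    session_regenerate_id(true); // true = delete the old session data
}
```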

