Posted by Sebastian Lisken on 11/04/50 12:00
I wrote:
> > I also know that the session ID can be
> > transmitted via a query string parameter or via a cookie if the browser
> > permits it. I presume you know that SID reverts to an empty string in
> > the latter case.
Captain Paralytic <paul_lautman@yahoo.com> wrote:
> Not what I have seen.
You can read http://php.net/manual/en/ref.session.php νf you need to be
convinced there. Now, could we get back to the subject? If you remember,
I'm wondering if SID can be manipulated by an attacker to contain
something that might need escaping when included in HTML such as in
<a href="script.php?<? echo SID; ?>">
Any opinions on that particular subject are more than welcome still, but
I'm beginning to believe that no escaping (i.e. "treating" the value with
rawurlencode or htmlentities) is required.
Sebastian
[Back to original message]
|