Posted by pim on 10/15/39 12:00
On 17 jan, 12:01, Dikkie Dik <dik...@nospam.org> wrote:
> > For example:
> > - A user logs in
> > - Now set is: $_SESSION["user_id"] = 34;
> > - If he opens his "Profile page", the website collects all personal
> > information from table users where user_id = 34
>
> > But according to this article:
> >http://www.governmentsecurity.org/archive/t13901.html
>
> > It is easy to change $_SESSION["user_id"] to for example 78.
> > So, that means that once you are logged in and change your own
> > user_id, you can see personal information from other users.
>
> I did not see that example. The cookie part of that page is very
> unspecific, and has little to do with session cookies.
>
> Google for "session hijacking" and "session fixation" to find out more.
>
> In short, it is possible to pass another session id, thus changing to
> another session. There is one thing that prevents it:
>
> Session IDs are rather large, and sessions do not live that long. So
> switching over to a random other session requires an absurd quantity of
> luck.
>
> However, if you can intercept the http traffic, you can mess up as much
> as you like. You can send regular requests to the webserver with a
> cookie to keep that session open.
> If you build the site on https instead of http, the cookies will be
> encrypted also.
>
> A "real" session cookie only has an ID to a session, not live data. That
> data remains on the server if you do not send it to the client. In fact,
> I think the session is safe to store real IDs, but parameters are not.
> So I usually hash all IDs before using them for client communication.
>
> Best regards
Thanks for your reply!
I now understand I must have confused cookies and sessions.
How does your suggestion on hashing IDs work?
Like this: profilepage.php?uid=7sy6fsnyfm984oym3oyowiuyrowr432
and server side: SELECT * FROM users WHERE md5(users.user_id) = $uid;
Or more like this: SELECT * FROM users WHERE users.uidhash = $uid;
Kind regards,
Pim
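An added example (my own code, not anything posted in this thread) of the two points discussed above in PHP: the profile page reads user_id from the server-side session rather than from anything the browser sends, and where an id must go to the client it is an opaque per-user token stored in a uidhash column and looked up with a bound parameter, which is pim's second form. It assumes the PDO sqlite driver; the users table, its column names, the function names and the sample rows are hypothetical and constructed for the example. One caveat the thread does not spell out: md5(users.user_id) computed in the query is not a secret, because numeric ids are small enough to hash one by one, so the token should be random and stored, not derived from the id.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes the PDO sqlite driver; the
// users table (user_id, uidhash, name, email), the sample rows and all
// function names are hypothetical, named after the columns pim mentions.

function newPublicId(): string
{
    return bin2hex(random_bytes(16)); // 128 random bits from the CSPRNG
}

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        user_id INTEGER PRIMARY KEY,
        uidhash TEXT NOT NULL UNIQUE,
        name    TEXT NOT NULL,
        email   TEXT NOT NULL UNIQUE
    )');
    $ins = $db->prepare('INSERT INTO users (user_id, uidhash, name, email) VALUES (?, ?, ?, ?)');
    // Constructed sample rows. uidhash is minted once at registration and is
    // not derived from user_id, so it cannot be recomputed from a guessed number.
    foreach ([[34, 'Pim', 'pim@example.org'], [78, 'Someone else', 'other@example.org']] as [$id, $name, $email]) {
        $ins->execute([$id, newPublicId(), $name, $email]);
    }
    return $db;
}

// Login. $session stands in for $_SESSION: only the server-side session
// learns user_id; the browser only ever receives the session cookie.
function login(PDO $db, array &$session, string $email): bool
{
    $st = $db->prepare('SELECT user_id FROM users WHERE email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $session['user_id'] = (int) $row['user_id']; // password check omitted for brevity
    return true;
}

// "Profile page": the id comes from the session, never from the request, so
// a client cannot become user 78 by editing anything it can see or send.
function ownProfile(PDO $db, array $session): ?array
{
    if (!isset($session['user_id'])) {
        return null;
    }
    $st = $db->prepare('SELECT name, email FROM users WHERE user_id = ?');
    $st->execute([$session['user_id']]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Where an id must travel to the client (a link to someone's public profile),
// expose the stored uidhash. This is pim's second form, with $uid bound as a
// parameter instead of interpolated into the SQL text.
function profileLinkFor(PDO $db, int $userId): string
{
    $st = $db->prepare('SELECT uidhash FROM users WHERE user_id = ?');
    $st->execute([$userId]);
    return 'profilepage.php?uid=' . rawurlencode((string) $st->fetchColumn());
}

function publicProfile(PDO $db, string $uid): ?array
{
    // Reject anything that is not a 32-hex-char token before touching the db.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $uid)) {
        return null;
    }
    $st = $db->prepare('SELECT name FROM users WHERE uidhash = ?');
    $st->execute([$uid]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// pim's first form, WHERE md5(users.user_id) = $uid, hides nothing: an
// attacker hashes 1, 2, 3, ... and tries each one. With a stored random
// token the same guess finds nobody.
function guessMd5Uid(int $candidate): string
{
    return md5((string) $candidate);
}

$db = setupDb();
$session = [];
login($db, $session, 'pim@example.org');
print_r(ownProfile($db, $session));             // Pim's own row, selected by the session's user_id
$link = profileLinkFor($db, 78);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
print_r(publicProfile($db, $q['uid']));         // public view of user 78 via the opaque token
var_dump(publicProfile($db, guessMd5Uid(78)));  // NULL: md5("78") matches no stored token
```

In a real page the `$session` argument is `$_SESSION` after `session_start()`, and `$q['uid']` is `$_GET['uid']`; the shape of the queries is the same.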