Posted by Jerry Stuckle on 10/25/88 12:01
Sebastian Lisken wrote:
> Jerry Stuckle <jstucklex@attglobal.net> wrote:
>> It means more code, higher maintenance costs and opens the session to
>> stealing.
>
> There's something I don't seem to be able to get into yours or Micha's
> head, however hard I'm trying.
>
> So, I'll have to say it again:
>
> If PHP uses cookies for session management (because it is configured to
> try and the browser allows it), SID is an empty string.
>
> Therefore:
>
> If cookies are used, no SID in server logs, links, bookmarks ... etc.
>
> Therefore:
>
> Using SID does not increase the risks of session stealing. The risk is
> there, I am aware of it. But I'm not increasing it in the slightest by
> using SID in the described way.
>
> Okay?
>
> Now I'm happy to discuss session stealing for fixation, measures against
> that. Or Jerry's other arguments against using SID, which have their
> merit. (Well, not cost in this case, because here *removing* all those
> SIDs would be costly.) Just as long as we're clear:
>
> Using SID does not increase the risk of sessions ending up as part of
> URLs.
>
> Sebastian
>
>
Until the next time your session gets stolen because someone put the
session id in SID...
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
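
Added example, not part of either poster's message: whether session IDs are actually reaching URLs on a given site can be checked from the access log. The sketch below assumes Apache/nginx combined log format and PHP's default session name `PHPSESSID`; the log lines, IPs and IDs are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format:
# ip ident user [time] "METHOD uri PROTO" status size "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def sid_in(url, name="PHPSESSID"):
    """Return the session ID carried in a URL's query string, or None."""
    vals = parse_qs(urlsplit(url).query).get(name)
    return vals[0] if vals else None

def scan(lines, name="PHPSESSID"):
    """Map each session ID found in a request URI or Referer to the client IPs seen with it."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, uri, referer = m.groups()
        for url in (uri, referer):
            sid = sid_in(url, name)
            if sid:
                seen[sid].add(ip)
    return dict(seen)

def shared(seen):
    """Session IDs that appeared in URLs for more than one client IP."""
    return sorted(s for s, ips in seen.items() if len(ips) > 1)

# Constructed sample log lines (documentation IP ranges, made-up IDs).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cart.php?PHPSESSID=aaa111 HTTP/1.1" 200 512 "-" "UA"',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /cart.php?PHPSESSID=aaa111 HTTP/1.1" 200 512 "-" "UA"',
    '192.0.2.33 - - [01/Jan/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 900 "http://example.com/a.php?PHPSESSID=bbb222" "UA"',
    '192.0.2.44 - - [01/Jan/2024:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "UA"',
]

if __name__ == "__main__":
    found = scan(SAMPLE)
    for sid, ips in sorted(found.items()):
        print(sid, sorted(ips))
    print("seen from more than one IP:", shared(found))
```

An ID seen from several IPs is a lead to review, not proof of theft, since one client can legitimately change address mid-session.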