Posted by Jerry Stuckle on 10/25/88 12:01

Sebastian Lisken wrote:
> Jerry Stuckle <jstucklex@attglobal.net> wrote:
>> It means more code, higher maintenance costs and opens the session to
>> stealing.
>
> There's something I don't seem to be able to get into your or Micha's
> head, however hard I'm trying.
>
> So, I'll have to say it again:
>
> If PHP uses cookies for session management (because it is configured to
> try and the browser allows it), SID is an empty string.
>
> Therefore:
>
> If cookies are used, no SID in server logs, links, bookmarks ... etc.
>
> Therefore:
>
> Using SID does not increase the risks of session stealing. The risk is
> there, I am aware of it. But I'm not increasing it in the slightest by
> using SID in the described way.
>
> Okay?
>
> Now I'm happy to discuss session stealing or fixation, and measures against
> that. Or Jerry's other arguments against using SID, which have their
> merit. (Well, not cost in this case, because here *removing* all those
> SIDs would be costly.) Just as long as we're clear:
>
> Using SID does not increase the risk of session ids ending up as part of
> URLs.
>
> Sebastian
>
>

Until the next time your session gets stolen because someone put the
session id in SID...

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
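The disagreement above turns on what the SID constant actually contains and on what a cookie-only configuration does with an id in the query string. The following is an added example (not code from either poster) showing the hardened php.ini settings a defender would choose, the SID behaviour Sebastian describes, and id rotation against fixation; the function names and the `/next.php` path are illustrative.

```php
<?php
// Added example, not from the thread. Shows what SID contains and a
// configuration under which session ids never appear in URLs.

// Hardening: accept the id only from the cookie, never rewrite links with
// it, and reject ids the server did not issue (anti-fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1');
}

session_start();

// SID is defined by session_start(): "" when the request carried the session
// cookie, otherwise "<session_name>=<id>" (first visit, or cookies blocked).
// That second case is where an id appended to links ends up in server logs,
// referer headers and bookmarks.
function sidWouldLeakIntoUrl(): bool
{
    return SID !== '';
}

// Link builder. With use_only_cookies=1 the server ignores any id in the
// query string, so appending SID could only leak it; the cookie carries the
// session and the link stays free of it.
function sessionLink(string $path): string
{
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Rotate the id whenever privileges change (login), so an id planted before
// authentication is worthless to whoever planted it.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $userId;
}

echo '<a href="' . sessionLink('/next.php') . '">next</a>';
if (sidWouldLeakIntoUrl()) {
    // Log the fact, not the id itself: the id is what we are keeping out of logs.
    error_log('session cookie "' . session_name() . '" not received; SID is non-empty');
}
```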
