Posted by R. Rajesh Jeba Anbiah on 01/19/08 16:43
On Jan 19, 6:35 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> R. Rajesh Jeba Anbiah wrote:
<snip>
> > 2. But, one can fix the session id by stuffing it into the cookie. This way,
> > someone can use some other user's session id and can access the
> > page--only if the default session handler is used. The solution is to use a
> > DB based session handler
>
> A DB based session handler will not solve this problem.
    I mean a custom session handler with a DB. It is easy to add
additional user agent and IP checks in a DB-based session handler.
> > 3. If the files handler is used, one can access the session
> > files (on a shared host). So, for all shared hosts the solution is a DB
> > based session handler
>
> Not as big of a problem as someone else getting the session ID and
> getting access to the user's session. Just getting a user ID from a
> session in a file isn't going to do much good. And you shouldn't be
> storing passwords in the session, anyway.
    Getting the real session IDs alone is sufficient for session
fixation. Knowing the user ID is more useful for fixing the session for
a particular user.
> You also neglect that if you're on a shared host, chances are you will
> not be able to implement db based sessions. At least not without a lot
> of work.
<snip>
    No, you don't require any setting change. It's damn easy, or just
find nice open source scripts.
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
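As an added example (not the poster's code, and not taken from any script mentioned in the thread), here is what a "custom session handler with DB" that adds user-agent and IP checks can look like in PHP 8 using PDO with an in-memory SQLite database. The class name, table layout, column names and the 1440-second TTL are assumptions chosen for illustration; the PHP functions and interfaces used are the standard ones. Two details matter more for fixation than the UA/IP binding: session.use_strict_mode=1 together with validateId() makes PHP refuse any session ID it did not itself issue, which is what stops an attacker from stuffing a chosen ID into the victim's cookie, and session_regenerate_id(true) at login discards whatever ID the client held before authenticating.

```php
<?php
// Added example, not the poster's code: DB-backed session handler that binds
// each session to the client's User-Agent and remote address and rejects IDs
// it never issued. In-memory SQLite so it runs stand-alone; the table name,
// columns and TTL are assumptions. Requires PHP 8 (union return types).

final class BoundDbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    private int $ttl;

    public function __construct(PDO $db, int $ttl = 1440)
    {
        $this->db  = $db;
        $this->ttl = $ttl;
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id      TEXT PRIMARY KEY,
            data    TEXT NOT NULL,
            ua_hash TEXT NOT NULL,
            ip      TEXT NOT NULL,
            expires INTEGER NOT NULL)');
    }

    // Client fingerprint. Both values come from the client and are spoofable,
    // so this is a speed bump against a stolen/fixed ID, not authentication.
    private function uaHash(): string { return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''); }
    private function ip(): string     { return $_SERVER['REMOTE_ADDR'] ?? ''; }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Called by PHP (only when session.use_strict_mode=1) before it accepts an
    // ID that arrived in the cookie. Returning false makes PHP throw the
    // client-supplied ID away and issue a fresh one: an attacker cannot plant
    // an ID of their choosing, which is the core of session fixation.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        return $st->fetchColumn() !== false;
    }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data, ua_hash, ip FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';                       // unknown or expired: start empty
        }
        // A known ID presented by a different client: kill it so the stolen or
        // fixed ID is dead for everyone, then start the caller with no data.
        if (!hash_equals($row['ua_hash'], $this->uaHash()) || $row['ip'] !== $this->ip()) {
            $this->destroy($id);
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, ua_hash, ip, expires) VALUES (?, ?, ?, ?, ?)');
        return $st->execute([$id, $data, $this->uaHash(), $this->ip(), time() + $this->ttl]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $st = $this->db->prepare('UPDATE sessions SET expires = ? WHERE id = ?');
        return $st->execute([time() + $this->ttl, $id]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

ini_set('session.use_strict_mode', '1');   // without this, validateId() is never consulted
ini_set('session.use_only_cookies', '1');  // never take the ID from the URL
ini_set('session.cookie_httponly', '1');

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new BoundDbSessionHandler($pdo), true);
session_start();

// On login (privilege change) discard the pre-auth ID, so nothing an attacker
// managed to plant before authentication carries over into the logged-in session.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Two caveats a practitioner would add. The REMOTE_ADDR check will log out legitimate users whose address changes mid-session (mobile carriers, corporate proxy pools), so many deployments keep only the User-Agent binding or drop both in favour of strict mode plus regeneration. And on a shared host, moving sessions out of the shared temp directory into a database only helps if the database credentials are kept away from other tenants as well (config file outside the web root, per-account DB user), otherwise the same neighbour who could read the session files can read the sessions table.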