[Phplib-users] session stealing and fallback_mode=get
From: Giancarlo P. <gia...@na...> - 2002-05-29 15:13:16
You all probably know that anyone can be forced into a hijackable session just by being offered a link to click on like http://whatever.com/whatever.php3?Example_Session=friendsonly? This case shows cookies to be the secure choice.

I am sure there's something wrong in the code, because even if 'get' is the intended mode as a 'fallback', here we not only force the session, but the mode too. I think that if 'cookie' is set and cookies are on, it should definitely use them, while it seems to be driven into the fallback mode when the session is present in the URL. I am afraid this is a fault, and should be fixed.

It should be stressed that mode=get should be disabled for security and by default, and used only in restricted environments.

Giancarlo
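As an added illustration, not PHPLIB's code and not part of the post, here is a small Python model of the session lookup the post argues for: a client that presents a cookie is never dropped to GET mode, an id the server did not issue (such as the `friendsonly` value in the link above) is discarded instead of adopted, and the id is regenerated at login. The `SessionStore` class, its method names and the request dicts are assumptions made for the example.

```python
import secrets

SESSION_NAME = "Example_Session"  # same parameter name as in the post's link


class SessionStore:
    """Constructed model of a fixation-resistant session manager (not PHPLIB)."""

    def __init__(self):
        self.sessions = {}  # server-issued session id -> session data

    def _issue(self, data=None):
        # Ids are always generated server-side; a client can never choose one.
        sid = secrets.token_hex(16)
        self.sessions[sid] = data if data is not None else {}
        return sid

    def resolve(self, cookies, query, cookie_mode=True, fallback_get=False):
        """Return (sid, data, is_new).

        Cookie mode wins whenever the client sent a cookie; the GET fallback is
        consulted only when it is explicitly enabled and no cookie arrived.
        """
        candidate = None
        if cookie_mode and SESSION_NAME in cookies:
            candidate = cookies[SESSION_NAME]
        elif fallback_get and SESSION_NAME in query:
            candidate = query[SESSION_NAME]

        if candidate in self.sessions:
            return candidate, self.sessions[candidate], False

        # Unknown id (including one planted in a link): ignore it and start fresh,
        # so a forced value never becomes a live session the planter can reuse.
        sid = self._issue()
        return sid, self.sessions[sid], True

    def login(self, sid, user):
        """Rotate the id on privilege change; the pre-login id stops working."""
        data = self.sessions.pop(sid)
        data["user"] = user
        return self._issue(data)
```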