Re: [Phplib-users] cookie_mode, fallback_mode, security
From: Giancarlo P. <gia...@na...> - 2002-06-13 12:27:38
D Rothe wrote:
>
> Basic question here:
> Could someone briefly explain why having a SID in the URL is so much more
> vulnerable to interception than being passed back via a cookie? (I
> did not understand Sascha Schumann's 'social engineering' reasoning.) If,
> say, the connection is secure, is not 'all' the data (including all the
> URL) also encrypted?

This is not a problem of transport, but of initiation, which happens before. Its behaviour is the same whatever. In fact, as it is now, it is impossible to set PHP in that way.

I attach my interpretation of the meaning of session.use_cookies, as I wrote it to Sascha Schumann. This supposes that you can know if a session preexisted. But I am not too concentrated today ;-) so maybe you can check it for logic? Sent it anyway...

Giancarlo

> Sorry to annoy you.
>
> You say that a proper interpretation of
> session.use_cookies
> means
> "If cookies are enabled, PHP will use them" (cfr)?
>
> In a session environment can't you (we) simply trigger the change
> of a 'mode' session environment? That would limit the possibility to
> downgrade, and limit the use of mode 'get' only among clients with
> cookies disabled, which fits exactly the interpretation given.
>
> This supposes that, knowing neither how to read nor how to write, if you
> find a SID in the URL you try to use cookies *anyway*.
> With this respect I noticed a difference in behavior among these
> versions:
>
> php 4.06 gets the SID from the URL, but leaves a cookie and keeps on
> relying on that.
>
> php 4.2.1 gets the SID from the URL, leaves no cookie and keeps relying
> on the SID in the URL.
>
> The behavior of 4.06 was more sane.
>
> Giancarlo
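The "mode switch" Giancarlo proposes (accept a SID from the URL only as a fallback, set a cookie anyway, and once the cookie comes back rely on it exclusively and stop putting the SID in links) can be implemented on top of PHP's session API. The script below is an added example written for this page; it is not PHP's own session code and not something from the thread. The function names sid_source(), sid_policy_start() and link_with_sid(), the '_mode' session key, and the ID regex are all invented here. It assumes the ini settings session.use_only_cookies, session.use_trans_sid and session.use_strict_mode exist (they do in modern PHP, not in the 4.x versions discussed), and that session_id() called before session_start() makes PHP adopt that ID and send the session cookie.

```php
<?php
// Added example: "cookie first, URL SID only as a fallback, upgrade to cookie
// as soon as it works". Names such as sid_policy_start() are hypothetical.
declare(strict_types=1);

const SESSION_NAME = 'PHPSESSID';

// Do not let PHP itself pick the SID out of the URL or rewrite links; the
// fallback path is handled explicitly below so it cannot be used to downgrade
// a client that already has a working cookie.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
session_name(SESSION_NAME);

/** Where did the session ID arrive for this request: 'cookie', 'url' or 'none'. */
function sid_source(array $cookie, array $get): string
{
    $valid = '/^[A-Za-z0-9,-]{22,256}$/';   // assumed shape of a PHP session ID
    if (isset($cookie[SESSION_NAME]) && preg_match($valid, $cookie[SESSION_NAME])) {
        return 'cookie';
    }
    if (isset($get[SESSION_NAME]) && preg_match($valid, $get[SESSION_NAME])) {
        return 'url';
    }
    return 'none';
}

/**
 * Start the session under the policy and return its state. The session stores
 * its own mode: 'get' until a cookie has been seen to come back, then 'cookie'.
 */
function sid_policy_start(array $cookie, array $get): array
{
    $source = sid_source($cookie, $get);

    if ($source === 'url') {
        // Fallback: no cookie, but a SID in the URL. Adopt it for this request;
        // session_start() will also send a cookie, so a client that does
        // accept cookies can be upgraded on its next request (the 4.0.6 behaviour
        // the thread calls "more sane"). Strict mode discards IDs we never issued.
        session_id($get[SESSION_NAME]);
    }
    session_start();   // with use_only_cookies=1 PHP reads the ID only from the cookie

    // A cookie arrived and a different SID is in the URL: the URL copy is stale
    // or leaked. Rotate so that whoever holds the URL copy gets nothing.
    if ($source === 'cookie'
        && isset($get[SESSION_NAME])
        && $get[SESSION_NAME] !== session_id()) {
        session_regenerate_id(true);
    }

    if (!isset($_SESSION['_mode'])) {
        // First request of this session: we do not yet know whether the
        // client returns cookies, so stay in 'get' mode unless it already did.
        $_SESSION['_mode'] = ($source === 'cookie') ? 'cookie' : 'get';
    } elseif ($source === 'cookie' && $_SESSION['_mode'] === 'get') {
        // The cookie came back: switch modes permanently and rotate the ID,
        // so the value that travelled in URLs (referers, logs, history) dies.
        $_SESSION['_mode'] = 'cookie';
        session_regenerate_id(true);
    }

    return ['source' => $source, 'mode' => $_SESSION['_mode'], 'id' => session_id()];
}

/** Append the SID to a link only while the session is still in 'get' mode. */
function link_with_sid(string $url, string $mode): string
{
    if ($mode !== 'get') {
        return $url;
    }
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . SESSION_NAME . '=' . rawurlencode(session_id());
}

$state = sid_policy_start($_COOKIE, $_GET);
header('Content-Type: text/html; charset=utf-8');
echo '<p>session mode: ', htmlspecialchars($state['mode']), '</p>';
echo '<a href="', htmlspecialchars(link_with_sid('/next.php', $state['mode'])), '">next</a>';
```

Request the script once without a cookie: the page links carry the SID and a Set-Cookie header goes out. Request the link it produced with the cookie returned: the session flips to 'cookie' mode, the ID is regenerated, and the links no longer carry a SID. Request it again with only the old URL SID and no cookie: strict mode rejects the rotated-away ID and the client gets a fresh, empty session, which is the downgrade limit Giancarlo was after.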