Re: [Phplib-users] Sessions where are we going??
From: Giancarlo <gia...@na...> - 2002-07-01 12:39:46
On Monday 1 July 2002 at 14:31, Donncha O Caoimh wrote:
> Great, thanks for clearing that up. There was a small bit of mixed
> communication! The issue with php4 sessions and the URL is a serious one,
> but using cookies doesn't block it, it only makes it harder for an attacker
> to take over a session. (They create a cookie file.. etc etc)

That makes a lot of difference. Stealing a cookie is difficult; offering a 'stealable' one is a lot easier.

And also among 'stealable' ones, there is a difference. If you know that 'any' id can be created (and though re-created), you can rely on the fact that someone who, let's say, has it in his bookmarks will recreate the same id (known to the instiller from the beginning).

If arbitrary id creation is not allowed, the 'instiller' has to have phplib generate one for him every time, and find a way to pass it again, while still alive, to the victim. So, not allowing the creation of ids is also blocking a good deal of social engineering.

The logic that 'a horse with three legs can still walk, so it's no use' is wrong, because the next leg we cut, there will remain only two, and so on.

Gian
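The two id policies Gian contrasts, modelled as an added example that is not phplib code: a permissive store creates whatever id the client presents, a strict store discards unknown ids and issues its own. The planted id, the victim name and the `SessionStore` class are constructed for illustration.

```python
import secrets


class SessionStore:
    """Server-side session table; `accept_client_ids` selects the policy."""

    def __init__(self, accept_client_ids: bool):
        self.accept_client_ids = accept_client_ids
        self.sessions = {}  # session id -> session data

    def start(self, presented_id):
        """Return the id used for this request, given the id found in the
        cookie or URL (None if there was none)."""
        if presented_id is not None and presented_id in self.sessions:
            return presented_id  # known, live session: honour it
        if presented_id is not None and self.accept_client_ids:
            # Permissive policy: an arbitrary id becomes a real session.
            self.sessions[presented_id] = {}
            return presented_id
        # Strict policy: unknown id is dropped, server issues a fresh one.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        self.sessions[sid]["user"] = user

    def user_of(self, sid):
        return self.sessions.get(sid, {}).get("user")


def planted_id_carries_login(accept_client_ids):
    """A never-issued id is planted (e.g. via a bookmarked URL) and the
    victim logs in under it. True means the planted id now holds the
    victim's login, i.e. the fixation succeeded."""
    store = SessionStore(accept_client_ids)
    planted = "constructed-planted-id"  # constructed, never issued by server
    sid = store.start(planted)
    store.login(sid, "victim")
    return store.user_of(planted) == "victim"


def live_issued_id_carries_login():
    """The residual case Gian describes: a strict store still honours an id
    it issued itself, if it is passed on while still alive."""
    store = SessionStore(accept_client_ids=False)
    issued = store.start(None)          # obtained from the server
    sid = store.start(issued)           # presented again, still alive
    store.login(sid, "victim")
    return store.user_of(issued) == "victim"
```

Strict mode closes the bookmark case but, as the post says, only cuts one leg: a live server-issued id is still accepted, which is why regenerating the id at login remains a separate step.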