RE: [Phplib-users] Re: latest snapshot
From: Richard A. <rh...@ju...> - 2002-11-06 22:33:14
At 16:19 -0500 6/11/02, Rob Hutton wrote:
> If you allow the session ID to be passed in as a string, then someone can
> hijack a session by simply passing the session ID in the get string. A
> cookie is much harder to insert, and since they are session cookies, they
> can't easily be viewed or replicated...

OK. It is trivial to insert a cookie once you know the values. You can edit your cookie file with a text editor or use curl to pass in the cookie on the command line. So, session ID discovery is really the key here.

If physical access is available, concealing the session ID is meaningless because the perp can sit at that machine and continue the existing session just as easily as they could copy down the session ID from screen or run a memory scanning utility to find it.

Without physical access to the user's machine, session hijacking requires sniffing the traffic to determine the session ID... in which case the GET string and the cookie would both be displayed as plain as day.

However, I would assume that if security is any sort of an issue then the session would be running over SSL, in which case it is not a trivial matter to obtain either the GET string or the cookie, and in this case I can't see why one should be preferred over another.

But I must admit I've never studied this area in great depth.

...Richard.
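The point in the message above about cleartext traffic, as an added example that is not part of the original post: a small parser that reports every place a session ID appears in an unencrypted HTTP request. The session name `Example_Session`, the host, the path and the ID value are constructed assumptions, not values from the thread.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_NAME = "Example_Session"  # assumed name of the GET parameter / cookie

# Constructed cleartext requests, one per transport mode (not captured traffic).
GET_MODE = (
    b"GET /index.php3?Example_Session=0123456789abcdef0123456789abcdef HTTP/1.0\r\n"
    b"Host: www.example.test\r\n"
    b"\r\n"
)
COOKIE_MODE = (
    b"GET /index.php3 HTTP/1.0\r\n"
    b"Host: www.example.test\r\n"
    b"Cookie: Example_Session=0123456789abcdef0123456789abcdef\r\n"
    b"\r\n"
)


def session_ids_on_wire(raw, name=SESSION_NAME):
    """Return {transport: session_id} for each place the ID is readable."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    found = {}

    # Transport 1: the query string in the request line.
    parts = request_line.split(" ")
    if len(parts) >= 2:
        query = parse_qs(urlsplit(parts[1]).query)
        if name in query:
            found["get"] = query[name][0]

    # Transport 2: the Cookie request header.
    for line in header_lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            if name in jar:
                found["cookie"] = jar[name].value
    return found


if __name__ == "__main__":
    for label, raw in (("GET mode", GET_MODE), ("cookie mode", COOKIE_MODE)):
        print(label, session_ids_on_wire(raw))
```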