Re: [Phplib-users] new Session4 changes
From: Giancarlo <gia...@na...> - 2002-12-03 09:51:04
> If session hijacking is of concern, the site must be running SSL.

There are two classes of worry. The first is that anyone, without any skill or tool, can propose an URL that already contains a session_id, that he will later steal. For this SSL won't do anything. To this same class of malice belong cross site scripting injections, that will exec Javascript and post the cookies to someone else. These are all artisanal tools, quite simple to use.

The second class of worries is that someone can be sniffing packets. But if this is the case, session_id stealing is really little to worry about, because the guy has already spoofed the DNS and is virtually in control of the server, so he's probably not interested too much in what is passing through httpd. You are already cooked all the way ;-)

What worries most is the first class of cracks, because they are so damn easy that any computer illiterate can rig it up just by means of an URL or by posting a js tag.

I read something bad about the 'Apache' cookie (mod usertrack?), saying that it was only adapted to track behaviours but not for security. Dunno the SSL_SESSION_ID, but the plain apache session id (?Apache=) contains a part with the IP. I tried already to stick on that instead of PHP4, but I stopped after reading about this.

> In which case perhaps the SSL_SESSION_ID Apache Environment Variable
> would be a better thing to track than IP address?
>
> I'm not sure under what circumstances that would be re-negotiated
> though!
>
> ...R.
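The "first class" Giancarlo describes (a session id planted in a URL, or a cookie posted away by injected script) is defeated on the server side rather than by SSL. The following is an added example, not PHPLIB code and not anything from this thread: a constructed in-memory session store in Python that only honours ids the server itself issued, ignores ids carried in the query string, rotates the id when a user logs in, and emits the cookie with HttpOnly and Secure. The `strict`, `rotate_on_login` and `cookies_only` switches are assumptions made so the weak and hardened behaviours can be compared side by side; `fixation_attempt` replays the planted-URL scenario against each configuration.

```python
"""Constructed demonstration of session-fixation and cookie-theft mitigations.
Not PHPLIB code; the store and its switches are assumptions for illustration."""
import secrets
import time


class SessionStore:
    """In-memory session store keyed by server-issued ids."""

    def __init__(self, strict=True, rotate_on_login=True, ttl_seconds=1800):
        self.strict = strict                    # False adopts any id a client presents
        self.rotate_on_login = rotate_on_login  # False keeps the pre-login id
        self.ttl = ttl_seconds
        self._sessions = {}                     # sid -> {"user": ..., "created": ...}

    def _new_id(self):
        # 256 bits from the OS CSPRNG; an attacker cannot guess or pre-choose it
        return secrets.token_urlsafe(32)

    def create(self):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def resolve(self, presented_id):
        """Map a client-presented id to a live session id.

        Strict mode never adopts an unknown id: the client gets a fresh one, so a
        URL an attacker handed to the victim names no session the attacker can
        later reuse. Lax mode adopts the unknown id as-is (the fixation hole).
        """
        record = self._sessions.get(presented_id)
        if record is not None:
            if time.time() - record["created"] > self.ttl:
                del self._sessions[presented_id]   # expired: do not resurrect it
                return self.create()
            return presented_id
        if self.strict or presented_id is None:
            return self.create()
        self._sessions[presented_id] = {"user": None, "created": time.time()}
        return presented_id

    def login(self, sid, username):
        """Bind a user to the session; with rotation, invalidate the old id."""
        record = self._sessions[sid]
        record["user"] = username
        if not self.rotate_on_login:
            return sid
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = record
        return new_sid

    def user_for(self, sid):
        record = self._sessions.get(sid)
        return record["user"] if record else None


def presented_id(cookies, query_params, cookies_only=True):
    """Which id did the client present? With cookies_only the ?PHPSESSID=...
    form in a URL is ignored, removing the easiest way to plant an id."""
    if "PHPSESSID" in cookies:
        return cookies["PHPSESSID"]
    if not cookies_only:
        return query_params.get("PHPSESSID")
    return None


def session_cookie_header(sid, over_tls=True):
    """Set-Cookie line. HttpOnly keeps injected script from reading document.cookie;
    Secure keeps the cookie off plaintext connections."""
    attrs = ["PHPSESSID=" + sid, "Path=/", "HttpOnly"]
    if over_tls:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def fixation_attempt(strict, rotate_on_login):
    """Attacker plants a known id, victim follows the URL and logs in.
    Returns whoever the attacker's planted id now resolves to (None = attack failed)."""
    store = SessionStore(strict=strict, rotate_on_login=rotate_on_login)
    planted = "attacker-chosen-id"                # constructed id carried in the URL
    victim_sid = store.resolve(planted)           # victim's browser presents it
    store.login(victim_sid, "victim")             # victim authenticates
    return store.user_for(planted)                # attacker presents the planted id


if __name__ == "__main__":
    for strict, rotate in ((False, False), (True, False), (False, True), (True, True)):
        print(f"strict={strict} rotate={rotate} -> {fixation_attempt(strict, rotate)}")
    print(session_cookie_header(SessionStore().create()))
```

Only the lax, non-rotating configuration lets the planted id reach the victim's logged-in session; either refusing unknown ids or rotating on login is enough on its own, and doing both covers the case where one check is bypassed. Ignoring query-string ids and marking the cookie HttpOnly address the URL and script-injection vectors that the post says SSL does nothing about.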