Re: Reality Check: Session Hijacking

From: mrbog (dterrors_at_hotmail.com)
Date: 05/08/04


Date: 7 May 2004 18:09:39 -0700

Daniel Tryba <news_comp.lang.php@canopus.nl> wrote in message news:<c7fvlg$nn7$1@news.tue.nl>...
> Everything in a http request/response isn't secure. If someone is
> sniffing data (kind of man-in-the-middle attack) you're screwed unless all
> data is being encrypted (with something like ssl). But the problem in
> most cases isn't sniffing... it's cross-site scripting bugs enabling
> potential harmful (java)script to send data to a 3rd party, this script
> isn't limited to cookies...
>
> It's a shame you're not responding to my suggestion not to use static
> data in the post fields... because your solution is nothing more than
> disabling sessioncookies and putting the session identifier in forms
> (which php already has support for AFAIK).

You're closer, but what you're talking about is each user having two
session cookies. Or, you're talking about all apps on the site that
use sessions being over https, and the http apps/pages couldn't have
sessions. One of the two. In PHP.ini I only see one way to specify
cookie name:

; Name of the session (used as cookie name).
session.name = PHPSESSID

Can I have two distinct sessions per user with php?

In any case, once again, that's not what that zend site says to do.
They're promoting Adriaan's insecure way.

thanks for weighing in

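The question above (one session cookie for the HTTPS part of the site and a separate one for the plain-HTTP part) can be answered in PHP by choosing the cookie name per request before `session_start()`. The following is an added example, not code from the original post or from the Zend article being discussed; the cookie name `SECURESESSID` and the `is_https()` helper are illustrative choices, and the helper assumes the app is served directly rather than behind a TLS-terminating proxy.

```php
<?php
// Added example (not from the original post): two distinct PHP sessions per
// browser, selected by scheme. session_name() called before session_start()
// overrides the session.name setting from php.ini for this request only.

function is_https(): bool
{
    // Assumption: no reverse proxy terminates TLS in front of PHP. Behind
    // one, you would have to consult a forwarded header you explicitly trust.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_scoped_session(): string
{
    if (is_https()) {
        // HTTPS session: the cookie carries the Secure flag, so the browser
        // never sends this identifier over a plaintext HTTP request.
        session_name('SECURESESSID');          // illustrative name
        session_set_cookie_params([
            'lifetime' => 0,                    // browser-session cookie
            'path'     => '/',
            'secure'   => true,                 // HTTPS only
            'httponly' => true,                 // hidden from document.cookie
            'samesite' => 'Strict',
        ]);
    } else {
        // Plain-HTTP session: a different cookie name, so a sniffed copy of
        // it is not also the identifier of the HTTPS session.
        session_name('PHPSESSID');             // the php.ini default name
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'secure'   => false,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    session_start();
    return session_name();                      // name now in use for this request
}

// Usage: call at the top of every page, then use $_SESSION as usual.
$active = start_scoped_session();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo "Active session cookie: {$active}, hits: {$_SESSION['hits']}\n";
```

The array form of `session_set_cookie_params()` needs PHP 7.3 or later. Pair this with `session.use_only_cookies = 1` and `session.use_trans_sid = 0` in php.ini so neither identifier is ever rewritten into URLs or form fields, where it would leak through Referer headers and logs regardless of which cookie name is used.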