Re: Is it common to use session.use_trans_sid?



Chung Leong wrote:

Erwin Moller wrote:
So url rewriting doesn't give less or more security than cookie based
PHPSESSID transport...

I think you forgot about the HTTP Referer header. If your site has any
external links--or worse, links to external images--then the session ID
is easily compromised if it sits in the URL.

Yes, add that to the list of possible problems. :-)


There are two possible extra things to pay attention to:
a) On shared hosting environments, on most setups, anybody with access on
that server can read the filenames and content of cookies belonging
to other sites. So if somebody on the same server wants to be a bad guy,
they can just steal sessions.

Just the contents of the session file, not the cookie.

The name of the file reflects the session ID.
So both are compromised...


So my advice would be to just use session.use_trans_sid to support cookie
disabled browsers while not giving away security (since the security is
low already).

trans_sid doesn't work very well, especially when your site makes use
of Javascript. My advice is to turn it off, since using the feature
means doubling your QA time. Someone savvy enough to disable cookies is
probably savvy enough to make an exception for your site.

I don't get that, Cheong: what exactly goes wrong with JS in combination
with trans_sid? I use both a lot, so I am curious what you mean.

Regards,
Erwin Moller
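The settings that address the two risks raised in the thread (a session ID in the URL leaking via Referer, and session files readable by other tenants on shared hosting), as an added example that is not from the thread or from PHP's documentation. The save path is a placeholder and the script assumes the site is served over HTTPS.

```php
<?php
// Added example: keep the PHP session ID in a cookie only, never in the URL,
// and move session files out of the shared default directory.

// Assumption: this directory exists and is readable/writable only by this
// site's PHP user (mode 0700), so other tenants cannot list session files.
$privateSavePath = '/home/example-site/private/sessions'; // placeholder path

ini_set('session.use_only_cookies', '1'); // ignore a PHPSESSID sent via GET/POST
ini_set('session.use_trans_sid', '0');    // never rewrite the ID into links/forms
ini_set('session.cookie_httponly', '1');  // keep the cookie out of reach of JS
ini_set('session.cookie_secure', '1');    // send the cookie over HTTPS only
ini_set('session.save_path', $privateSavePath);

// Limit what the browser puts in the Referer header when following links
// to other origins, so remaining URL parameters are not leaked either.
header('Referrer-Policy: strict-origin-when-cross-origin');

session_start();

// If a session ID still arrives in the query string (an old trans_sid-era
// link that may already have been seen by a third party), it was ignored
// above; rotate the ID anyway so the session does not continue under a
// value that appeared in a URL.
if (isset($_GET[session_name()])) {
    session_regenerate_id(true); // true: delete the old session file
}
```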




