Re: Hiding variables passed via URL



..oO(The Natural Philosopher)

> I have no trouble understanding cookies and sessions.
>
> It's Jerry's assumptions that I didn't know that irritate.
>
> All that is needed to preserve state across a session is to have some
> unique session ID. That has to be carried by a cookie or by a URL.
>
> After that, you can associate any amount of crap with that session ID.
>
> I simply didn't see any difference in principle between carrying the
> session ID in a URL and in a cookie.

There are a dozen ways for a URL to leak (the HTTP_REFERER is just one
way), which would easily allow other sites to grab valid session IDs.
Such attacks were done some years ago against a number of big free mail
services, which led to thousands of stolen accounts.

Session cookies are much more secure, because you actually have to sniff
the HTTP communication between the clients and the server or use XSS to
grab them.

> Which I pointed out. Jerry then said 'what's cookies got to do with it'
> so I explained what they had to do with it.

But they don't have anything to do with the OP's problem, which was about
passing data from one page to another. POST won't work here, GET is not
wanted, so the only viable alternative is a session. Question answered.

Micha
.
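A defender-side check for the Referer leak Micha describes, added here as an example and not code from the thread: it scans constructed Apache "combined" format log lines for session IDs travelling in request URLs or Referer headers, assuming shop.example is the site's own hostname.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query-string parameter names commonly used to carry a session ID in a URL
SESSION_PARAMS = {"phpsessid", "sid", "sessionid", "jsessionid"}

# Apache/nginx "combined" format: client ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)

# Constructed sample log lines (not taken from any real server)
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?PHPSESSID=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cart.php HTTP/1.1" 200 2048 "http://shop.example/index.php?PHPSESSID=abc123" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /about.php HTTP/1.1" 200 1024 "http://othersite.example/page?sid=zzz999" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def session_ids_in_url(url):
    """Return [(param, value), ...] for query parameters whose name looks like a session ID."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, vals in query.items() if k.lower() in SESSION_PARAMS for v in vals]

def mask(value):
    return value[:4] + "..."  # never copy a full token into a report; keep enough to correlate

def scan_log(lines, own_host):
    """Flag entries where a session ID travels in a URL.
    'request': this server accepted a session ID from a URL, so its pages most likely emit
    such URLs and every outbound link leaks the ID through the Referer header.
    'referer' from own_host confirms that; from a foreign host, another site leaked a token to us.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # real logs contain malformed lines; skip rather than crash
        _client, _method, path, _status, referer = m.groups()
        for param, value in session_ids_in_url(path):
            findings.append({"line": lineno, "where": "request", "host": own_host,
                             "foreign": False, "param": param, "value": mask(value)})
        if referer and referer != "-":
            ref_host = urlsplit(referer).hostname or ""
            for param, value in session_ids_in_url(referer):
                findings.append({"line": lineno, "where": "referer", "host": ref_host,
                                 "foreign": ref_host != own_host, "param": param, "value": mask(value)})
    return findings
```

Any "request" finding is the cue to switch PHP to cookie-only session IDs (session.use_only_cookies on, session.use_trans_sid off); foreign "referer" findings are tokens that should be scrubbed from the logs rather than kept.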


