Thanks for the links

I am on shared hosted server and found when reading 

"If the cookie's path is set to '/' (the whole domain), then any website on
the same domain (might be lots of websites) _will_ get the cookie through
HTTP headers and could possibly hijack your session."

How can this be avoided, in a situation with shared hosting or not?

I have 
Webroot/
        public_html/
                /app1
                /app2 

Dave

-----Original Message-----
From: mark_story [mailto:[email protected]] 
Sent: October-04-09 1:57 PM
To: CakePHP
Subject: Re: Session / Security


You also should read up on Session Fixation, Session hijacking, and

http://en.wikipedia.org/wiki/Session_fixation
http://en.wikipedia.org/wiki/Session_hijacking

They kind of reference each other, but you get the idea.

-Mark

On Oct 3, 5:39 pm, Bert Van den Brande <[email protected]> wrote:
> You might want to read this: http://be2.php.net/manual/en/session.security.php
>
> On Sat, Oct 3, 2009 at 11:35 PM, Dave Maharaj :: WidePixels.com <[email protected]> wrote:
> >  Right on.
>
> > In my app nothing is passed in the url all my non-private areas are 
> > like /manage/profile or /manage/account as everything related to the 
> > user is obtained by auth ID of the logged in user and getting the 
> > info based on that.
>
> > So i was just wondering if someone did get the session, how would 
> > they do it and ways to prevent it.
>
> > Thanks
>
> > Dave
>
> >  ------------------------------
> > *From:* Bert Van den Brande [mailto:[email protected]]
> > *Sent:* October-03-09 6:40 PM
> > *To:* [email protected]
> > *Subject:* Re: Session / Security
>
> > I'm no expert on the subject, but I think session can be hijacked by :
> > * 'stealing' a sessions id from the url. This is only possible if 
> > the user browser doesn't use cookies so the session id is visible in 
> > the url
> > * stealing a session cookie
>
> > In either case, logging the user's IP would increase security imho.
>
> > I'm interested in other opinions :)
>
> > On Sat, Oct 3, 2009 at 10:08 PM, Dave Maharaj :: WidePixels.com < 
> > [email protected]> wrote:
>
> >>  Not quite sure how this works but how does one steal a session?
>
> >> I have my session info stored in the database... if I added IP to 
> >> the session so it also checks that the session IP matches the user 
> >> IP, would that increase the session security? What are safeguards / 
> >> good practice to secure session data?
>
> >> Thanks
>
> >> Dave

