Minal: It could be hacked, yes. But it should work like this: first the site should call for a Cookie. If the browser refuses the Cookie, *then* it checks the URL. To "steal" someone else's session, an end user would have to guess another user's "session id", which should be *really* hard (since it's, what, a 20-digit string?). It'd be next to impossible once the server is running on https. The important part is retiring session ids from the database as soon as possible. So when someone logs out, we should not only flush their session id, but we should check the timestamps on all active session ids, and flush the ones that have been idle for an hour or more.
-Scott

On Fri, 7 Feb 2003, Minal Amle wrote:

> Hello Scott,
>
> While testing the session handling, I found that the session id created by
> Apache::Session could be hacked. So displaying the session id in the URL could again
> be a disaster. One solution to this could be to use post method for every click, so
> that we will not need to pass the id as query string to the URL. Please suggest me
> whether we could go for this solution?
>
> Thanks and Regards,
> Minal Amle
> Software Engineer
> OAS Information Systems Pvt. Ltd.
> #2, Symphony-C, Range Hills Road,
> Pune 411020
> Tel: +91 20 5520311
> Fax: +91 20 5520312
> Email: [EMAIL PROTECTED]
> http://www.oas.co.in

_______________________________________________
Kaboodle-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/kaboodle-devel
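The flow Scott describes (look for the cookie first and fall back to the URL only if no cookie came back, make the id unguessable, and on logout flush the caller's session plus every session idle for an hour or more), as an added Python sketch that is not part of this thread or of Apache::Session. The in-memory store, the `session` parameter name and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_LIMIT = 3600  # retire sessions idle for an hour or more


class SessionStore:
    """In-memory stand-in for the session database (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be exercised offline
        self.sessions = {}          # session id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # 160 bits from the OS CSPRNG: guessing another user's id is infeasible,
        # unlike a short counter or a timestamp-derived value
        sid = secrets.token_hex(20)
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, cookies, query):
        """Cookie first; only if the browser sent no cookie do we read the URL."""
        sid = cookies.get("session") or query.get("session")
        entry = self.sessions.get(sid) if sid else None
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] >= IDLE_LIMIT:
            del self.sessions[sid]  # expired on touch: treat it like an unknown id
            return None
        entry["last_seen"] = self.clock()
        return entry["user"]

    def reap_idle(self):
        """Flush every session whose last activity is an hour or more ago."""
        now = self.clock()
        stale = [s for s, e in self.sessions.items() if now - e["last_seen"] >= IDLE_LIMIT]
        for s in stale:
            del self.sessions[s]
        return len(stale)

    def logout(self, sid):
        """Flush the caller's own session, then sweep the idle ones as Scott suggests."""
        self.sessions.pop(sid, None)
        return self.reap_idle()
```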