Hi, I guess you missed some points :)
Melvyn Sopacua wrote:
> At 08:18 14-8-2002, Yasuo Ohgaki wrote:
>
>> Rasmus Lerdorf wrote:
>>
>>> As much as I think trans-sid sucks from a performance perspective,
>>> what's with this comment in php.ini-dist?
>>>
>>> ; trans sid support is disabled by default.
>>> ; Use of trans sid may risk your users security. It may not be
>>> ; feasible to use this option for some sites. Use this option with
>>> ; caution.
>>> session.use_trans_sid = 0
>>>
>>> What security issue is this referring to?
>>
>> One security risk is sending a URL that contains an
>> active session ID to others.
>
> Using sessions as the only method for authentication and permission
> grants is a security risk, regardless of the client-side storage of the
> session ID. It's easy enough to send a cookie to somebody else.

Is sending a cookie file, or finding out the cookie value and sending it via email, as easy as sending a URL with the session ID in it? Will normal users notice the session ID in the URL and get rid of it before sending it to their friends?

>> Another is storing a URL that contains the session
>> ID in the history. The computer may be a public one.
>> The user may access the server with the same session ID
>> always. etc.
>
> If this is a public computer (I think you mean like in an internet cafe
> or library) the same applies to cookies, only then it's less obvious, so
> I'd say trans-sid is more secure.

A session ID in the URL can never be as secure as a cookie. Is using the same session ID forever secure? Or is asking users to close the browser as easy as asking them to find and delete history/bookmark entries? (Obviously, I'm assuming use of a session cookie here.)

> The 'always' factor depends on the session timeout.

Not only the server side timeout, but also the client side timeout is very important. That's one of the reasons why a session cookie is recommended. Users can easily control the lifetime of a cookie. We are also sure most users will close their browser sometimes. It's easy to ask users to close the browser, too.

I'm not saying a cookie based session is perfectly secure, but it's obvious to me that a URL based session is much less secure than a cookie based one, especially compared to a session cookie. A session cookie is the best way of passing a session ID. Second best is a normal cookie, then the URL/POST method.

--
Yasuo Ohgaki

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
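An added example, not part of this thread: a small Python scan over web server access logs that flags the trans-sid leakage paths discussed above (a session ID carried in the URL, such a link followed from another site, and one ID used from several client addresses). It assumes Apache combined log format and PHP's default session name PHPSESSID; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# PHP's default session.name; change it if the site renames the session.
SESSION_NAME = "PHPSESSID"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2002:08:18:00 +0000] "GET /index.php HTTP/1.0" 200 512 "-" "Mozilla"
10.0.0.5 - - [14/Aug/2002:08:18:05 +0000] "GET /cart.php?PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.0" 200 800 "http://shop.example.test/index.php" "Mozilla"
203.0.113.9 - - [14/Aug/2002:09:00:00 +0000] "GET /cart.php?PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.0" 200 800 "http://mail.example.org/read?msg=42" "Mozilla"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "[^"]*"$'
)

def session_id_in_url(url):
    """Return the session ID carried in the URL query string, or None."""
    vals = parse_qs(urlsplit(url).query).get(SESSION_NAME)
    return vals[0] if vals else None

def find_url_session_leaks(log_text, own_host):
    """Flag every request whose URL carries a session ID (trans-sid style).
    A hit is 'external_referer' when the Referer points at another host,
    i.e. a link with the embedded ID was followed from mail, a forum, etc.;
    otherwise it is a plain 'url_session_id' exposure (history, proxy logs)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sid = session_id_in_url(m["url"])
        if sid is None:
            continue
        ref_host = urlsplit(m["ref"]).hostname if m["ref"] != "-" else None
        kind = "external_referer" if ref_host and ref_host != own_host else "url_session_id"
        hits.append({"ip": m["ip"], "sid": sid, "kind": kind, "referer": m["ref"]})
    return hits

def shared_session_ids(hits):
    """Session IDs seen from more than one client IP: the ID was passed around."""
    by_sid = {}
    for h in hits:
        by_sid.setdefault(h["sid"], set()).add(h["ip"])
    return {sid: sorted(ips) for sid, ips in by_sid.items() if len(ips) > 1}

if __name__ == "__main__":
    found = find_url_session_leaks(SAMPLE_LOG, "shop.example.test")
    for h in found:
        print(h["kind"], h["ip"], h["sid"][:8] + "...", h["referer"])
    print("shared:", shared_session_ids(found))
```

Any hit of kind external_referer is the "URL sent to someone else" case from the thread; a shared session ID across addresses is worth forcing a logout for that session.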