At 10:58 14-8-2002, Yasuo Ohgaki wrote:

>Hi,
>
>I guess you missed some points :)

Nope :-)

>Melvyn Sopacua wrote:
>>At 08:18 14-8-2002, Yasuo Ohgaki wrote:
>>
>>>Rasmus Lerdorf wrote:
>>>
>>>>As much as I think trans-sid sucks from a performance perspective, what's
>>>>with this comment in php.ini-dist?
>>>>; trans sid support is disabled by default.
>>>>; Use of trans sid may risk your users security. It may not be
>>>>; feasible to use this option for some sites. Use this option with caution.
>>>>session.use_trans_sid = 0
>>>>What security issue is this referring to?
>>>
>>>
>>>One security risk is sending a URL that contains an
>>>active session ID to others.
>>
>>Using sessions as the only method for authentication and permission grants 
>>is a security risk, regardless of the client-side storage of the session 
>>ID. It's easy enough to send a cookie to somebody else.
>
>Is sending a cookie file, or finding out the cookie value and sending it via email,
>as easy as sending a URL with the session ID?
>
>Will normal users notice the session ID in the URL and get rid of it before
>sending it to their friends?

Again - security by obscurity. It does not change the fact that 
if($_SESSION['logged_in']) { 'good' } is insecure.
Using trans-sid only makes things more transparent, which is not equal to 
less secure in my book, but I know opinions vary in that area.


>>>Another is storing a URL that contains the session
>>>ID in the history. The computer may be a public one.
>>>The user may access the server with the same session ID
>>>always. etc
>>
>>If this is a public computer (I think you mean like in an internet cafe 
>>or library) the same applies to cookies, only then it's less obvious, so 
>>I'd say trans-sid is more secure.
>
>Session ID in URL can never be as secure as cookie.
>
>Is using the same session ID forever secure? Or is asking users to close the 
>browser as easy as asking them to find and delete history/bookmarks? (Obviously, 
>I'm assuming use of a session cookie here)

Again - this does __not__ change the fact that sensitive information 
should not be stored in sessions, cause that's the real problem.

And if it's not sensitive information that's stored, who cares that 
somebody else uses the session ID.


Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua
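
As an added illustration of the two positions above (not code from either poster), the following PHP keeps the session ID out of URLs and history as Yasuo wants, and stops treating a session flag as a permanent grant as Melvyn wants. The user table and password are constructed sample values; `login`, `current_user_id` and `logout` are hypothetical names.

```php
<?php
// Added example (not from the thread): session handling that keeps the ID out of
// URLs and does not rely on a long-lived session flag for authorization.

// Constructed sample user table; in a real application this comes from a database.
$USERS = ['alice' => ['id' => 42, 'hash' => password_hash('s3cret-example', PASSWORD_DEFAULT)]];

// Session IDs travel only in cookies, and only IDs the server issued are accepted.
ini_set('session.use_trans_sid', '0');      // no ?PHPSESSID=... rewritten into links
ini_set('session.use_only_cookies', '1');   // ignore an ID supplied in the query string
ini_set('session.use_strict_mode', '1');    // reject IDs the server never created
ini_set('session.cookie_httponly', '1');    // cookie not readable from page script
ini_set('session.cookie_secure', '1');      // cookie sent over HTTPS only
ini_set('session.cookie_samesite', 'Lax');
session_start();

function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return false;
    }
    // Swap the pre-login ID for a fresh one, so an ID that leaked earlier (history,
    // forwarded URL, shared machine) grants nothing after authentication.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $users[$user]['id'];
    $_SESSION['auth_time'] = time();
    return true;
}

// The session carries only a user reference and a timestamp; anything sensitive is
// looked up server-side per request, and the login expires instead of living forever.
function current_user_id(int $max_age = 900): ?int
{
    if (empty($_SESSION['user_id']) || time() - $_SESSION['auth_time'] > $max_age) {
        logout();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        setcookie(session_name(), '', time() - 42000, '/', '', true, true);
    }
    session_destroy();
}
```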


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php