--- "Matthew A. Blasinski" <[EMAIL PROTECTED]> wrote: > My question - what is the best way to "know" the session id between > pages? Posting it in the URL and using $_GET["PHPSESSID"] is one > solution, but this seems like a hassle and is also open to attack if > someone could "guess" a valid session ID.
As a side note, you should probably use a word like "put" to describe placing data in the URL like that, because "post" refers to a different method altogether. :-) As for session IDs, there are basically three ways you can have the client send that to you: 1. In a Cookie header 2. In the URL 3. In the content section (POST) These are all quite open to attack, especially over non-SSL connections (which is the more popular case). In your case, cookies are probably not an option if you are dealing with multiple domains. At the very least, they can only help to track a session on one domain, and you'll have to develop a way to transfer the session across domains anyway. POST is sort of a hassle, because you have to make sure every request from your users is a POST. So, sending data in the URL is probably your best choice. Try to focus on two tasks as you try to secure this data transfer: 1. Try to make the session ID hard to get and hard to guess. 2. Try to make a stolen session ID useless to anyone but the rightful owner. Too often, developers try to focus on (and depend on) task 1. While trying to keep session IDs secret is good, task 2 is at least equally as important. How do you achieve this? Consider an HTTP request from your legitimate user: GET /blah.php?session_id=1234 HTTP/1.1 Host: example.org User-Agent: Mozilla (Gecko) Linux 2.4.1.2.3.4 There are usually many more headers, but this example will suffice. Now, depending on specific HTTP headers is never a good plan (you might notice people warning against depending on the Referer header), but this is only if you do this for every user. The headers that the *same* user sends are going to be much more consistent. In the above example, you can be pretty certain that, regardless of HTTP proxies or anything else, the user is going to send the same User-Agent header in each request. So, why not store this in the session (on the server), and check to make sure it matches every time? This approach shouldn't adversely affect your users, but it should complicate impersonation. And that is how you play the game of security - try to make things easy for the good guys and hard for the bad guys. By adding this simple User-Agent check, a bad guy can't just use a stolen session ID to impersonate someone. The bad guy has to also send the same User-Agent header. Can this be done? Sure, and it's not too hard, but it is something, and everything helps. Hopefully this can get your creative juices flowing. Chris ===== Become a better Web developer with the HTTP Developer's Handbook http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
