i setup my sessions to be transparent, can it still be hacked ? > --- Chris Wanstrath <[EMAIL PROTECTED]> wrote: >> Lots of great information in this thread as far as solutions go, but >> what I'm wondering is the concept behind how someone actually can >> hijack a session if register_globals is off. > > I proposed a talk on this at ApacheCon (in addition to my PHP Attacks > and Defense talk), but it wasn't accepted. I can never tell if there is > a lot of interest in the idea of securing sessions or not. I think most > people think it is too narrow a topic. > > At any rate, there is too much information to write in an email, but > there are many methods of impersonation, and almost all of them are > independent of whether register_globals is enabled. > > For example, consider that a legitimate user clicks a link and goes to > this URL: > > http://www.example.org/foo.php?PHPSESSID=12345 > > Perhaps the user has cookies disabled, so PHP appends the session > identifier to the URL, or perhaps the developer does it automatically. > Either way, what if a bad guy visits this URL: > > http://www.example.org/foo.php?PHPSESSID=12345 > > Will the application recognize the user as the same as the legitimate > user? PHP certainly will, but it is up to the application to try and > lessen the likelihood of such an attack. > > Hope that helps. > > Chris > > ===== > My Blog > http://shiflett.org/ > HTTP Developer's Handbook > http://httphandbook.org/ > RAMP Training Courses > http://www.nyphp.org/ramp > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php