[snip]
> ... Short of any severe bugs in PHP's core, there is no way for a user of your Web application to modify session data ...
[/snip]
It seems that statement is not completely correct considering the topic discussed in the paper 'Session Fixation Vulnerability in Web-based Applications' (http://secinf.net/uplarticle/11/session_fixation.pdf). I am also interested in the session security issue so any comments on that publication are welcome.
hth,
Boyan --
Chris Shiflett wrote:
--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
In all honesty I don't know enough about how one would go about attempting to hack the values of a session other than through hacking into the session files, so if anyone has any input on this please pass it along.
Well, you basically hit the nail on the head (which means you're right, in case that phrase makes no sense to anyone).
Short of any severe bugs in PHP's core, there is no way for a user of your Web application to modify session data. This data can be modified by you (so users can potentially modify session data if you have a flaw in your logic, notably $_SESSION['foo'] = $_GET['foo']), or by physical access to the session data store (/tmp, a database, or whatever).
So, as far as writing PHP goes, concern yourself with ensuring all data is filtered prior to being stored in the session. A strict naming convention can help here.
As far as the environment goes, there are of course many more factors, but you basically want to protect your session data store as you would personal user data or anything else like that.
Hope that helps.
Chris
=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
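The flawed assignment Chris names (`$_SESSION['foo'] = $_GET['foo']`), beside a version that filters input before it reaches the session, plus the login-time session ID regeneration that addresses the session fixation issue Boyan raises, as an added PHP example that is not part of the original thread. The function names, the `$clean` naming convention and the accepted values are assumptions.

```php
<?php
// Added example: vulnerable and hardened handling of client input destined
// for $_SESSION, and regeneration of the session ID on login. The helper
// names, the $clean convention and the allowed values are assumptions.

session_start();

// Vulnerable: whatever the client sends lands in the session unfiltered,
// so the user effectively controls session data through this assignment.
function storePrefsUnfiltered(): void
{
    $_SESSION['lang'] = $_GET['lang'] ?? 'en';
    $_SESSION['per_page'] = $_GET['per_page'] ?? 20;
}

// Hardened: only known values are accepted; anything else falls back
// to a safe default, so $_SESSION never holds raw client input.
function validateLang(?string $candidate): string
{
    $allowed = ['en', 'de', 'fr'];
    return in_array($candidate, $allowed, true) ? $candidate : 'en';
}

function validatePerPage(?string $candidate): int
{
    $n = filter_var($candidate, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 5, 'max_range' => 100]]);
    return $n === false ? 20 : $n;
}

// Convention: only values from the $clean array are copied into $_SESSION.
function storePrefsFiltered(array $clean): void
{
    $_SESSION['lang'] = $clean['lang'];
    $_SESSION['per_page'] = $clean['per_page'];
}

// Login step: once credentials check out, replace the pre-authentication
// session ID so an ID fixed by a third party before login is not reused
// for the authenticated session (the session fixation scenario).
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);   // true also deletes the old session data
    $_SESSION['user_id'] = $userId;
}

$clean = [];
$clean['lang'] = validateLang($_GET['lang'] ?? null);
$clean['per_page'] = validatePerPage($_GET['per_page'] ?? null);
storePrefsFiltered($clean);
```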