lol, neither. It was from a site I had coded. I read an article
about session fixation and it seemed vulnerable based on what I read,
but when I tested it, it didn't seem to be and I wasn't sure why.
What made you think that?
On Feb 16, 2009, at 8:16 PM, Ashley Sheridan wrote:
On Mon, 2009-02-16 at 13:49 -0500, Sean DeNigris wrote:
Hi all! The following code seems like it should be open to session
fixation attacks, but is not. Why?!
This is the beginning of the private page...
header("Location: http://[address of login page]?
for this page]");
If an attacker caused a known user to request the above page with
?PHPSESSID=1234, the session_start would then register 1234 as the
This is from the login page...
if ($_POST['[a posted form var]'])
{
    // check submitted credentials against known users
    $status = authenticate(...);
    // if user/pass combination is correct
    if ($status == 1)
    {
        // initiate a session
        session_start();
        // register some session variables
        $_SESSION['XXXXXX'] = filter($_POST['XX']);
        // redirect to protected page
        header("Location: ...[requested page]");
    }
}
When the user logged in above, the session_start would use the
cookie from the first session_start above and have a validated
with an SID known to the attacker.
However, the top snippet does not cause an SID to be recorded in a
cookie, but the bottom one does. Hence, the attack is prevented, but
Erm, is this a trick question or your homework?
PHP General Mailing List (http://www.php.net/)
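A hardened form of the login step discussed in this thread, added here as an example and not code from any of the posters: it accepts session IDs from cookies only and issues a fresh ID at the moment of login, so an ID supplied through ?PHPSESSID= before authentication never becomes an authenticated one. The helper names check_credentials() and safe_redirect_target(), the form fields 'user', 'pass' and 'next', and the demo account are assumptions made for the illustration.

```php
<?php
// Added example; helper names, form fields and the demo account are hypothetical.

// Take session IDs from cookies only (never from the URL) and refuse IDs
// that this server did not issue itself. Must run before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');                               // PHP 5.5.2+
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);  // PHP 7.3+

function check_credentials($user, $pass): bool
{
    // Constructed demo account; a real site would query its user store.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return is_string($user) && is_string($pass)
        && isset($users[$user]) && password_verify($pass, $users[$user]);
}

function safe_redirect_target($next): string
{
    // Allow only local paths so the post-login redirect stays on this site.
    $ok = is_string($next)
        && preg_match('#\A/[A-Za-z0-9/_.-]*\z#', $next)
        && strpos($next, '//') === false;
    return $ok ? $next : '/';
}

session_start();

$isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
if ($isPost && check_credentials($_POST['user'] ?? null, $_POST['pass'] ?? null)) {
    // New ID at the privilege change; true deletes the old session data,
    // so an ID known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['user'];
    header('Location: ' . safe_redirect_target($_POST['next'] ?? '/'));
    exit;
}
```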