Hi Shaun,

> If I use the SID in the URL, is it dangerous?
> Can hackers gain info on important variables
> storing usernames and passwords, or is it safe
> to use? If not, what should I do?

Theoretically, if you guess or sniff someone's session ID, you can hijack
their session. That doesn't mean you can find out the contents of every
variable if they're not displayed; you'd need to compromise the web server
for that (and if someone can get onto your server, you have bigger problems
than session hijacking).

What can you do? <shrug> Live with it or serve over HTTPS, I suppose.
Nothing that travels via vanilla HTTP is secure. You can minimise the
likelihood of a SID being *guessed* by generating your own and making them
insanely long (128 chars, for example), but IMHO that's overkill. It might
be an idea to reduce the expiry time as well - you can do this in php.ini.

Even if you do have a session hijacked, you can limit any damage by good app
design: for example, don't store passwords in the session and then have a
header at the top of every page saying "hello $username, your password is
$password" :-)

Cheers
Jon

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
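The advice in Jon's reply (keep the SID out of the URL, serve over HTTPS, shorten the expiry, and never keep the password in the session) put into one PHP script. This is an added example, not code from the message or from the PHP project; it assumes PHP 7.3 or newer (for session.cookie_samesite), and the login_user() function, the IDLE_LIMIT constant and the $users array are illustrative names with constructed sample data.

```php
<?php
// Added example (not from the original mailing-list message): hardening PHP
// session handling against the URL-carried session ID problem discussed above.
// Assumes PHP 7.3+; names such as login_user() and IDLE_LIMIT are illustrative.

// 1. Never accept or emit the session ID in the URL: cookies only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// 2. Reject session IDs the server did not itself generate, so an attacker
//    cannot fix a guessed or chosen ID on a victim.
ini_set('session.use_strict_mode', '1');
// 3. Cookie flags: unreadable from JavaScript, sent only over HTTPS.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
// 4. Shorter lifetime for idle sessions (the php.ini knob mentioned above).
ini_set('session.gc_maxlifetime', '900'); // 15 minutes

session_start();

// gc_maxlifetime only tells the garbage collector when a session *may* be
// removed, so enforce the idle timeout in the application as well.
const IDLE_LIMIT = 900;
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    session_unset();
    session_destroy();
    session_start();
}
$_SESSION['last_seen'] = time();

// Illustrative login: verify against a stored password hash, then keep only
// what later pages need (a user identifier). The password is never stored.
function login_user(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a fresh ID on login so an ID captured beforehand (from a URL,
    // a Referer header or a sniffed request) is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $username;
    return true;
}

// Constructed sample data: one user whose password is "correct horse".
$users = ['shaun' => password_hash('correct horse', PASSWORD_DEFAULT)];

if (login_user('shaun', 'correct horse', $users)) {
    // Greet by username only; there is no password in the session to leak.
    echo 'hello ' . htmlspecialchars($_SESSION['user_id'], ENT_QUOTES, 'UTF-8');
}
```

The ini_set() calls must run before session_start(); in production the same settings belong in php.ini so every script inherits them. Even with all of this, a SID that does travel over plain HTTP can still be sniffed, which is why cookie_secure and HTTPS are the part that actually closes the gap.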