Hello Group, I've noticed something about PHP sessions. Or rather, something that seems to be missing. Perhaps someone can comment on whether this may become an issue, and whether it needs to be addressed...
I've noticed that sessions are stored under ONE cookie or URL variable. Other languages (ColdFusion for instance) use two. Here's why: Say a hacker visits your site, and notices that you're storing SESSID or SID or whatever the config is named... they can then hit your site with a whole bunch of numbers until they get a session that hasn't expired yet. At that point the session is hijacked.

Going back to the comparison with ColdFusion, there is a second variable. For example, let's call them $SID (the actual session ID) and $SCH (something I just made up to stand for "Session Check"). Session check is a one-way hash (MD5 for example) of the session ID, with a secret password stored securely someplace outside the web-accessible directory structure. What happens then is every time a session is enabled at the start of a file, the $SID is retrieved, and $SCH is recalculated and checked against the one that was sent in (via $_COOKIE or $_GET). If they don't match, then it's a possible hijack attempt.

I'm thinking that the best way to implement something like this seamlessly would be with custom callback functions as defined in session_set_save_handler(). I'm on 4.3.x... (none of my outsourced hosts are up to 5 yet).

Thoughts/comments? I know the ColdFusion-style SID/SCH scheme certainly isn't foolproof either... it won't detect someone who has managed to snag a passing SID _and_ SCH, for instance (the only sure way I can think of to prevent that would be via SSL?). But it _is_ an effective way to keep someone from trying random session IDs until they find one that's active.

--
Best regards,
Gunther
mailto:[EMAIL PROTECTED]
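The SID/SCH scheme described in the post, as an added example in modern PHP (this is not the poster's code and not part of PHP's session extension). It assumes PHP 7+, uses hash_hmac in place of MD5-of-ID-plus-secret and hash_equals for the compare, and the secret file path is an assumed placeholder.

```php
<?php
// Added example (not the original poster's code): a second "session check"
// cookie (SCH) carried beside PHPSESSID, as described in the post above.
// Assumes PHP 7+ and a secret stored outside the document root; the path
// /etc/myapp/session_secret is a hypothetical placeholder.
declare(strict_types=1);

const SCH_COOKIE = 'SCH';

function load_session_secret(string $path = '/etc/myapp/session_secret'): string {
    $secret = @file_get_contents($path);
    if ($secret === false || strlen(trim($secret)) < 32) {
        throw new RuntimeException('session secret missing or too short');
    }
    return trim($secret);
}

// SCH = keyed hash of the session ID. HMAC rather than md5($secret . $sid)
// so a forged value needs the key, not just a guessable hash construction.
function session_check_value(string $sid, string $secret): string {
    return hash_hmac('sha256', $sid, $secret);
}

// Constant-time comparison so the check itself does not leak via timing.
function session_check_is_valid(string $sid, ?string $sch, string $secret): bool {
    if ($sid === '' || $sch === null) {
        return false;
    }
    return hash_equals(session_check_value($sid, $secret), $sch);
}

// Per-request entry point: verify SID/SCH before trusting anything in $_SESSION.
function start_checked_session(string $secret): void {
    $sid = $_COOKIE[session_name()] ?? '';
    $sch = $_COOKIE[SCH_COOKIE] ?? null;

    if ($sid !== '' && !session_check_is_valid($sid, $sch, $secret)) {
        // SID without a matching SCH: treat as a guessed or forged ID.
        error_log('session check failed for sid prefix ' . substr($sid, 0, 6));
        setcookie(session_name(), '', ['expires' => 1, 'path' => '/']);
        setcookie(SCH_COOKIE, '', ['expires' => 1, 'path' => '/']);
        unset($_COOKIE[session_name()], $_COOKIE[SCH_COOKIE]);
    }

    session_start();
    // (Re)issue SCH for whatever ID is now active (fresh or existing session).
    setcookie(SCH_COOKIE, session_check_value(session_id(), $secret), [
        'path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
    ]);
}
```

Call start_checked_session(load_session_secret()) wherever session_start() would otherwise go. As the post itself notes, this rejects guessed or forged IDs but cannot detect replay of a captured SID/SCH pair, which is what TLS is for.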
