The manual has many cautions that say 'do not use session_register,
session_is_registered, session_unregister when the ini setting is
register_globals=off'.
But they still do work, it seems.
Or how exactly do these functions work differently than with register_globals
On?
Can I still continue to
Nick Wilson wrote:
* and then Chris Sechiatano declared
You have to code the PHPSESSID into your URL if your browser has cookies
disabled or else it won't work.
No. As I said, I have PHP compiled with --enable-trans-sid
Php
Justin French wrote:
Hi all,
About 2.30 in the morning I started kicking around an idea, based on the
recent discussions on sessions, and what --enable-trans-sid did.
From my understanding:
+ if there is no session cookie, set a cookie AND append a
session ID to URLs on the
Can I tell you more than what the subject says?
Proceeding:
Close the browser, clean all your cookies, and open any page with that
?PHPSESSID=spoofme appended.
And see what happens.
1) No cookies are left
2) a session 'spoofme' is created
Do you need more? JavaScript URL injection and cross
I myself wrote:
Can I tell you more than what the subject says?
Proceeding:
Close the browser, clean all your cookies, and open any page with that
?PHPSESSID=spoofme appended.
And see what happens.
1) No cookies are left
2) a session 'spoofme' is created
Do you need more?
Giancarlo Pinerolo wrote:
I myself wrote:
Can I tell you more than what the subject says?
Proceeding:
Close the browser, clean all your cookies, and open any page with that
?PHPSESSID=spoofme appended.
And see what happens.
spoofme is not the exact term.
?PHPSESSID=hijackme
Why can a user force PHP to create a session whose name he gives in the
URL?
Do you want me to list half a dozen ways to get rich now with these
holes?
Does anyone understand the malice of this?
Anyone can offer you a click on a session he's going to visit later and
hijack it from you?
Anyone