--- Robert Cummings <[EMAIL PROTECTED]> wrote:
> > What is a transparent session?
>
> I don't know if it's the same for the original poster (whoever that
> is, since they were cropped :) For me it's when I bind a session
> variable to an object such that the session variable is referenced
> using
On Tue, 2003-10-21 at 15:36, Joseph Bannon wrote:
> > i setup my sessions to be transparent, can it still be hacked ?
>
>
> What is a transparent session?
I don't know if it's the same for the original poster (whoever that is,
since they were cropped :) For me it's when I bind a session variable
> i setup my sessions to be transparent, can it still be hacked ?
What is a transparent session?
J.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Hi,
On Tue, 21 Oct 2003 14:02:58 +1000
Tom Rogers <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Tuesday, October 21, 2003, 1:40:20 PM, you wrote:
>
> OMH> One other thing.. What's the difference in $$ for a site to be
> OMH> https rather than http?? Cos you need to get a verisign cert
> OMH> or somethi
Hi,
Tuesday, October 21, 2003, 1:40:20 PM, you wrote:
OMH> One other thing.. What's the difference in $$ for a site to be https rather
OMH> than http?? Cos you need to get a verisign cert or something?? Just
OMH> asking..
I use bulkregister.com and if you are a member the cost is $88.00 per ye
>> The encryption happens server side and is really only intended to encrypt
>> variables that are passed to web client such as product id and stuff. The only
>> way to do secure login and prevent sniffing is to use ssl which will encrypt the
>> traffic to and from the client. I suppose javascript coul
Hi,
Tuesday, October 21, 2003, 12:52:33 PM, you wrote:
OMH> Hi Tom,
OMH> I've got a question for you regarding this encrypt class of yours.. Just
OMH> wanted to understand how well it would work against a guy with a sniffer
OMH> such as ethereal. (presuming he's on the LAN/wifi to access the app)
Hi Tom,
I've got a question for you regarding this encrypt class of yours.. Just
wanted to understand how well it would work against a guy with a sniffer
such as ethereal. (presuming he's on the LAN/wifi to access the app)
How does the encryption happen?? Client side or server side? How does it g
--- "John W. Holmes" <[EMAIL PROTECTED]> wrote:
> > Either way, what if a bad guy visits this URL:
> >
> > http://www.example.org/foo.php?PHPSESSID=12345
>
> Called session fixation. Here's a good paper on this and how to deal
> with it.
>
> http://www.acros.si/papers/session_fixation.pdf
Actuall
Chris Shiflett wrote:
For example, consider that a legitimate user clicks a link and goes to this
URL:
http://www.example.org/foo.php?PHPSESSID=12345
Perhaps the user has cookies disabled, so PHP appends the session identifier to
the URL, or perhaps the developer does it automatically. Either way,
--- [EMAIL PROTECTED] wrote:
> i setup my sessions to be transparent, can it still be hacked ?
Yes.
If you can be more specific, I will try to be more specific also. :-)
Chris
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
i setup my sessions to be transparent, can it still be hacked ?
> --- Chris Wanstrath <[EMAIL PROTECTED]> wrote:
>> Lots of great information in this thread as far as solutions go, but
>> what I'm wondering is the concept behind how someone actually can
>> hijack a session if register_globals is o
--- Chris Wanstrath <[EMAIL PROTECTED]> wrote:
> Lots of great information in this thread as far as solutions go, but
> what I'm wondering is the concept behind how someone actually can
> hijack a session if register_globals is off.
I proposed a talk on this at ApacheCon (in addition to my PHP Att
Lots of great information in this thread as far as solutions go, but
what I'm wondering is the concept behind how someone actually can hijack
a session if register_globals is off. Should all this encryption and
added protection be added to scripts with register_globals off and when
steps are made
--- Ryan A <[EMAIL PROTECTED]> wrote:
> Yep, I just created the session and nothing beyond. Am new to PHP
> and first time/project user with sessions.
Right. I think this needs to be made clearer in the manual myself, and I might
add something to drive the point home. PHP sessions are a mechanism,
Hi,
RA> If i declare them before using them like the above example...do you think I
RA> still need to use that class?
RA> Cheers,
RA> -Ryan
That depends on what your dicky friend is doing to screw your code up.
If you are passing ids in the url or in post data then encode them. If he is
inven
Hi Tom,
A mighty big thanks for that class, I'll read up on classes tonight and try
to understand it.
Thanks for the tips on how to use it too.
> To help prevent problems with stuff like this it is always a good idea to declare
> variables before using them, especially with sessions:
>
> $num = 0;
Hi,
Monday, October 20, 2003, 10:38:23 AM, you wrote:
RA> Hi Tom,
RA> Thanks for replying.
>> encrypt the numbers and decrypt them before use, if they won't decrypt to a number
>> ditch the connection. If you need a class for that I can send it to you
RA> Yes please, that should help, but am n
Hi,
Thanks for replying.
> First of all, I bet you are using PHP sessions, and you have done nothing
> beyond getting them to work, right? One important note about PHP sessions is
> that they provide the mechanism only; it is your job to provide whatever
> security you deem appropriate.
Yep, I
Hi Tom,
Thanks for replying.
> encrypt the numbers and decrypt them before use, if they won't decrypt to a number
> ditch the connection. If you need a class for that I can send it to you
Yes please, that should help, but am new to classes so one or two lines on
how to implement them would be price
Hi,
Monday, October 20, 2003, 10:09:42 AM, you wrote:
RA> Hi,
RA> We have a site that runs a kind of membership section.
RA> When a person logs in we have his username + 3 variables in session, the 3
RA> variables are used for background processing and are never disclosed to the
RA> client, all 3
--- Ryan A <[EMAIL PROTECTED]> wrote:
> Somehow 1 person has found out about them and is creating havoc with
> that damn account by changing those variables to different numbers
> ...any idea how he is doing that?
I have many ideas.
First of all, I bet you are using PHP sessions, and you have do
registered globals off ?
> Hi,
> We have a site that runs a kind of membership section.
> When a person logs in we have his username + 3 variables in session,
> the 3 variables are used for background processing and are never
> disclosed to the client, all 3 variables contain 1 or 2 digit numbers.