Re: [PHP] Why is this secure?

2009-02-17 Thread Ashley Sheridan
On Mon, 2009-02-16 at 20:23 -0500, Sean DeNigris wrote:
> lol, neither. It was from a site I had coded. I read an article
> about session fixation and it seemed vulnerable based on what I read,
> but when I tested it, it didn't seem to be and I wasn't sure why.
> What made you think that?
>

Re: [PHP] Why is this secure?

2009-02-16 Thread Sean DeNigris
lol, neither. It was from a site I had coded. I read an article about session fixation and it seemed vulnerable based on what I read, but when I tested it, it didn't seem to be and I wasn't sure why. What made you think that?

- Sean

On Feb 16, 2009, at 8:16 PM, Ashley Sheridan wrote:
On

Re: [PHP] Why is this secure?

2009-02-16 Thread Ashley Sheridan
On Mon, 2009-02-16 at 13:49 -0500, Sean DeNigris wrote:
> Hi all! The following code seems like it should be open to session
> fixation attacks, but is not. Why?!
>
> This is the beginning of the private page...
> session_start();
> if (!isset($_SESSION['user']))
> {
> header("Location:

[PHP] Why is this secure?

2009-02-16 Thread Sean DeNigris
Hi all! The following code seems like it should be open to session fixation attacks, but is not. Why?!

This is the beginning of the private page...

header("Location: http://[address of login page]?requestedpage=[token for this page]");
exit();
}

If an attacker caused a known