On 12/21/06, David Mintz <[EMAIL PROTECTED]> wrote:
> http://www.php.net/manual/en/ref.session.php
>
> Last time I checked, there were two ways to propagate a session id across
> page requests: (1) cookies; (2) as a URL variable (URL rewriting). The
> latter is less secure.

...less secure because when the session ID is part of the URL, it's
easy for an unsuspecting user to send it to somebody in an email or
bookmark it on a public machine, and have their session hijacked by
someone else. It can also show up in the referrer logs of other hosts
if, for example, external images or scripts are included in your
pages.

There is also the risk that PHP can be tricked into using a non-random
session ID, see Chris Shiflett's writeup on Session Fixation if you
are considering using URL rewriting for session-keeping:
http://shiflett.org/articles/security-corner-feb2004

--
Chris Snyder
http://chxo.com/
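Putting both points of the reply into a PHP session bootstrap, as an added example that is not from the thread: the ini directives switch off URL propagation of the id, and the login step regenerates the id so an id that was planted before authentication (the fixation case) does not survive it. The directive names are real PHP settings (session.use_strict_mode is newer than this 2006 thread); login_user and session_id_in_url are illustrative names chosen here.

```php
<?php
// Added example, not code from the thread. Refuses the URL-propagation path
// the reply warns about and defeats the fixation scenario by issuing a fresh
// id at login. session.use_strict_mode postdates the 2006 thread.

// Weak configuration (what lets the id end up in links, bookmarks and the
// Referer header sent to external image/script hosts):
//   session.use_trans_sid    = 1
//   session.use_only_cookies = 0

// Hardened: cookies are the only channel and the URL rewriter is off.
ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in requests
ini_set('session.use_trans_sid', '0');    // never append the id to links/forms
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1'); // never send the cookie over HTTP
}
session_start();

// Fixation defence: whatever id the client arrived with is discarded at the
// moment of authentication, and the old session data is deleted so the old
// id cannot be replayed.
function login_user($username)
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}

// Detection hook: with use_only_cookies=1 PHP already ignores an id in the
// query string, but seeing one is evidence that something still links with
// it (an old bookmark, a forwarded URL, a page not yet migrated).
function session_id_in_url(array $query)
{
    return array_key_exists(session_name(), $query);
}

if (session_id_in_url($_GET)) {
    error_log('session id seen in query string from ' . $_SERVER['REMOTE_ADDR']);
}
```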
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk