I have a little problem with my session handling. If cookies are off I use SID to get the session ID into the URL. Now comes the problem. I can change the session_id in the URL, and the SID is then basically an invalid string if I assume that the session_id should be a 32-character string.
My session handler saves those without a problem, but I was wondering if there is any problem I might be overlooking that might arise if a session_id is not what it should be.
Session Problem
feyd
Someone can "steal" the session of another user if they find the session id in some fashion. What should be done is to verify the data instead of taking it as authority. Verify that the 32 characters are all hex first. If the IP of another user suddenly changes to a new session id, toss them. You may want to find the hostname of the IP being used. If the base component doesn't change between them, continue.
These sorts of things should be done with cookie ones as well, but URL-based hijacking is easier.
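One way to do the checks feyd describes before PHP ever touches the session store, as an added PHP example that is not code from either poster. It assumes PHP 7 or later (for random_bytes and ??), the default 32-hex-character session id format, IPv4 clients only, and a constructed `aff` query parameter carrying the affiliate id.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0 and that session ids
// are 32 lowercase hex characters (the default hash_function setting).

function is_valid_session_id(string $id): bool
{
    // Exactly 32 hex characters; anything else came from an untrusted URL/cookie.
    return preg_match('/^[a-f0-9]{32}$/', $id) === 1;
}

function start_checked_session(): void
{
    $name = session_name();
    // The id may arrive in the cookie or, with SID in the URL, in the query string.
    $candidate = $_COOKIE[$name] ?? $_GET[$name] ?? null;

    if ($candidate === null || !is_valid_session_id($candidate)) {
        // Do not pass a malformed id to the handler: discard it and issue a fresh one.
        unset($_COOKIE[$name], $_GET[$name]);
        session_id(bin2hex(random_bytes(16)));
    }

    session_start();

    // Bind the session to the client's network prefix (first three IPv4 octets,
    // the "base component" feyd mentions). Assumes IPv4; IPv6 would need a
    // different prefix rule. If the prefix changes, drop the session data.
    $octets = explode('.', $_SERVER['REMOTE_ADDR'] ?? '');
    $prefix = implode('.', array_slice($octets, 0, 3));

    if (isset($_SESSION['net_prefix']) && $_SESSION['net_prefix'] !== $prefix) {
        session_regenerate_id(true); // invalidate the old id
        $_SESSION = [];               // forget everything tied to it
    }
    $_SESSION['net_prefix'] = $prefix;
}

start_checked_session();

// Constructed usage: the session only tracks an affiliate id, set on first visit.
if (!isset($_SESSION['affiliate_id']) && isset($_GET['aff'])) {
    $_SESSION['affiliate_id'] = preg_replace('/[^A-Za-z0-9_-]/', '', $_GET['aff']);
}
```

The validation costs one regular expression per request, so the "overhead" the original poster worries about is negligible compared with the session handler's own storage access.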
The problem I have at the moment is that the session just tracks an affiliate id.
So there is no big problem if the session is hijacked. Some affiliate might lose a signup percentage, but no site security is involved as far as I can see.
That's basically the question here: just deal with the possibility, or go to great lengths and create the overhead to check for a valid session_id.