Advantage of Session ID in browser query

php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Advantage of Session ID in browser query

Post by php_wiz_kid »

What's the advantage of putting the session id in the browser query? I thought it was because if the user didn't have cookies enabled it would still allow you to maintain state. My professor said this was WRONG!
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

What did your professor say? Sounds like he was wrong this time ;)

There is no advantage; in fact it's horrible in a security sense. Imagine if someone cut and pasted their URL, which included the session ID, to a friend (or stranger): now the person who clicks on the link has just become that user.

PHP.ini contains all your session setup parameters; you can use cookies only (however, on the first request the session ID is always passed in the URL).
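The cookie-only configuration discussed above, as an added example that is not code from the thread: it sets the relevant session.* directives at runtime instead of in php.ini, adds the cookie flags and strict mode PHP offers for this purpose, and binds the session to a hashed User-Agent as one of the extra checks mentioned later in the thread. The helper names (hardenSessionConfig, clientFingerprint, startBoundSession) are hypothetical.

```php
<?php
// Added example (not from the thread): keep the session ID in a cookie only,
// never in the URL, and bind the session to the client context so that a
// pasted or leaked ID is harder to reuse from somewhere else.
declare(strict_types=1);

function hardenSessionConfig(): void
{
    // Never accept or emit the session ID via the query string (?PHPSESSID=...).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server never issued instead of adopting them (blocks fixation).
    ini_set('session.use_strict_mode', '1');
    // Cookie is sent over HTTPS only and is unreadable from JavaScript.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Hashed so nothing identifying is stored in the session data itself.
// A spoofable check like this is defence in depth, not a substitute for the cookie rules above.
function clientFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function startBoundSession(): void
{
    hardenSessionConfig();
    session_start();

    if (!isset($_SESSION['fp'])) {
        // Fresh session: record the fingerprint and rotate the ID.
        $_SESSION['fp'] = clientFingerprint();
        session_regenerate_id(true);
        return;
    }

    if (!hash_equals($_SESSION['fp'], clientFingerprint())) {
        // Client context changed: drop the session rather than trust it.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['fp'] = clientFingerprint();
    }
}

startBoundSession();
```

Call startBoundSession() before any output on every page; a login handler should additionally call session_regenerate_id(true) once the user is authenticated.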
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The actual hijacking of the session is dependent on other validation and verification you do in your code as well, though. It can be made more secure: checking IP/host information, browser agent, cookies, the other sessions to see if that IP had a different session already... there are lots of things you can add.

Now, if you just blindly do sessions... then yes, hijacking is very easy.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

As you know, all of those can be spoofed, and I'd bet MOST available PHP apps do not check anything but a session ID.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Sadly...