Advantage of Session ID in browser query
php_wiz_kid
- Forum Contributor
- Posts: 181
- Joined: Tue Jun 24, 2003 7:33 pm
What's the advantage of putting the session ID in the browser query? I thought it was because if the user didn't have cookies enabled it would still allow you to maintain state. My professor said this was WRONG!
JPlush76
- Forum Regular
- Posts: 819
- Joined: Thu Aug 01, 2002 5:42 pm
- Location: Los Angeles, CA
What did your professor say? Sounds like he was wrong this time.
There is no advantage; in fact it's horrible in a security sense. Imagine if someone cut and pasted their URL, which included the session ID, to a friend (or stranger): now the person who clicks on the link has just become that user.
php.ini contains all your session setup parameters; you can use cookies only (however, on the first request the session ID is always passed in the URL).
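As an added illustration of the php.ini settings the reply refers to (this is example code, not anything posted in the thread), the block below applies the relevant directives at runtime with ini_set() before session_start(). The directive names are real PHP settings; the "weak" and "hardened" groupings, and the function names, are this example's own.

```php
<?php
// Added example, not from the thread. Session settings can live in php.ini or
// be applied with ini_set() before session_start(), as done here.

// Weak: trans_sid rewrites links and forms to append PHPSESSID, and PHP also
// accepts an id from the query string. A pasted URL then carries the session.
$weak = [
    'session.use_trans_sid'    => '1',
    'session.use_only_cookies' => '0',
    'session.use_strict_mode'  => '0',
];

// Hardened: the id is read only from the session cookie, never rewritten into
// URLs, and an unknown id presented by a client is rejected rather than
// adopted (strict mode blocks fixation with an attacker-chosen id).
$hardened = [
    'session.use_trans_sid'    => '0',
    'session.use_only_cookies' => '1',
    'session.use_strict_mode'  => '1',   // PHP >= 5.5.2
    'session.cookie_httponly'  => '1',   // cookie not readable from script
    'session.cookie_secure'    => '1',   // cookie only sent over HTTPS
    'session.cookie_samesite'  => 'Lax', // PHP >= 7.3
];

// Hypothetical helper: apply a settings array and fail loudly if any directive
// cannot be set, rather than silently running with the default.
function applySessionSettings(array $settings): void
{
    foreach ($settings as $key => $value) {
        if (ini_set($key, $value) === false) {
            throw new RuntimeException("cannot set $key");
        }
    }
}

applySessionSettings($hardened);
session_start();

// Hypothetical login hook: rotate the id when privilege changes so an id seen
// before authentication is worthless afterwards.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true); // true = discard the old session data
    $_SESSION['user_id'] = $userId;
}
```

Note that with session.cookie_secure set, a browser will not send the session cookie over plain HTTP, so the hardened profile assumes the site is served over HTTPS.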
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
The actual hijacking of the session is dependent on other validation and verification you do in your code as well, though. It can be made more secure: checking IP/host information, browser agent, cookies, the other sessions to see if that IP had a different session already... there's lots of things you can add.
Now, if you just blindly do sessions, then yes, hijacking is very easy.
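One way to implement the kind of per-request validation feyd describes, as an added example that is not feyd's code: bind the session to a fingerprint of the client (user agent plus the IPv4 /24 prefix), enforce an idle timeout, and rotate the id periodically. The function names sessionFingerprint() and validateSession() and the timeout values are this example's own choices.

```php
<?php
// Added example, not from the thread. Binds a session to the client that
// created it and rejects a presented id whose client no longer matches.

function sessionFingerprint(): string
{
    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $addr  = $_SERVER['REMOTE_ADDR'] ?? '';
    // Compare only the first three octets of an IPv4 address so a client whose
    // address moves within a /24 (some ISP pools) is not logged out.
    // Assumption: REMOTE_ADDR is the real client, not a proxy in front of PHP.
    $parts = explode('.', $addr);
    $netPrefix = count($parts) === 4 ? implode('.', array_slice($parts, 0, 3)) : $addr;
    // Store a hash rather than the raw values; the raw data is not needed later.
    return hash('sha256', $agent . '|' . $netPrefix);
}

function validateSession(int $maxIdleSeconds = 1800, int $rotateAfter = 900): bool
{
    $now = time();
    if (!isset($_SESSION['fp'])) {
        // First request of a fresh session: record what the client looks like.
        $_SESSION['fp']        = sessionFingerprint();
        $_SESSION['created']   = $now;
        $_SESSION['last_seen'] = $now;
        return true;
    }
    $fpMatch = hash_equals($_SESSION['fp'], sessionFingerprint());
    $fresh   = ($now - $_SESSION['last_seen']) <= $maxIdleSeconds;
    if (!$fpMatch || !$fresh) {
        // Mismatch or idle timeout: discard the session instead of trusting
        // whoever presented this id.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    // Periodic rotation narrows the window in which a leaked id stays useful.
    if ($now - $_SESSION['created'] > $rotateAfter) {
        session_regenerate_id(true);
        $_SESSION['created'] = $now;
    }
    return true;
}

session_start();
if (!validateSession()) {
    http_response_code(403);
    exit('session rejected');
}
```

The fingerprint check raises the cost of replaying a copied id but is a second layer, not a substitute for cookie-only sessions over HTTPS: user agents change on browser updates, clients behind corporate or mobile proxies share or change addresses, so a mismatch should end the session rather than be treated as proof of an attack.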