Advantage of Session ID in browser query
Posted: Wed Mar 30, 2005 4:41 pm
by php_wiz_kid
What's the advantage of putting the session id in the browser query? I thought it was because if the user didn't have cookies enabled it would still allow you to maintain state. My professor said this was WRONG!
Posted: Wed Mar 30, 2005 5:21 pm
by JPlush76
What did your professor say? Sounds like he was wrong this time.
There is no advantage; in fact it's horrible in a security sense. Imagine if someone cut and pasted their URL, which included the session id, to a friend (or stranger): now the person who clicks on the link has just become that user.
php.ini contains all your session setup parameters; you can use cookies only (however, on the first request the session id is always passed in the URL).
Posted: Wed Mar 30, 2005 5:33 pm
by feyd
The actual hijacking of the session is dependent on other validation and verification you do in your code as well, though. It can be made more secure: checking IP/host information, browser agent, cookies, the other sessions to see if that IP had a different session already... there are lots of things you can add.
Now, if you just blindly do sessions... then yes, hijacking is very easy.
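As an added example that is not part of the thread, here is the cookie-only session setup JPlush76 points at in php.ini, combined with the kind of secondary User-Agent check feyd describes, written as PHP. It assumes PHP 7.3 or later and a site served over HTTPS; the function names are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ and HTTPS.

function secure_session_start(): void
{
    // Never accept or emit the session id in the URL (the pasted-link
    // hijack from the thread) and reject ids the server did not issue.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from JavaScript, off plaintext HTTP, and out
    // of cross-site requests.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');

    session_start();

    // Secondary binding, as feyd suggests: tie the session to the client's
    // User-Agent. As JPlush76 notes, this is spoofable, so it raises the bar
    // but never replaces keeping the id secret.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $fingerprint;
    } elseif (!hash_equals($_SESSION['fp'], $fingerprint)) {
        // Mismatch: throw the session away and start a fresh, empty one
        // under a new id rather than trusting it.
        session_unset();
        session_regenerate_id(true);
        $_SESSION['fp'] = $fingerprint;
    }
}

// Call after a successful login so that a pre-login id (which an attacker
// could have planted) never becomes an authenticated one.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

The same six `session.*` keys can be set directly in php.ini instead of via `ini_set()`; the important part is that `use_only_cookies` and `use_strict_mode` are on and `use_trans_sid` is off before `session_start()` runs.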
Posted: Wed Mar 30, 2005 5:35 pm
by JPlush76
As you know, all of those can be spoofed, and I'd bet MOST available PHP apps do not check anything but a session id.
Posted: Wed Mar 30, 2005 5:46 pm
by feyd
sadly..