sessions security...
Posted: Wed Nov 27, 2002 10:13 am
by Kyori
In my script I use
Code:
$username = $_SESSION['username'];
I wonder if that is secure. I'm testing on IIS and I understand that sessions use cookies, but I can't find the cookie for this one. Anyway, would the above method be easy to hack or not? I'm planning to upload on Tripod and then to a good server when the whole site is finished.
Also, how do I pass POSTed variables w/o using inputs? Like passing them from anchors <a href>
thx
Posted: Wed Nov 27, 2002 10:17 am
by BigE
That is fine. If you want all of the variables from $_SESSION without calling $_SESSION, just do extract($_SESSION) (php.net/extract). Also, you can't really get POST variables from an anchor tag because that would use the GET method. Therefore you would have to pass them through the query string and use $_GET to get the variables. Hope that helps.
Posted: Wed Nov 27, 2002 10:35 am
by Kyori
I've read that it's pretty easy to steal sessions... dunno about that.
Any way in JavaScript to POST? Anything aside from using forms?
Posted: Wed Nov 27, 2002 10:42 am
by BigE
It's only easy to steal a session if you're good at coming up with random numbers or stealing a cookie off of someone's computer. If you're going to store sensitive information in the session, encrypt it. No, there is no way to get POST data besides by a form that I'm aware of.
Posted: Wed Nov 27, 2002 11:04 am
by Kyori
Is there any way to encrypt in PHP, like a ready function? I can't find any.
Code:
<form action="action.php" method="POST">
<input type="hidden" name="user" value="user100">
</form>
<a href="action.php">action</a>
Will clicking on action above pass POST data?
Can anyone also help me w/ innerHTML?
Code:
<span style="position:absolute" id="loadi"></span>
<script>
loadi.innerHTML="LOADING";
</script>
Posted: Wed Nov 27, 2002 11:10 am
by BigE
There are several encryption functions in PHP. I suggest you start checking out the string functions at php.net/strings and also md5() (php.net/md5). There are, of course, other styles of encryption, but MD5 seems to be the most popular one-way hash. Hope that helps.
Posted: Wed Nov 27, 2002 11:31 am
by Kyori
This is what I did:
Code:
$_SESSION['username'] = md5($username);
Guess that the only way (virtually) of hacking is by stealing cookies.
Posted: Wed Nov 27, 2002 11:42 am
by BigE
It's not the only way... if they have the session ID they can pass that through the URL. It's not as easy as some people make it out to be if you code your site properly. Also, with md5() all you can do to check your data is compare an MD5 string to an MD5 string since there is no decryption for it.
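Editor's added example, not code from either poster: the values in $_SESSION stay on the server, and only the session ID travels in the cookie or URL, so the ID is what has to be protected against the two routes mentioned above. The sketch assumes PHP 7.3 or later and an HTTPS site; the function names start_hardened_session(), login_user() and current_user() are hypothetical.

```php
<?php
// Added example. Assumes PHP 7.3+ and HTTPS; all function names are hypothetical.

function start_hardened_session(): void
{
    // Take the session ID from the cookie only, never from ?PHPSESSID=... in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server did not issue itself (stops attacker-chosen IDs).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(string $username): void
{
    // Issue a fresh ID at login; any ID known before login stops working.
    session_regenerate_id(true);
    $_SESSION['username']  = $username;   // stored server-side, no hashing needed
    $_SESSION['last_seen'] = time();
}

function current_user(int $idleLimit = 1800): ?string
{
    if (!isset($_SESSION['username'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > $idleLimit) {
        // Idle too long: destroy the session so a stolen ID has a short useful life.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['username'];
}
```

Call start_hardened_session() before any output on every page, login_user() once after the password check succeeds, and current_user() wherever the thread's `$_SESSION['username']` lookup would go.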