Tips: PHP security
View Single Post
09-06-2007, 04:56 PM
La Vida es Sueño
Join Date: Sep 2007
There is another potential security downfall to sessions called session fixation that every developer should be consciously aware of. This is the process by which I send you a link, such as:
You click the link and login to your account. Now, if the session ID is not changed when the user logs in using
then there's no need for me to guess your session ID. I already know it because I supplied it to you. PHP creates the session ID on-the-fly if it does not exist so the session ID I sent you in the link becomes your session ID. I can then go and click on the link myself and have almost limitless access to your account.
For this reason, the session's ID should be regenerated, and if practicable, the session ID within the GET should be disabled.
Please see the attached document I have outlining session fixation. It's an interesting read.
(404.6 KB, 757 views)
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
View Public Profile
Send a private message to Wildhoney
Visit Wildhoney's homepage!
Find More Posts by Wildhoney