-
Mar 9th, 2006, 09:35 PM
#1
Thread Starter
Addicted Member
[RESOLVED] about SID
When browsing the internet I find a lot of websites using PHP that include the session ID (SID) in the URL. Which is better, actually? Is it really good to include the SID in the URL, or just use cookies?
-
Mar 10th, 2006, 03:22 AM
#2
Member
Re: about SID
Not sure what's better, but in the URL is a sure thing.
Some users turn off cookies.
-
Mar 10th, 2006, 06:39 AM
#3
<?="Moderator"?>
Re: about SID
This can be good and bad. Good because some users turn cookies off, so it allows session information to be used, but it also means that someone can copy the user's URL, with session ID, and view what they were doing on the site. I had some links about the pros and cons; will try and dig them out for you.
-
Mar 10th, 2006, 06:46 AM
#4
<?="Moderator"?>
Re: about SID
Here's part of what I was talking about; the link to the PDF gives lots of good info as well.
 Originally Posted by http://uk2.php.net/manual/en/ref.session.php
Sessions and security
External links: Session fixation
The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.
Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.
There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.
-
Mar 10th, 2006, 11:38 AM
#5
Thread Starter
Addicted Member
Re: about SID
Thank you very much, John. Really appreciate it.
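An added example, not part of the original thread or of the PHP manual: one way to apply the advice quoted in post #4 by accepting session IDs from cookies only and redirecting old links that still carry a SID in the query string. The function names and the sample URL are assumptions made for illustration.

```php
<?php
// Added example: cookie-only PHP sessions. Function names are hypothetical.

function start_cookie_only_session(): void
{
    // Named in the quoted manual text: never accept a session ID from the URL.
    ini_set('session.use_only_cookies', '1');
    // Stop PHP from rewriting links and forms to append the SID.
    ini_set('session.use_trans_sid', '0');
    // Send the cookie over HTTPS only (the manual's "implement SSL" advice).
    ini_set('session.cookie_secure', '1');
    // Keep the cookie out of reach of page scripts.
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Drop a SID that an old link or bookmark still carries in the query string,
// so it does not end up in the address bar, server logs, or Referer headers.
function strip_sid_from_url(string $url, string $sidName): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url;
    }
    parse_str($parts['query'], $query);
    if (!array_key_exists($sidName, $query)) {
        return $url;
    }
    unset($query[$sidName]);
    $clean = $parts['path'] ?? '/';
    return $query ? $clean . '?' . http_build_query($query) : $clean;
}

// Call after a successful login so a pre-login ID cannot be reused (session fixation).
function rotate_session_id_on_login(): void
{
    session_regenerate_id(true);
}

if (PHP_SAPI !== 'cli') {
    start_cookie_only_session();
    $clean = strip_sid_from_url($_SERVER['REQUEST_URI'], session_name());
    if ($clean !== $_SERVER['REQUEST_URI']) {
        header('Location: ' . $clean, true, 302);
        exit;
    }
} else {
    // Constructed sample URL, run from the command line to see the rewrite.
    echo strip_sid_from_url('/cart.php?item=7&PHPSESSID=constructedsampleid', 'PHPSESSID'), "\n";
}
```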