
Thread: [RESOLVED] about SID

  1. #1

    Thread Starter
    Addicted Member
    Join Date
    May 2001
    Posts
    237

    Resolved [RESOLVED] about SID

    When browsing the internet I find a lot of websites using PHP that include the session ID (SID) in the URL. Which is better, actually? Is it really good to include the SID in the URL, or just use the cookies?

  2. #2
    Member AWC_Joe's Avatar
    Join Date
    Jan 2006
    Location
    Located
    Posts
    49

    Re: about SID

    Not sure what's better, but in the URL is a sure thing.
    Some users turn off cookies.

    Some programs and scripts I've made: http://wiki.anotherwebcom.com
    What was once an opinion, became a fact, to be later proven wrong...

  3. #3
    Moderator john tindell's Avatar
    Join Date
    Jan 2002
    Location
    Brighton, UK
    Posts
    1,099

    Re: about SID

    This can be good and bad. Good because some users turn cookies off so it allows session information to be used, but it also means that someone can copy the user's URL, with session ID, and view what they were doing on the site. I had some links about the pros and cons; will try and dig them out for you.

  4. #4
    Moderator john tindell's Avatar
    Join Date
    Jan 2002
    Location
    Brighton, UK
    Posts
    1,099

    Re: about SID

    Here's part of what I was talking about; the link to the PDF gives lots of good info as well.

    Quote Originally Posted by http://uk2.php.net/manual/en/ref.session.php
    Sessions and security

    External links: Session fixation

    The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

    Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

    There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.
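The two points raised in #3 (a copied URL carries the session) and in the manual quote above (use_only_cookies, referrer logs, plaintext sniffing) translate into a handful of session settings. The following is an added example of a hardened PHP session bootstrap; it is not code from this thread or from the PHP manual. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and a site served only over HTTPS; the function name login_user() is a placeholder for wherever the application authenticates a user.

```php
<?php
// Added example, not from the thread: hardened session bootstrap.
// Assumes PHP >= 7.3 and an HTTPS-only deployment.

// 1. Never accept or emit the session id in the URL.
//    This is the setting the manual quote refers to: with it on, a
//    ?PHPSESSID=... parameter in a shared or logged URL is simply ignored.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');      // do not rewrite links/forms to carry the SID
ini_set('session.use_strict_mode', '1');    // reject ids the server did not generate (fixation)

// 2. Cookie attributes: TLS-only so the id never crosses the wire in clear
//    text, not readable from JavaScript, and not sent on cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie
    'path'     => '/',
    'domain'   => '',     // current host only
    'secure'   => true,   // never sent over plain HTTP
    'httponly' => true,   // not exposed to document.cookie
    'samesite' => 'Lax',
]);

session_start();

// 3. On privilege change (login), replace the id so that any pre-login id a
//    third party may have obtained from a URL or log is worthless afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// 4. Visibility: with use_only_cookies on, a session id arriving in the query
//    string is never honoured, but logging it shows how often links carrying
//    a SID are being shared or replayed.
if (isset($_GET[session_name()])) {
    error_log('session id supplied in URL was ignored (session.use_only_cookies=1)');
}
```

Both ini_set() calls and session_set_cookie_params() must run before session_start(); once the session has started the cookie parameters are fixed for that request. The trade-off the manual mentions still applies: with use_only_cookies on, a visitor who has disabled cookies gets no session at all.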

  5. #5

    Thread Starter
    Addicted Member
    Join Date
    May 2001
    Posts
    237

    Re: about SID

    Thank you very much, John. Really appreciate it.
