[nycphp-talk] Re: cakephp

csnyder chsnyder at gmail.com
Thu Dec 21 15:06:04 EST 2006


On 12/21/06, David Mintz <dmintz at davidmintz.org> wrote:
> http://www.php.net/manual/en/ref.session.php
>
> Last time I checked, there were two ways to propagate a session id across
> page requests: (1) cookies; (2) as a URL variable (URL rewriting). The
> latter is less secure.

...less secure because when the session ID is part of the URL, it's
easy for an unsuspecting user to send it to somebody in an email or
bookmark it on a public machine, and have their session hijacked by
someone else. It can also show up in the referrer logs of other hosts
if, for example, external images or scripts are included in your
pages.

There is also the risk that PHP can be tricked into using a non-random
session ID, see Chris Shiflett's writeup on Session Fixation if you
are considering using URL rewriting for session-keeping:
http://shiflett.org/articles/security-corner-feb2004

-- 
Chris Snyder
http://chxo.com/
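The mitigations the two messages above point at (cookie-only session propagation, no URL rewriting, and a fresh ID after login so a planted ID cannot be reused) in one PHP bootstrap. This is an added example, not code from the original thread or from CakePHP; the ini directives and `session_regenerate_id()` are real PHP settings and functions, while `promote_session_after_login()` and `session_id_looks_valid()` are hypothetical helpers written for this illustration.

```php
<?php
// Added example (not from the original message): PHP session hardening
// against the URL-rewriting and session-fixation risks discussed above.
// Real directives and functions: session.use_only_cookies,
// session.use_trans_sid, session.cookie_httponly, session.cookie_secure,
// session.use_strict_mode (PHP >= 5.5.2), session_regenerate_id().
// Hypothetical helpers: promote_session_after_login(), session_id_looks_valid().

// 1. Accept the session ID from the cookie only and never rewrite URLs.
//    With use_trans_sid off, PHP stops appending ?PHPSESSID=... to links and
//    forms, so the ID cannot leak through bookmarks, forwarded mail or the
//    Referer header sent to hosts serving your external images/scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Keep the cookie away from scripts and, on HTTPS sites, off plain HTTP.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', !empty($_SERVER['HTTPS']) ? '1' : '0');

// 3. Reject session IDs that PHP itself never issued (PHP >= 5.5.2).
//    Older releases silently adopt any ID presented to them, which is what
//    makes fixation possible; the manual check below covers that case.
ini_set('session.use_strict_mode', '1');

// Only IDs shaped like PHP-generated ones are accepted (hypothetical check).
// Anything else is dropped before session_start() so PHP mints a new one.
function session_id_looks_valid($id)
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id);
}

$cookieName = session_name();
if (isset($_COOKIE[$cookieName]) && !session_id_looks_valid($_COOKIE[$cookieName])) {
    unset($_COOKIE[$cookieName]); // session_start() now generates a fresh ID
}

session_start();

// 4. Fixation defence proper: whenever privilege changes (login, role
//    change), issue a brand-new ID and destroy the old session file, so an
//    ID an attacker planted before authentication is useless afterwards.
function promote_session_after_login($userId)
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION = array();           // do not carry over pre-login state
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Usage sketch: after the credentials have been verified by your own code.
// if (credentials_ok($user, $pass)) {
//     promote_session_after_login($user->id);
// }
```

The order matters: the ini settings and the cookie check must run before `session_start()`, and `session_regenerate_id(true)` must run after authentication succeeds, not on every request, or a slow double-click can log a legitimate user out.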



More information about the talk mailing list