> > both the cookie and URL based session passed over without SSL is
> > insecure.
> >
> > i'd love to know who told you otherwise.
>
> I can't remember the exact sites now, but, the issue was about how much
> easier it is to spoof Sessions when IDs are passed via the URL as opposed
> to being stored in a cookie.

It's easier because you can just type it in rather than "crafting" a
cookie, but it's all pretty much the same. They are both equal, security
wise.

Well, actually, the other problem with session IDs in the URL is that users
could mistakenly post a URL somewhere with their session ID. If someone
clicked on this link while the session was active, it could be hijacked.

> But going back to the first point, if I'm passing Session IDs via the URL,
> shouldn't I be doing something more to make the site a little more secure?
> I don't store sensitive data in session vars, but, if it allows a
> non-paying member to hijack a paying member's session, then this is going
> to be a problem. But I'm not sure what more I can do to make the session a
> little more secure and less likely that someone will hijack it. SSL is a
> little overkill for this, as this isn't a bank or financial institution,
> it's just a little community website.

You kind of contradict yourself. It'll be a problem, but it's just a little
"community website". So is it a problem or not? Honestly, if I somehow
hijacked Joe Blow's session, what could I do?

If it is a problem, then use SSL, plain and simple. That'll protect you
from session IDs being sniffed from a network.

---John W. Holmes...

Amazon Wishlist: http://www.amazon.com/o/registry/3BEXC84AB3A5E

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today.
http://www.phparch.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
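As an added example, not code from anyone in this thread: the PHP session settings that address the two risks discussed above (an ID leaking because it rides in a URL someone pastes, and an ID sniffed off an unencrypted connection), plus regenerating the ID when a member logs in so a previously observed ID never becomes a paying member's session. It assumes PHP 7.3 or later; the function names and the login flow are hypothetical.

```php
<?php
// Added example: harden PHP session handling against the risks raised in
// the thread. Helper names and the login flow are assumptions.

function harden_session_config(): void
{
    // Never accept or emit a session ID in the URL: cookies only, and no
    // transparent SID rewriting of links and forms.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS, so it is not sniffable
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function require_https(): void
{
    // The cookie is marked Secure, so the site itself must be served over
    // TLS: redirect plain-HTTP requests instead of serving them.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
}

function login_user(int $userId, bool $isPayingMember): void
{
    // Issue a fresh ID whenever privilege changes, so an ID seen before login
    // (for example in a pasted URL) cannot carry the upgraded session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['paying']  = $isPayingMember;
}

require_https();
harden_session_config();
session_start();
```

Call `login_user()` only after the member's credentials have been verified; the ini settings must be applied before `session_start()`, as shown.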