On Jun 14, 2003, "Ryan A" claimed that:

|Hi,
|I have been reading up on the old discussions on this list as I was very
|busy for the past few days... and I saw a very interesting topic regarding
|sessions and security.
|
|I really didn't understand some of the things you guys wrote on "hijacking a
|session"... do you have any examples of this?
|How can someone else have the session info of another user?
|After looking at the session id I see that it's a long garbled string, and
|even if someone is a good guesser... isn't that a very very very long shot? Or
|am I missing something?
|
|I looked it up on Google and I didn't see anything major...
|
|I don't mean to drag this topic up all over again, so if any of you have any
|URLs that you think would shed some light on this matter... please do post
|them to me.
|
|This concerns me a lot as I have a very "sessions heavy" site... which is
|also a kind of paysite/freesite.
|
|Cheers,
|-Ryan

From http://www.php.net/manual/en/print/ref.session.php

"There are several ways to leak an existing session id to third parties. A
leaked session id enables the third party to access all resources which
are associated with a specific id. First, URLs carrying session ids. If
you link to an external site, the URL including the session id might be
stored in the external site's referrer logs. Second, a more active
attacker might listen to your network traffic. If it is not encrypted,
session ids will flow in plain text over the network. The solution here is
to implement SSL on your server and make it mandatory for users."

Another way is to monitor the session.save_path of another domain on a server
that you have access to. Using some screen-scraping techniques it might
not be hard to extract passwords or (using something similar to Amazon's
'one-click' purchasing) to buy a bunch of crap using someone else's money.

-- 
Registered Linux user #304026.
"lynx -source http://jharris.rallycentral.us/jharris.asc | gpg --import"
Key fingerprint = 52FC 20BD 025A 8C13 5FC6  68C6 9CF9 46C2 B089 0FED
Responses to this message should conform to RFC 1855.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
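Added example for this thread (not code from either post or from the PHP manual): a PHP bootstrap that closes the three leak paths discussed above, plus a small check you can run from another account to see the third one for yourself. The per-site directory /var/lib/php/sessions/example.com is an assumption; session.use_strict_mode (PHP 5.5.2) and session.cookie_samesite (PHP 7.3) postdate the thread, and the ownership check assumes the posix extension is loaded.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Covers: (1) session ids in
// URLs leaking through Referer logs, (2) ids sent in clear text, (3) session
// files in a session.save_path shared with other sites on the same host.

const SESSION_DIR = '/var/lib/php/sessions/example.com'; // assumed per-site path

/** Session files in $dir that this process can read. On a shared /tmp where
 *  every vhost runs as the same web-server user (the usual mod_php setup), that
 *  is every other site's session data; run it from another account to check. */
function readable_session_files(string $dir): array
{
    $files = glob(rtrim($dir, '/') . '/sess_*') ?: [];
    return array_values(array_filter($files, 'is_readable'));
}

/** True only if $dir is owned by this process and has no group/other bits,
 *  so it fails for the stock /tmp (mode 1777). Requires the posix extension
 *  for the ownership part; without it only the mode bits are checked. */
function session_dir_is_private(string $dir): bool
{
    if (!is_dir($dir)) {
        return false;
    }
    $stat = stat($dir);
    if ($stat === false) {
        return false;
    }
    if (function_exists('posix_geteuid') && $stat['uid'] !== posix_geteuid()) {
        return false;
    }
    return ($stat['mode'] & 0077) === 0;
}

/** Create the private per-site store (0700) if needed and return its path. */
function ensure_private_session_dir(string $dir): string
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create session dir $dir");
    }
    chmod($dir, 0700);
    if (!session_dir_is_private($dir)) {
        throw new RuntimeException("$dir is not private to this site");
    }
    return $dir;
}

/** Apply the settings, then start the session. Call before any output. */
function start_hardened_session(string $dir): void
{
    // (1) Never carry the id in the URL, so it cannot end up in Referer logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued

    // (2) Refuse to issue a session over plain HTTP; mark the cookie Secure.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('sessions are only issued over HTTPS');
    }
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');

    // (3) Private store instead of the shared default (/tmp on most hosts).
    session_save_path(ensure_private_session_dir($dir));

    session_start();
}

/** On login (and any other privilege change) issue a fresh id, so an id
 *  captured before authentication is worthless afterwards. */
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

// CLI usage: show how much of the default store the current account can read.
if (PHP_SAPI === 'cli') {
    $shared = sys_get_temp_dir();
    printf("%d session files readable in %s\n",
        count(readable_session_files($shared)), $shared);
    printf("%s private to this user: %s\n",
        $shared, session_dir_is_private($shared) ? 'yes' : 'no');
}
```

In a web request, call start_hardened_session(SESSION_DIR) at the top of every page and login_user() once the password check passes. The ini_set() calls only work if the host lets scripts change those directives; on a locked-down host put the same settings in php.ini or a per-vhost configuration, and move the session store out of /tmp the same way.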