--- Chris Wanstrath <[EMAIL PROTECTED]> wrote:
> Lots of great information in this thread as far as solutions go, but
> what I'm wondering is the concept behind how someone actually can
> hijack a session if register_globals is off.

I proposed a talk on this at ApacheCon (in addition to my PHP Attacks and Defense talk), but it wasn't accepted. I can never tell if there is a lot of interest in the idea of securing sessions or not. I think most people think it is too narrow a topic.

At any rate, there is too much information to write in an email, but there are many methods of impersonation, and almost all of them are independent of whether register_globals is enabled.

For example, consider that a legitimate user clicks a link and goes to this URL:

http://www.example.org/foo.php?PHPSESSID=12345

Perhaps the user has cookies disabled, so PHP appends the session identifier to the URL, or perhaps the developer does it automatically. Either way, what if a bad guy visits this URL:

http://www.example.org/foo.php?PHPSESSID=12345

Will the application recognize the user as the same as the legitimate user? PHP certainly will, but it is up to the application to try and lessen the likelihood of such an attack.

Hope that helps.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
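
One way an application can lessen the likelihood that an identifier seen in a URL is honoured for a second visitor, as an added example that is not part of the original message. It assumes PHP 7.3 or later served over HTTPS; the function names `start_hardened_session` and `mark_authenticated` and the `fingerprint` session key are hypothetical.

```php
<?php
// Added example (not from the original email). Assumes PHP 7.3+ and HTTPS.

function start_hardened_session(): void
{
    session_start([
        'use_only_cookies' => 1,     // ignore PHPSESSID supplied in the query string
        'use_trans_sid'    => 0,     // never rewrite links to carry the identifier
        'use_strict_mode'  => 1,     // refuse identifiers the server did not issue
        'cookie_httponly'  => 1,     // keep the cookie away from page scripts
        'cookie_secure'    => 1,     // send the cookie over HTTPS only
        'cookie_samesite'  => 'Lax',
    ]);

    // Bind the session to a coarse client fingerprint. This is a heuristic:
    // the User-Agent header is client-controlled, so it raises the bar for a
    // replayed identifier but does not replace the settings above.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $fingerprint;
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        // Same identifier, different client: discard the session data and
        // continue as an anonymous visitor under a fresh identifier.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $fingerprint;
    }
}

// Hypothetical helper: call once the application has verified credentials.
function mark_authenticated(int $userId): void
{
    // Issue a new identifier at the privilege change and delete the old
    // session data, so an identifier seen before login stops working.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();
```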