Hi adam!
On Wed, 27 Jun 2001, adam (dahamsta) wrote:
> [Please copy replies off-list.]
>
> I want to use PHP4 sessions for authentication, but I'm having difficulty
> understanding how to get around users spoofing, stealing or linking sessions.
> Here's an example: Alice sends Bob a link from a site she's logged into.
> Alice has cookies turned off in her browser, so the session id will be in the
> URL she sends Bob. Eve intercepts the message, follows the link and now she
> can take over Alice's session, and any data that is associated with that
> session. For that matter, Bob can do the same thing.
>
> I can think of lots of ways around this, but most of them are kludges that
> don't really cut it. I can store a second authentication value in a cookie,
> but that would require cookies, which isn't acceptable. I could propagate a
> second authentication variable in the URL, but that's a lot of hassle and
> defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if
> the user came from my own site, but that can be spoofed. I can log and check
> the user's IP address, but that can't be relied upon.
>
> Is there any reliable way around this? Am I missing something obvious?
>
There was a long and interesting thread on bugtraq @ securityfocus.com
recently regarding this (it started w/ uploading images, I don't recall what
was the subject, but you can figure some keywords to search for ;)
Among proposed solutions was to send a ticket and validate it for each
operation.
Worth a search&read if you're a web developer.
-- teodor
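One concrete shape the "ticket validated for each operation" idea can take, as an added example (not code from the thread or from PHP itself): each response issues a single-use ticket that the next request must present next to the session id, and any ticket that does not match voids the session. The credentials_valid() helper and the 10-minute lifetime are assumptions.

```php
<?php
// Added example, not code from the thread: a chained single-use "ticket" that
// every authenticated request must present next to the session id.
// Assumes PHP >= 7 (random_bytes, hash_equals, $_SESSION) and that every link
// the site emits goes through next_link(). credentials_valid() is hypothetical.
session_start();

// Mint the one outstanding ticket for this session (128 bits of randomness).
function issue_ticket(): string {
    $_SESSION['ticket'] = bin2hex(random_bytes(16));
    $_SESSION['ticket_exp'] = time() + 600;   // constructed choice: 10 minutes
    return $_SESSION['ticket'];
}

// Accept the request only if it carries the current, unexpired ticket, then
// rotate it. Any other presentation (missing, stale, replayed) voids the whole
// session: a ticket seen twice means two parties hold the same link.
function check_and_rotate_ticket(?string $presented): bool {
    $expected = $_SESSION['ticket'] ?? '';
    $fresh = ($_SESSION['ticket_exp'] ?? 0) >= time();
    if ($presented !== null && $expected !== '' && $fresh
        && hash_equals($expected, $presented)) {   // constant-time compare
        issue_ticket();
        return true;
    }
    $_SESSION = [];
    session_destroy();
    return false;
}

// Append the current ticket to an outgoing link; all links on one response
// share the same ticket, and it is rotated when the next request arrives.
function next_link(string $path): string {
    $sep = (strpos($path, '?') === false) ? '?' : '&';
    return $path . $sep . 't=' . urlencode($_SESSION['ticket']);
}

if (empty($_SESSION['authenticated'])) {
    if (!credentials_valid($_POST)) { exit('Login required'); }   // hypothetical
    session_regenerate_id(true);   // fresh id: do not inherit a pre-login id
    $_SESSION['authenticated'] = true;
    issue_ticket();
} elseif (!check_and_rotate_ticket($_GET['t'] ?? null)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Ticket missing, expired or already used; please log in again.');
}
echo '<a href="' . htmlspecialchars(next_link('/account.php')) . '">Account</a>';
```

In the scenario above, whoever follows Alice's link second presents a ticket that has already been rotated away, so the session is destroyed rather than silently shared. A legitimate double submit or the back button trips the same check, so the failure page should lead back to the login form.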
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]