php session.use_cookies and session fixation attacks
I had a look at this post, and I don't understand whether, using the code below, I'm vulnerable to session fixation attacks:
mypage.php
    <?php
    // Session id is carried in the URL (transparent SID), not in a cookie
    ini_set("session.use_cookies", 0);
    ini_set("session.use_only_cookies", 0);
    ini_set("session.use_trans_sid", 1);
    session_start();

    // PHP superglobals are case-sensitive: $_SESSION and $_COOKIE, not $_session / $_cookie
    $_SESSION['myname'] = "mynameisok";
    if ($_SESSION['myname'] === "mynameisok") {
        print_r($_SESSION);
        print_r($_COOKIE);
    }
    ?>

The code I'm using is as above; I'm not using URL parameters or other stuff, so is this code vulnerable to PHP session fixation attacks? If yes, how? I'm not a PHP expert... can you post an illustration of the attack?
The session fixation attack can happen when you use the URL to pass the id, for example:
http://unsafe.example.com/?sid=i_will_know_the_sid
If another person visits that link, you can have access to the other person's account.
To avoid this, you must not take session identifiers from GET / POST variables.
Don't use:
ini_set("session.use_trans_sid",1);
but:
ini_set("session.use_trans_sid",0);
It disables transparent SID support.
URL-based session management has additional security risks compared to cookie-based session management. Users may send a URL that contains an active session id to friends by email, or users may save a URL that contains a session id in their bookmarks and always access your site with the same session id, for example.
You can read more about session fixation here:
http://en.wikipedia.org/wiki/session_fixation
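As an added example (not code from the question or the answer above), here is the cookie-only counterpart of the ini_set() calls in the question, plus the id rotation a login handler should do. The php.ini directives are real PHP settings; the promote_session_after_login() and url_session_id_present() functions and the login flow are hypothetical.

```php
<?php
// Added example: hardened session configuration for PHP.
// These directives are real php.ini settings; the functions below are hypothetical.
// All ini_set() calls must run before session_start().

ini_set('session.use_cookies', 1);        // carry the session id in a cookie ...
ini_set('session.use_only_cookies', 1);   // ... and ignore ids passed in the URL or POST body
ini_set('session.use_trans_sid', 0);      // never rewrite links/forms to append the id
ini_set('session.use_strict_mode', 1);    // reject ids the server never issued (PHP >= 5.5.2)
ini_set('session.cookie_httponly', 1);    // keep the cookie out of reach of client-side scripts
ini_set('session.cookie_secure', 1);      // send the cookie over HTTPS only
ini_set('session.cookie_samesite', 'Strict'); // PHP >= 7.3

session_start();

// After the credentials have been verified, replace the session id so that a
// session created before authentication (by anyone) never becomes the
// authenticated one. The "true" argument discards the old session data.
function promote_session_after_login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['logged_in'] = time();
}

// Defensive check: with use_only_cookies enabled PHP already ignores an id in the
// query string, but its presence (e.g. ?PHPSESSID=...) is worth logging because
// a legitimate client never sends one.
function url_session_id_present(array $query): bool
{
    return array_key_exists(session_name(), $query);
}

if (url_session_id_present($_GET)) {
    error_log('session id supplied in URL from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

// Hypothetical login flow: check_credentials() is assumed to exist.
// if (check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     promote_session_after_login($_POST['user']);
// }
```

With use_only_cookies and use_strict_mode both on, the link shown in the answer no longer selects a session: PHP ignores the URL id and, if an unknown id did reach it in a cookie, issues a fresh one instead.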