Session ID Hijacking

I've spent probably about the last 3 hours reading that topic on security and I am kind of confused. When using sessions and you have that option in the PHP config enabled to automatically add the session id to the URL, is it possible to then use this same session on another computer by simply typing it in the address bar, or is it more complex than that to hijack it?

Without any additional security measures, the answer can be yes.

Is the session id in the URL already encrypted, and if it isn't, can it be? And what further measures can be used?

Now you're getting into key management issues ;)

Originally posted by summercom
Is the session id in the URL already encrypted, and if it isn't, can it be? And what further measures can be used?

The session id relates to a record on the server. There is no encrypt/decrypt happening between the client and server. For instance, on a Unix server there would be a file in the /tmp directory (depends on the config of PHP) named whatever the session id is, and it contains all the session vars that have been assigned.

PHP's session handler can do garbage collection on expired sessions. I store my sessions in a DB and clean up expired sessions via my own rules.

The approach I take toward security depends on the task or tasks at hand. Is this a general question, or do you have a problem that you are trying to solve?

This is one example and is definitely not the be-all in security; it is just one small example.

First, if you use cookies, the session id will not be in the URL string.
Second, set a cookie on session start with some value that is unique to that user and validate that as well on each page.

Just an idea to get you thinking.
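The two steps in the reply above (keep the id out of the URL, then tie the session to a second secret cookie checked on every page), as an added PHP example that is not code from the thread. The function name session_guard() and the cookie name "sess_chk" are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): PHP session hardening along the lines
// of the reply above. session_guard() and the cookie name "sess_chk" are
// illustrative names, not anything the thread itself uses.

// 1. Keep the session id out of the URL: cookies only, no transparent SID
//    rewriting, and reject ids the server never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over TLS (see the SSL remark later in the thread)
    'samesite' => 'Lax',
]);
session_start();

// 2. On session start, issue a second cookie holding a random value that is
//    also stored in the server-side session record; check it on each page.
function session_guard(): bool
{
    $name = 'sess_chk';
    if (!isset($_SESSION['chk'])) {
        // First request of this session: mint the value and hand it to the client.
        $token = bin2hex(random_bytes(32));
        $_SESSION['chk'] = $token;
        setcookie($name, $token, [
            'httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/',
        ]);
        return true;
    }
    // Later requests: the session id alone is not enough; the companion
    // cookie must match the value recorded in the session (constant-time compare).
    $presented = $_COOKIE[$name] ?? '';
    if (!hash_equals($_SESSION['chk'], $presented)) {
        // Mismatch: someone presented a valid id without the second secret.
        // Treat the session as compromised and drop it.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

if (!session_guard()) {
    http_response_code(403);
    exit('Session validation failed.');
}
```

Note that this only defeats the case the original question asks about (a session id copied out of a URL): a plaintext connection still exposes both cookies to a sniffer, which is why the later reply points at SSL.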

yup!


Originally posted by GNUbie
Now you're getting into key management issues ;)

Unless you're encrypting your connection (via SSL), any packets sent to a web server can be sniffed. However, this is a topic that's been covered extensively. Do a search on the word "security" and you'll see what I mean.
