WebApp Sec mailing list archives
PHP session management
From: Gavin Zuchlinski <gzuchlinski () pgsit org>
Date: Sat, 25 Oct 2003 18:51:13 -0400
Hi, I noticed on a server how PHP creates files in /tmp in the form sess_XXXXXXXXX to store session information (of course only readable by the apache user), but "XXXXXXXXX" is the actual session ID. If a person has local access to a system using PHP's session management, aren't they able to hijack any session? Am I a complete moron and am missing something?

And that aside, are there any other known problems with using PHP sessions (besides all the standard PHP security issues like variable access)?

-Gavin
http://libox.net/