WebApp Sec mailing list archives
Re: PHP session management
From: "Gavin Zuchlinski" <gzuchlinski () pgsit org>
Date: Mon, 27 Oct 2003 07:07:47 -0500
Sorry to post again, but my last idea was just too complex.
This isn't really a problem to bypass. If someone's got local access, it's likely they will have access to some sort of web folder, whether that be a virtual host or home dirs (www.foo.com/~username); you can easily access the information stored in the session with a script like this:
I think that hashing the session ID in the filename will solve our problems here. After hashing, an attacker wouldn't be able to hijack the session, and with good file-opening restrictions an attacker couldn't open the session files manually. -Gavin http://libox.net/
Current thread:
- PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Matt Rohrer (Oct 26)
- Re: PHP session management Tommy Gildseth (Oct 26)
- Re: PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Hokkaido (Oct 27)
- Re: PHP session management Gavin Zuchlinski (Oct 27)
- Re: PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Boris Penck (Oct 27)
- Re: PHP session management weigelt (Oct 28)
- Re: PHP session management Ivan Ristic (Oct 28)
- Re: PHP session management weigelt (Oct 28)
- <Possible follow-ups>
- RE: PHP session management Tyler Larson (Oct 27)