WebApp Sec mailing list archives
PHP Session ID's
From: focus () karsites net
Date: Tue, 19 Jul 2005 08:29:20 +0100 (BST)
You can pass the PHP session ID as a <input type="hidden" name="xyz"> html form variable if using a form. You can even create a blank form just for this purpose. E.g.:

```php
<?php
function simple_SEARCH_button($text) {
    global $session_id;
?>
<FORM ACTION="./search.hml" METHOD="POST">
<P ALIGN=CENTER>
<!-- htmlspecialchars() added to the posted code so a crafted value cannot break out of the attribute -->
<INPUT TYPE="SUBMIT" VALUE="<?php echo htmlspecialchars($text); ?>">
</P>
<!-- pass the following hidden variables with the form -->
<INPUT TYPE="HIDDEN" NAME="session_id" VALUE="<?php echo htmlspecialchars($session_id); ?>">
</FORM>
<?php
} // end of simple_SEARCH_button($text)
```
!! In short, you are better off putting the session id in a cookie than
!! putting it in the URL. You are right that referrer headers are one
!! way that a URL session id can leak. It may also be logged in proxies
!! or firewalls.
my 2c Keith Roberts http://www.karsites.net
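The quoted advice above (cookie rather than URL) in working form, as an added example that is not part of the original post or of any project it mentions. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and a site served over HTTPS; the function names are this example's own.

```php
<?php
// Added example: keep the session id in a cookie only, with hardened
// cookie attributes, so it never rides in a URL, a Referer header, or a
// proxy/firewall log. Assumes PHP >= 7.3 and an HTTPS-only site.

function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started; ini changes below would be ignored
    }

    // Only read the session id from the cookie, never from the query
    // string or form body.
    ini_set('session.use_only_cookies', '1');
    // Do not rewrite links/forms to carry PHPSESSID (the URL leak above).
    ini_set('session.use_trans_sid', '0');
    // Discard ids the server did not generate itself (session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',  // withheld on cross-site sub-requests and POSTs
    ]);

    session_start();
}

function on_successful_login(int $userId): void
{
    // Issue a fresh id on privilege change so any id observed before
    // login (or planted by a third party) is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Usage: call start_hardened_session() at the top of every request,
// then on_successful_login($id) once credentials have been verified.
start_hardened_session();
```

With use_only_cookies and use_trans_sid set this way, a hidden form field like the one in the post is no longer needed for session tracking; a hidden field is then better reserved for an anti-CSRF token, which is a different value from the session id.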