WebApp Sec mailing list archives

Re: PHP session management


From: "Gavin Zuchlinski" <gzuchlinski () pgsit org>
Date: Mon, 27 Oct 2003 07:07:47 -0500

Sorry to post again, but my last idea was just too complex.

This isn't really a problem to bypass. If someone's got local access,
it's likely they will have access to some sort of web folder, whether that
be a virtualhost or homedirs (www.foo.com/~username); you can easily
access the information stored in the session with a script like this:

I think that hashing the session ID in the filename will solve our problems
here. After hashing, an attacker wouldn't be able to hijack the session, and
with good file opening restrictions an attacker couldn't open the session
files manually.

-Gavin
http://libox.net/
