You also should read up on Session Fixation and Session Hijacking:
http://en.wikipedia.org/wiki/Session_fixation
http://en.wikipedia.org/wiki/Session_hijacking

They kind of reference each other, but you get the idea.

-Mark

On Oct 3, 5:39 pm, Bert Van den Brande <cyr...@gmail.com> wrote:
> You might want to read this: http://be2.php.net/manual/en/session.security.php
>
> On Sat, Oct 3, 2009 at 11:35 PM, Dave Maharaj :: WidePixels.com <d...@widepixels.com> wrote:
> > Right on.
> >
> > In my app nothing is passed in the URL. All my non-private areas are like
> > /manage/profile or /manage/account, as everything related to the user is
> > obtained by the auth ID of the logged-in user and getting the info based on
> > that.
> >
> > So I was just wondering, if someone did get the session, how would they do
> > it, and what are ways to prevent it?
> >
> > Thanks
> >
> > Dave
> >
> > ------------------------------
> > *From:* Bert Van den Brande [mailto:cyr...@gmail.com]
> > *Sent:* October-03-09 6:40 PM
> > *To:* cake-php@googlegroups.com
> > *Subject:* Re: Session / Security
> >
> > I'm no expert on the subject, but I think a session can be hijacked by:
> > * 'stealing' a session id from the URL. This is only possible if the user's
> >   browser doesn't use cookies, so the session id is visible in the URL
> > * stealing a session cookie
> >
> > In either case, logging the user's IP would increase security IMHO.
> >
> > I'm interested in other opinions :)
> >
> > On Sat, Oct 3, 2009 at 10:08 PM, Dave Maharaj :: WidePixels.com <d...@widepixels.com> wrote:
> >
> > > Not quite sure how this works, but how does one steal a session?
> > >
> > > I have my session info stored in the database... if I added IP to the
> > > session so it also checks that the session IP matches the user IP, would
> > > that increase the session security? What are safeguards / good practice to
> > > secure session data?
> > >
> > > Thanks
> > >
> > > Dave
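As an added example (not code from the thread, from CakePHP, or from the PHP manual page Bert links), here is plain-PHP session handling that closes the paths discussed above: the session id leaking through the URL, a planted (fixated) id surviving login, a stolen cookie being usable from another client, and a stolen session staying valid indefinitely. It assumes PHP 7.3 or later (array form of session_set_cookie_params/setcookie) and an HTTPS deployment; the function names, the /24 network prefix used for the binding check, and the 30-minute idle limit are illustrative choices for this example. The binding check is the "add IP to the session" idea Dave asked about; the caveat a practitioner wants alongside it is that a strict full-IP match logs out legitimate users whose address changes (mobile networks, rotating proxies), so a mismatch is best treated as a reason to re-authenticate rather than as proof of an attack.

```php
<?php
// Added example, not the thread's or CakePHP's code. Assumes PHP >= 7.3,
// HTTPS, and that the application's own auth code calls login_user(),
// current_user() and logout_user(). Names and thresholds are illustrative.
declare(strict_types=1);

/** Apply session settings; must run before session_start(). */
function harden_session_config(): void
{
    // Never accept or emit the session id in the URL, so it cannot be read
    // from Referer headers, proxy logs, or a pasted link.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not generate itself: an attacker cannot
    // plant a chosen id (session fixation) and wait for the victim to log in.
    ini_set('session.use_strict_mode', '1');
    // HttpOnly keeps document.cookie from reading the id (XSS theft),
    // Secure keeps it off plain HTTP, SameSite limits cross-site sending.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Client fingerprint for the optional binding check. Binds the IPv4 /24
 * (not the full address) plus the User-Agent, to tolerate small address
 * changes; IPv6 addresses are used as given. Illustrative choice.
 */
function client_fingerprint(string $remoteAddr, string $userAgent): string
{
    $net = $remoteAddr;
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $net = substr($remoteAddr, 0, (int) strrpos($remoteAddr, '.'));
    }
    return hash('sha256', $net . '|' . $userAgent);
}

/** Call only after credentials have been verified. */
function login_user(int $userId): void
{
    // A fresh id on privilege change makes any id an attacker knew before
    // login worthless; true also deletes the old server-side data.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint(
        $_SERVER['REMOTE_ADDR'] ?? '', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen']   = time();
}

/** Logged-in user id, or null if the session must not be trusted. */
function current_user(int $idleLimitSeconds = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    $now = client_fingerprint(
        $_SERVER['REMOTE_ADDR'] ?? '', $_SERVER['HTTP_USER_AGENT'] ?? '');
    // hash_equals: constant-time comparison. A stolen cookie presented from
    // a different network/browser, or an idle session, is torn down and the
    // user is sent back through login rather than silently trusted.
    if (!hash_equals($_SESSION['fingerprint'], $now)
        || time() - (int) $_SESSION['last_seen'] > $idleLimitSeconds) {
        logout_user();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

/** Destroy server-side state and expire the cookie on the client. */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Typical request flow (front controller / bootstrap):
harden_session_config();
session_start();
// after a successful password check:   login_user(42);
// on every protected page:             $uid = current_user();
```

The order matters: the ini_set and session_set_cookie_params calls take effect only if they run before session_start(), and session_regenerate_id() belongs at the moment of login (and any other privilege change), not on every request, where it would only add churn to the database-backed session store Dave describes.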