RE: Session / Security

2009-10-13 Thread Dave Maharaj :: WidePixels.com

Thanks for the links

I am on a shared hosting server and found this when reading:

If the cookie's path is set to '/' (the whole domain), then any website on
the same domain (might be lots of websites) _will_ get the cookie through
HTTP headers and could possibly hijack your session.

How can this be avoided in this situation, with shared hosting or not?

I have
Webroot/
public_html/
/app1
/app2

Dave


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to 
cake-php+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Session / Security

2009-10-13 Thread AD7six



in what way is using shared hosting relevant to that question, you
plan on/are sharing the same domain with servers/people you don't
know?

AD



RE: Session / Security

2009-10-13 Thread Dave Maharaj :: WidePixels.com

Hey AD,

Maybe (probably) I am lost on what I read.

I have my domain on a non-dedicated hosting platform. But the only thing in
my domain is my site.
I thought what I read was about: If the cookie's path is set to '/' (the whole
domain), then any website on the same domain (might be lots of websites) _will_
get the cookie through HTTP headers and could possibly hijack your session.

Are they referring to the server domain or my domain? My understanding is
shared hosting all points to specific IPs for that host and then they serve
up the domain the user requested.

So when someone requests my site they go to 123.123.12.12 for example and
they send back my site to the user. The cookie set to '/', is that for
mysite.com or 123.123.12.12?

Maybe just lost in the translation.

Thanks,

Dave




Re: Session / Security

2009-10-13 Thread Miles J

It only applies to the domain (name.com), not the whole shared vhosts
grid server.




RE: Session / Security

2009-10-13 Thread Dave Maharaj :: WidePixels.com

Ok that’s all I wanted to know.

Thanks.




Re: Session / Security

2009-10-04 Thread mark_story

You also should read up on Session Fixation, Session hijacking, and

http://en.wikipedia.org/wiki/Session_fixation
http://en.wikipedia.org/wiki/Session_hijacking

Which kind of reference each other but you get the idea.

-Mark




Re: Session / Security

2009-10-03 Thread Bert Van den Brande
I'm no expert on the subject, but I think a session can be hijacked by:
* 'stealing' a session id from the url. This is only possible if the user's
browser doesn't use cookies, so the session id is visible in the url
* stealing a session cookie

In either case, logging the user's ip would increase security imho.

I'm interested in other opinions :)

On Sat, Oct 3, 2009 at 10:08 PM, Dave Maharaj :: WidePixels.com 
d...@widepixels.com wrote:

  Not quite sure how this works but how does one steal a session?

 I have my session info stored in the database... if I added IP to the
 session so it also checks that the session IP matches the user IP, would that
 increase the session security? What are safe guards / good practice to secure
 session data?

 Thanks

 Dave


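An added example, not code from the thread or from CakePHP, showing the server-side checks discussed above in one place: session ids are only ever issued by the server and replaced on login (so a planted id cannot become authenticated), each session is bound to the client's IP and User-Agent as Dave asks, and the cookie is scoped with a Path for the /app1, /app2 layout from the shared-hosting question. The in-memory store, the client values and the CAKEPHP cookie name are constructed assumptions.

```python
import secrets
import time

# Constructed in-memory stand-in for the database-backed session store
# mentioned in the thread; only ids generated here are ever accepted.
SESSIONS = {}
IDLE_TIMEOUT = 1800  # seconds of inactivity before a session is dropped

def new_session(client_ip, user_agent):
    """Issue a fresh, unguessable session id bound to this client."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": None, "ip": client_ip, "ua": user_agent,
                     "last_seen": time.time()}
    return sid

def load_session(sid, client_ip, user_agent, now=None):
    """Return the session for sid, or None if the id was never issued,
    has expired, or is presented by a client it was not bound to."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None  # unknown id: an attacker-chosen (fixated) id is ignored
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        SESSIONS.pop(sid, None)
        return None
    # IP/User-Agent binding, as asked in the thread: a copied id presented
    # from another host fails and the session is destroyed. Caveat: users
    # behind rotating proxies or mobile carriers change IP mid-session, so
    # some deployments bind only the User-Agent or a coarse IP prefix.
    if sess["ip"] != client_ip or sess["ua"] != user_agent:
        SESSIONS.pop(sid, None)
        return None
    sess["last_seen"] = now
    return sess

def login(old_sid, user_id, client_ip, user_agent):
    """Privilege change: drop the pre-login id and issue a new one, so an id
    planted before login (session fixation) never becomes authenticated."""
    SESSIONS.pop(old_sid, None)
    sid = new_session(client_ip, user_agent)
    SESSIONS[sid]["user_id"] = user_id
    return sid

def set_cookie_header(sid, path="/app1"):
    """Build the Set-Cookie line. Path restricts which URLs on this host
    receive the id (relevant to the /app1, /app2 layout in the thread),
    HttpOnly keeps it from page scripts, Secure keeps it off plain HTTP."""
    return f"Set-Cookie: CAKEPHP={sid}; Path={path}; HttpOnly; Secure"
```

Path only scopes the cookie within one host name; as Miles says below, a cookie for mysite.com is never sent to other domains on the same shared server.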



RE: Session / Security

2009-10-03 Thread Dave Maharaj :: WidePixels.com
Right on.

In my app nothing is passed in the url; all my non-private areas are like
/manage/profile or /manage/account, as everything related to the user is
obtained by the auth ID of the logged-in user and getting the info based on
that.

So I was just wondering if someone did get the session, how would they do it,
and ways to prevent it.

Thanks

Dave




Re: Session / Security

2009-10-03 Thread Bert Van den Brande
You might want to read this :
http://be2.php.net/manual/en/session.security.php
