Fw: [PHP] SESSION Security

2002-08-14 Thread Sascha Braun
> Sent: Thursday, August 15, 2002 12:30 AM > Subject: Re: [PHP] SESSION Security > > > On Thursday, 15 August 2002 01:03, you wrote: > > > So, if somebody gets an ftp account somehow, he

Re: [PHP] SESSION Security

2002-08-14 Thread Bas Jobsen
On Thursday, 15 August 2002 01:03, you wrote: > So, if somebody gets an ftp account somehow, he will be able to get session > vars via a system() command? You hold him in his own dir by the chroot setting of your ftpserver. > via a system(); you mean if they upload a php file? prevent that wit

Re: [PHP] SESSION Security

2002-08-14 Thread Ilia A.
From: "Ilia A." <[EMAIL PROTECTED]> > To: "Sascha Braun" <[EMAIL PROTECTED]>; "PHP Mailingliste" > <[EMAIL PROTECTED]> > Sent: Thursday, August 15, 2002 1:36 AM > Subject: Re: [PHP] SESSION Security > > > On August 14, 2002 07:03 pm,

Re: [PHP] SESSION Security

2002-08-14 Thread Sascha Braun
From: "Ilia A." <[EMAIL PROTECTED]> > > To: "Sascha Braun" <[EMAIL PROTECTED]>; "PHP Mailingliste" > > <[EMAIL PROTECTED]> > > Sent: Thursday, August 15, 2002 1:27 AM > > Subject: Re: [PHP] SESSION Security > > > > > I

Re: [PHP] SESSION Security

2002-08-14 Thread Ilia A.
Sent: Thursday, August 15, 2002 1:27 AM > Subject: Re: [PHP] SESSION Security > > > If a person 'somehow' gains read access to the directory where the sessions are stored on your server, then yes it is p

Re: [PHP] SESSION Security

2002-08-14 Thread Sascha Braun
Sent: Thursday, August 15, 2002 1:27 AM Subject: Re: [PHP] SESSION Security > If a person 'somehow' gains read access to the directory where the sessions are stored on your server, then yes it is possible for them to get the session id. > > Ilia > > On Aug

Re: [PHP] SESSION Security

2002-08-14 Thread Ilia A.
If a person 'somehow' gains read access to the directory where the sessions are stored on your server, then yes it is possible for them to get the session id. Ilia On August 14, 2002 06:41 pm, Sascha Braun wrote: > Is it possible that someone from outside can read the session stored > on my we

[PHP] SESSION Security

2002-08-14 Thread Sascha Braun
Is it possible that someone from outside can read the session stored on my webserver for getting unencrypted passwords and usernames? Schura

[PHP] session security

2002-06-02 Thread Giancarlo Pinerolo
Why can a user force PHP to create a session whose name he's giving in the URL? Do you want me to list half a dozen ways to get rich now with these holes? Does anyone understand the malice of this? Anyone can offer you a click on a session he's going to visit later and hijack from you? Anyone can

Re: [PHP] session security issue

2001-08-16 Thread Renze Munnik
On Wed, Aug 15, 2001 at 10:52:33PM -0300, Christian Dechery wrote: > >$HTTP_SERVER_VARS{"SSL_SESSION_ID"} > > > >Another thing I found with phpinfo() is > >$HTTP_SERVER_VARS{"UNIQUE_ID"}. I don't know (yet) what it is, but it > >sounds usable, doesn't it? > > sure it does... but first we need to k

Re: [PHP] session security issue

2001-08-15 Thread speedboy
You need to check against a value that was registered as a session variable. There is no use in checking if some SSL variable is set. Here's a simplified version of my check_session function that I run at the top of every page that requires a session to be established. I also write to the session

Re: [PHP] session security issue

2001-08-15 Thread Renze Munnik
On Tue, Aug 14, 2001 at 02:32:03PM -0700, David Price wrote: > Sean, > > That is a very interesting suggestion. How would you call that using PHP? > > Thanks, > > David Price $HTTP_SERVER_VARS{"SSL_SESSION_ID"} Another thing I found with phpinfo() is $HTTP_SERVER_VARS{"UNIQUE_ID"}. I don't

RE: [PHP] session security issue

2001-08-14 Thread David Price
Subject: Re: [PHP] session security issue Hi, For security use SSL and get the SSL session ID instead. This cannot be fooled since it is based on a PK handshake and with symmetric encryption. Sean C. McCarthy SCI, S.L. (www.sci-spain.com) Christian Dechery wrote: > > I have page

Re: [PHP] session security issue

2001-08-14 Thread Sean C. McCarthy
Hi, For security use SSL and get the SSL session ID instead. This cannot be fooled since it is based on a PK handshake and with symmetric encryption. Sean C. McCarthy SCI, S.L. (www.sci-spain.com) Christian Dechery wrote: > > I have pages that use sessions for security that look s

Re: [PHP] session security issue

2001-08-14 Thread Tim
If you test $HTTP_SESSION_VARS["uid"] instead, you'll know that it came from a session and not from a GET variable. - Tim On 14 Aug 2001 08:42:22 -0300, Christian Dechery wrote: > I have pages that use sessions for security that look something like this: > >session_start(); > >

Re: [PHP] session security issue

2001-08-14 Thread Renze Munnik
On Tue, Aug 14, 2001 at 08:42:22AM -0300, Christian Dechery wrote: > I have pages that use sessions for security that look something like this: > >session_start(); > > if( !isset($uid) ) > { > include("include/auth.inc.php"); > auth_user(); >

[PHP] session security issue

2001-08-14 Thread Christian Dechery
I have pages that use sessions for security that look something like this: so $uid tells me if the user is logged on or not... but what if somebody calls the script directly from the address bar like this: http://server/script.php?uid=10 wouldn't this be a security problem?