NYCPHP Meetup

[Chris Shiflett]

--- Chris Snyder <chris at psydeshow.org> wrote:
> While it's true that URI query strings may be superior
> to cookies for passing session information, what
> happens when a user copy-and-pastes the URL into an
> email client and sends it to their friends?

I would not make such a bold claim about URL variables. To
be fair, however, the copy and paste vulnerability you
describe exists in cookies also, even though perhaps not as
conveniently.

Client data, whether form variables, URL variables, or
cookies, can be easily modified. Imagine someone who
telnets to port 80 of your Web site and types in their own
HTTP request, as an example. Or, as a simpler example,
imagine someone who edits their cookies.txt file to send
you someone else's cookie.

> Even if you tied the session to an IP address, a user
> coming in through an AOL proxy would get dropped on
> their next request. Or am I being naive about this?

I don't think you're being naive at all. While the TCP/IP
layer is harder to spoof than the HTTP layer, the
disadvantages far outweigh any subtle security enhancement
(that can be achieved in more reliable ways anyway). There
are two cases that can really break your application when
you rely on any data from the TCP/IP layer:

1. Many clients appear to be the same client - an HTTP
proxy  serves many clients.
2. A single client appears to be many different clients - a
round-robin HTTP proxy serves many clients (such as AOL).

Chris