[nycphp-talk] Session Thoughts

felix zaslavskiy felix at students.poly.edu
Fri Oct 31 12:24:06 EST 2003


On Fri, 31 Oct 2003 08:57:09 -0800 (PST)
Chris Shiflett <shiflett at php.net> wrote:

> okie is compromised for whatever
> reason, this ensures that the attacker is able to hijack the user's
> session at any time in the future?

You can prevent that; construct the cookie like this:
hash( hash(password) | sessid | expire-date-time ) | sessid | expire-date-time

But yes the session could be hijacked and used before it expires.

If you use PHP sessions they will expire eventually, so it's all taken care of for you. PHP sessions don't carry any login information in the cookie, but if you construct your own session cookie you can embed the login information like the password in it yourself.
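A worked rendering of the cookie layout Felix describes, added here as an example; it is not code from the post or from PHP's own session handling. SHA-256 as the hash, a literal `|` as the field separator, a Unix timestamp as the expire-date-time, and the server looking up the account's current password hash by session id are assumptions of this example.

```python
import hashlib
import hmac

SEP = "|"  # field separator; assumed here, the post does not fix one


def password_hash(password: str) -> str:
    """The post's hash(password); SHA-256 is an assumption of this example."""
    return hashlib.sha256(password.encode()).hexdigest()


def _mac(pw_hash: str, sessid: str, expires: int) -> str:
    """hash( hash(password) | sessid | expire-date-time ) from the post."""
    data = f"{pw_hash}{SEP}{sessid}{SEP}{expires}".encode()
    return hashlib.sha256(data).hexdigest()


def make_cookie(pw_hash: str, sessid: str, expires: int) -> str:
    """Cookie value: hash(...) | sessid | expire-date-time (expiry as a Unix time)."""
    return f"{_mac(pw_hash, sessid, expires)}{SEP}{sessid}{SEP}{expires}"


def check_cookie(cookie: str, pw_hash: str, now: int):
    """Return the session id if the cookie verifies and is unexpired, else None.

    pw_hash is the *current* stored password hash for the account the server
    associates with this session (looked up by sessid in a real deployment), so
    a password change invalidates every cookie built from the old hash.
    """
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    mac, sessid, exp_str = parts
    if not exp_str.isdigit():
        return None
    expires = int(exp_str)
    if now >= expires:  # expired: reject before doing any hashing
        return None
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac, _mac(pw_hash, sessid, expires)):
        return None
    return sessid


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    pw = password_hash("correct horse battery staple")
    cookie = make_cookie(pw, "3f9a1c", 1_700_000_000)
    print(check_cookie(cookie, pw, 1_699_999_000))  # accepted: 3f9a1c
    print(check_cookie(cookie, pw, 1_700_000_000))  # expired: None
    mac, sid, exp = cookie.split(SEP)
    forged = f"{mac}{SEP}{sid}{SEP}{int(exp) + 3600}"
    print(check_cookie(forged, pw, 1_699_999_000))  # expiry edited: None
    new_pw = password_hash("a different password")
    print(check_cookie(cookie, new_pw, 1_699_999_000))  # password changed: None
```

The verifier rejects a cookie whose expiry field has been edited, one that has expired, and one issued before a password change, which is what embedding hash(password) buys you over a bare session id. It does not help with the case Felix concedes: a copied cookie that is still within its expiry window verifies exactly as the original does, so the expiry is what bounds that replay window.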
