NYCPHP Meetup

NYPHP.org

[nycphp-talk] Experts help needed (Sessions)

David Mintz dmintz at davidmintz.org
Mon Aug 8 09:50:01 EDT 2005


I thought that one of the main points of
http://shiflett.org/code/http-developers-handbook/session_example.phps --
though it's for demo purposes only -- is the technique of re-writing all
your URLs to include a token as a secondary identifier in addition to the
session id so that an attacker has to steal both in order to succeed.

Do the solutions you're also playing with work that way, or just by
storing extra stuff in the session to compare with the current request?

Also, isn't there a more than negligible chance that an attacker could be
using the same UA as the victim?

---
David Mintz
http://davidmintz.org/


