
[nycphp-talk] Session basics

Brian O'Connor gatzby3jr at gmail.com
Thu Aug 11 13:46:51 EDT 2005


He asked if I was setting the information in a cookie, or by using 
$_SESSION, so I told him.

On 8/10/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
On Wed, Aug 10, 2005 at 12:10:54PM -0400, Brian O'Connor wrote:

> And I have a question about my current system:
> As of right now, I create 3 sessions for each user: userID, user, and pass

Do you mean you're setting three cookies? Don't.

Don't set any cookies manually. Let PHP's session_start() do it for you.

Then, to save data in the session, save it like this:

$_SESSION['username'] = 'foo';

That saves it on the server, which is the whole point of sessions.

--Dan

I understand that I'm not creating 3 different sessions; it was just my 
terminology that I misused.

So what you're saying is if I see a "?PHPSESSID=xxxxxxxxxxxx" in the URL of 
my site, then it is vulnerable?

On 8/11/05, Aaron Fischer <agfische at email.smith.edu> wrote:
> 
> 
> Brian O'Connor wrote:
> > I don't use cookies for that. I use $_SESSION['userID'],
> > $_SESSION['user'], $_SESSION['pass'].
> >
> > I understand the concept of sessions, I don't understand the concept of
> > hijacking them, and making a system to prevent hijacking them.
> >
> > On 8/10/05, *Daniel Convissor* <danielc at analysisandsolutions.com
> > <mailto:danielc at analysisandsolutions.com>> wrote:
> >
> > On Wed, Aug 10, 2005 at 12:10:54PM -0400, Brian O'Connor wrote:
> >
> > > And I have a question about my current system:
> > > As of right now, I create 3 sessions for each user: userID, user,
> > and pass
> >
> > Do you mean you're setting three cookies? Don't.
> >
> > Don't set any cookies manually. Let PHP's session_start() do it for
> > you.
> >
> > Then, to save data in the session, save it like this:
> >
> > $_SESSION['username'] = 'foo';
> >
> > That saves it on the server, which is the whole point of sessions.
> >
> > --Dan
> >
> 
> I think you're still missing part of how php sessions work.
> 
> The default is for sessions to use a cookie. When a new session is
> started a cookie is sent to the user that contains the unique session
> name. All other session variables are stored on the server. When going
> to a new page, the session name in the cookie is compared to the session
> name on the server. If they match, OK, things continue.
> 
> If you don't want to use a cookie you can pass the session name along in
> the URL using the PHPSESSID constant. I believe that this is not
> recommended as it is very transparent.
> 
> Also, in your example you are not creating three different sessions.
> You are creating one session and storing three different variables in
> that session.
> 
> I believe that if you want to get more in depth about preventing
> sessions from being hijacked, that is when you get into writing your own
> session functions/classes (see the other ongoing sessions thread).
> 
> I'm just a newbie of sorts myself, so I'm hoping the gurus will correct
> me if I have inaccuracies here.
> 
> hth,
> 
> -Aaron
> 
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
> 



-- 
Brian O'Connor
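The advice in this thread (let session_start() set the cookie, keep the session id out of the URL, store data server-side in $_SESSION) in working form, as an added example that is not code from any poster. It assumes a current PHP (7.3 or later) and a hypothetical verify_credentials() standing in for a real user lookup; it also goes one step past the thread by regenerating the id after login and by never putting the password in the session.

```php
<?php
// Added example: cookie-only PHP sessions, a login that stores only the
// user id server-side, and session-id regeneration after authentication.
declare(strict_types=1);

// With these settings PHP ignores a "?PHPSESSID=..." passed in the URL and
// never rewrites links to carry it, so the id only travels in the cookie.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_set_cookie_params([
    'httponly' => true,   // script on the page cannot read the cookie
    'secure'   => true,   // sent over HTTPS only
    'samesite' => 'Lax',
]);

session_start(); // PHP issues the cookie itself; nothing is set by hand

/** Hypothetical credential check; returns the user's id or null. */
function verify_credentials(string $user, string $pass): ?int
{
    // Constructed stand-in for a database row holding a password hash.
    $users = ['alice' => ['id' => 42,
                          'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['id'];
}

function login(string $user, string $pass): bool
{
    $id = verify_credentials($user, $pass);
    if ($id === null) {
        return false;
    }
    // A fresh id after login invalidates any id planted or observed
    // before authentication (session fixation defence).
    session_regenerate_id(true);
    // Store only what later requests need; the password stays out of the session.
    $_SESSION['userID'] = $id;
    $_SESSION['user']   = $user;
    return true;
}

function current_user_id(): ?int
{
    return isset($_SESSION['userID']) ? (int) $_SESSION['userID'] : null;
}
```

Later pages call session_start() with the same ini settings and read current_user_id(); the browser only ever holds the opaque session id, never the user's data.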