[nycphp-talk] Session basics
Aaron Fischer
agfische at email.smith.edu
Fri Aug 19 14:27:25 EDT 2005
If the session has expired, such as in browser close or timeout, the
bookmarked page won't be a liability as the session id in the URL won't
find a matching session id on the server.
Authentication would fail and the result might be the user being sent
back to the login page.
I think... Someone please correct me if I'm wrong.
-Aaron
Billy Pilgrim wrote:
>
> Not to mention that if someone bookmarks the page, the session id will
> get stored in the user's bookmark url!
>
>
>>
>>>>So what you're saying is if I see a "?PHPSESSID=xxxxxxxxxxxx" in the URL of
>>>my site, then it is vulnerable?
>>Yeah.
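
As an added example (not part of the original thread), one way to keep `PHPSESSID` out of URLs and bookmarks and to avoid honoring an ID that arrives from a stale link. It assumes PHP 7.3 or later and an HTTPS site; the function names and the 30-minute idle limit are hypothetical.

```php
<?php
// Added example; helper names and IDLE_LIMIT are assumptions, not from the thread.
const IDLE_LIMIT = 1800; // assumed idle timeout, in seconds

function start_hardened_session(): void
{
    // These must be set before session_start().
    ini_set('session.use_only_cookies', '1'); // ignore a PHPSESSID sent in the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server has no session for
    ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
    ini_set('session.cookie_secure', '1');    // assumes the site is served over HTTPS
    ini_set('session.cookie_samesite', 'Lax');

    session_start();

    // Enforce the idle timeout on the server instead of relying on the
    // browser discarding the cookie or on session garbage collection.
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && time() - $last > IDLE_LIMIT) {
        $_SESSION = [];              // drop the authenticated state
        session_regenerate_id(true); // issue a fresh ID and delete the old session data
    }
    $_SESSION['last_seen'] = time();
}

function login_user(string $userId): void
{
    // Change the ID at the moment of privilege change, so an ID that was
    // known before login (for example from a shared link) is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function current_user(): ?string
{
    // null means "not authenticated": send the visitor to the login page.
    return $_SESSION['user_id'] ?? null;
}
```

With `session.use_strict_mode` off, PHP starts a new session under whatever unknown ID the client presents, so the strict-mode line is what makes a stale or planted ID get replaced rather than adopted.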