[nycphp-talk] Session basics
Billy Pilgrim
bpilgrim1979 at gmail.com
Sun Aug 21 22:48:19 EDT 2005
On 8/19/05, Chris Shiflett <shiflett at php.net> wrote:
> Aaron Fischer wrote:
> > If the session has expired such as in browser close or timeout, the
> > bookmarked page won't be a liability as the session id in the URL won't
> > find a matching session id on the server.
>
> The server doesn't know when the browser is closed, so that part's not
> right. It is true that a session timeout (on the server side) offers
> some protection against this type of accidental hijacking.
A bookmarked session id might not result in a hijacked session, but
it's not a good idea to have session ids exposed and kept around like
that.
Consider another example: Someone is logged into a newspaper site and
sees an interesting article. The user copies the url (with session id)
and pastes it in an email to a friend. If the friend receives the
email quickly and the server has a long timeout, accidental session
hijacking could occur.
The primary reason to have a session id in the url is if the browser
doesn't support cookies, right?
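As an added example (not part of this thread, and not code from any of the posters), the PHP settings below keep the session id out of URLs entirely and enforce the server-side idle timeout the thread mentions, so a bookmarked or emailed link carrying an old id finds nothing on the server. It assumes PHP 5.2 or later and that it runs before any output; the idle limit is a constructed value.

```php
<?php
// Added example: cookie-only sessions plus a server-side idle timeout.
// Must run before any output is sent.

// Never accept or emit the session id in URLs; use cookies only.
ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid', '0');     // don't rewrite links/forms to carry the id
ini_set('session.cookie_httponly', '1');   // keep script access away from the cookie

// A lifetime of 0 makes the browser drop the cookie when it closes, but the
// server never learns that the browser closed, so the timeout below is what
// actually ends the session on the server side.
ini_set('session.cookie_lifetime', '0');

define('SESSION_IDLE_LIMIT', 900); // 15 minutes; constructed value, tune per site

session_start();

$now = time();
if (isset($_SESSION['last_activity'])
    && ($now - $_SESSION['last_activity']) > SESSION_IDLE_LIMIT) {
    // Idle too long: discard the data and delete the old session file, then
    // issue a fresh id. A replayed old id now matches nothing on the server.
    $_SESSION = array();
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = $now;

// Hypothetical helper: call this after a successful credential check so that
// any id the client held before authenticating is not the one that becomes
// authenticated.
function login_user($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
}
```

With `session.use_only_cookies` on, a URL such as `page.php?PHPSESSID=abc` is simply ignored, which removes the bookmark and email cases discussed above; browsers that refuse cookies lose the session rather than falling back to the URL, which is the trade-off the last question in the post is asking about.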