Question : Session #80
Comments
|
As long as there is issue #69 open, the generated session ids are sort of predictable anyway. But then: The IP address should not go into anything - this information is designed to change over time. The user agent? Probably a valid info, but also not very secret - if I would be an attacker, I would try to copy the original request as closely as possible. Session security is most impacted by predictable session ids. And insecure unencrypted communication. |
|
The program is not blindly believing in COOKIE variable. If you will see, the sessions are being checked in DB itself, whether its a valid sessionID or not. |
|
@SvenRtbg i guess it wont be that easy to solve then!? @rash805115 I did not explained correctly. When i said it was blindy believing (i know the the session_id is verified in the db), i was referring that if the cookie was hijacked theres was no other information to know if it was stolen, i suggested (IP and USERAGENT). From what SvenRtbg wrote it isn't also a viable solution as it can be tampered. |
While adding last_activity update in Session class, this following two function seemed strange:
Session:newSession()
-Isn't there a possibility that randstr could create an already existing session_id, it could trigger a collision?
Session:existingSession()
-This function is blindly believing in $_COOKIE["SESSIONID"], is it not better to store some additional info with the session (IP, USERAGENT, ...) to try to mitigate Session/Cookie Hijacking?
What do you guys think?
The text was updated successfully, but these errors were encountered: