bug? #1

Open
brothertao opened this Issue Oct 20, 2011 · 5 comments


@brothertao

If a user was authenticated, and then uses the session id with another user name, the bad thing happens.

@videlalvaro
Owner

Mm…… I don't understand. And keep in mind this is an experiment. So you probably want to take it as a starting point.

@brothertao

If I get an authed session_id (I am a registered user on your site),
and now I use the session id with a different user name. For example: to use the user name admin, who has all the privileges for the URL:5280/admin.
Then I get all the privileges of the ejabberd server,
or I can use some other user name if I want.

@videlalvaro
Owner

Well that's a common issue with PHP and knowing the session_id. If you can spoof that then you can impersonate other users. You need to add some extra mechanics to prevent that.

@videlalvaro
Owner

Maybe I will add a note to the README of this project so people are aware of this issue. Thanks for bringing it up.

@brothertao

Yes, I think I must check the user name with the session id.


Just to try

On Thu, Oct 20, 2011 at 5:36 PM, Alvaro Videla <reply@reply.github.com> wrote:

Well that's a common issue with PHP and knowing the session_id. If you can
spoof that then you can impersonate other users. You need to add some extra
mechanics to prevent that.

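The check brothertao describes, as an added example that is not code from this project (the project is in PHP; this is a Python illustration). It assumes the session id is presented as the XMPP password in an ejabberd external-auth request, and uses a constructed in-memory session store that records which user each session was issued to. The flawed check accepts any existing session id for any user name; the fixed check also requires that the session belong to the requested user.

```python
import struct

# Constructed session store standing in for the PHP session backend (assumption:
# each session records the user name it was issued to, which is what the fix needs).
SESSIONS = {
    "sess-alice-1": {"username": "alice"},
    "sess-admin-9": {"username": "admin"},
}


def session_valid_only(user, session_id):
    """The behaviour reported in the issue: a session id that exists is accepted
    for ANY user name, so 'admin' + alice's session id succeeds."""
    return session_id in SESSIONS


def session_bound_to_user(user, session_id):
    """The fix: the session must exist AND have been issued to the requested user."""
    sess = SESSIONS.get(session_id)
    return sess is not None and sess["username"] == user


def extauth_request(op, user, server, password):
    """Build one ejabberd extauth request: 2-byte big-endian length, then
    'op:user:server:password'."""
    body = f"{op}:{user}:{server}:{password}".encode()
    return struct.pack(">H", len(body)) + body


def handle_extauth(packet, check):
    """Parse one extauth request and return the reply ejabberd expects:
    2-byte length (always 2) followed by a 2-byte result, 1 = accept, 0 = reject.
    Only the 'auth' operation is handled here; everything else is rejected."""
    (length,) = struct.unpack(">H", packet[:2])
    body = packet[2:2 + length].decode()
    op, user, server, password = body.split(":", 3)
    ok = op == "auth" and check(user, password)
    return struct.pack(">HH", 2, 1 if ok else 0)


if __name__ == "__main__":
    req = extauth_request("auth", "admin", "example.com", "sess-alice-1")
    print("session-only check:", handle_extauth(req, session_valid_only))      # accepts
    print("session+user check:", handle_extauth(req, session_bound_to_user))   # rejects
```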
