Question:

I would like to know if I can prevent session id cookie malformation.

Let's say I have a cookie with key SESS and value md73i54kj98ti0uf8dftps2fa3, which is a valid session id, and the corresponding file sess_md73i54kj98ti0uf8dftps2fa3 exists in my session storage folder.

If I modify the value of the SESS cookie to be, for example, foo, it will create a new file in the sessions folder with the name sess_foo.

How can I check that the provided cookie session id value is invalid, so that I can call session_regenerate_id, for example, to set a valid id and create the appropriate file?

Also, I am wondering: if someone hypothetically changes the cookie session id to the real session id of another user, will he get control? Are there ways around this?

Update 1: The first problem can be solved with the session.use_strict_mode ini directive. Though it requires some extra steps when used with a custom session handler.

Answer:

For new session files being created, you already have the solution, which is session.use_strict_mode.

But what about guessing another session id? You are totally right: if you can guess another valid id, you will be using that session, effectively impersonating its owner.

Why is this not a problem then? Because you can't reasonably guess another valid session id. After login, the session id is the only secret used by the user, equivalent to the userid+password for the session.

Comment:

But still, what if the changed session id matches the real session id of another user (my case)? Should I use some kind of fingerprinting (user-agent + ip) or encrypt the session data with a combined key of (user-agent + ip)?
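The "extra steps" with a custom session handler come down to one thing: under session.use_strict_mode PHP can only refuse an id it never issued if the handler implements SessionUpdateTimestampHandlerInterface::validateId(). The following is an added example, not code from the original question or answer, of a minimal file-based handler that does so, together with a session_regenerate_id() call on login. The save path, the cookie name SESS, the accepted id pattern and the PHP 8 signatures are assumptions made for the illustration.

```php
<?php
// Added example (not from the original Q&A). With this handler installed and
// use_strict_mode on, a tampered cookie such as SESS=foo is discarded and a
// fresh id is generated, so no sess_foo file is ever created.
final class StrictFileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private string $savePath;

    public function __construct(string $savePath)
    {
        $this->savePath = rtrim($savePath, '/');
    }

    // Accept only ids built from the characters PHP itself generates; anything
    // else never reaches the filesystem (assumed pattern, covers PHP's sid charsets).
    private function isWellFormed(string $id): bool
    {
        return preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $id) === 1;
    }

    private function pathFor(string $id): string
    {
        return $this->savePath . '/sess_' . $id;
    }

    // Called by PHP under use_strict_mode before a cookie-supplied id is used.
    // false => PHP drops the id and issues a new one.
    public function validateId(string $id): bool
    {
        return $this->isWellFormed($id) && is_file($this->pathFor($id));
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->savePath) || mkdir($this->savePath, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        if (!$this->isWellFormed($id)) {
            return '';
        }
        $data = @file_get_contents($this->pathFor($id));
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        return $this->isWellFormed($id)
            && file_put_contents($this->pathFor($id), $data, LOCK_EX) !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->isWellFormed($id) && touch($this->pathFor($id));
    }

    public function destroy(string $id): bool
    {
        $path = $this->pathFor($id);
        return !$this->isWellFormed($id) || !is_file($path) || unlink($path);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->pathFor('*')) ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

$handler = new StrictFileSessionHandler('/tmp/app_sessions'); // assumed path
session_set_save_handler($handler, true);
session_name('SESS');
session_start([
    'use_strict_mode' => 1,   // reject ids the server never issued
    'cookie_httponly' => 1,
    'cookie_secure'   => 1,
    'cookie_samesite' => 'Lax',
]);

// On successful login, swap the id so a value set before authentication
// never becomes the authenticated session.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Strict mode answers the first question (an unknown id is never adopted); the second question is answered by the id's entropy, which is why the handler's own checks stay limited to well-formedness and existence rather than trying to tie the session to a user-agent or IP.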