The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.
<?php
session_start();
$session_id = session_id(); // the id PHP assigned (or resumed) for this visitor
?>
> Do you need globals on for that?
For session_id() ? No, don't think so.
> Why are you trying to post the PHPSESSID? You shouldn't need to
> because you can call it direct from PHP using:
Read his post again, as he said PHP does it. Default PHP behaviour is to add session ids to all GET/POST data when a session is started and an old one hasn't been detected.
> Read his post again, as he said PHP does it. Default PHP behaviour
> is to add session ids to all GET/POST data when a session is started
> and an old one hasn't been detected.
PHP won't add a tag to a form automatically. It'll append the session ID to a URL, but not add it to a form.
> PHP won't add a tag to a form automatically. It'll append the session
> ID to a URL, but not add it to a form.
From: http://uk.php.net/session
Session configuration option
url_rewriter.tags
url_rewriter.tags specifies which HTML tags are rewritten to include session id if transparent sid support is enabled. Defaults to a=href,area=href,frame=src,input=src, form=fakeentry,fieldset=
The bit in bold is the important part, bottom line PHP will add session ids to a form submission.
Before you make assertions, it doesn't hurt to look them up in the manual, especially if you're contradicting something.
> The bit in bold is the important part, bottom line PHP will add
> session ids to a form submission.
> Before you make assertions, it doesn't hurt to look them up in the manual,
> especially if you're contradicting something.
Damn, sorry. My bad. I checked in the manual before I posted and I missed that bit! Sorry.
Does anyone know if this poses a security risk...? i.e. could someone potentially 'steal' this session ID and then, if the original user subsequently logs in, use that session ID to gain access to the login area...?
Just wondering, as I have no idea what potential risks this poses or what steps could be taken to prevent any exploitation of it...
Chars.
> Does anyone know if this poses a security risk...? i.e. could someone
> potentially 'steal' this session ID and then, if the original user
> subsequently logs in, use that session ID to gain access to the login
> area...?
Yes, it is a security risk. How much of one it is, is open to debate.
Easiest option is to just force PHP to maintain session data via cookies only. You can use ini_set to turn session.use_only_cookies on I think.
Even so, that isn't 100% foolproof. There are other ways to obtain the session id, and there's nothing to stop people spoofing cookies either.
A better option is to a) make sure your session data contains nothing important, i.e. passwords, and b) provide additional levels of authentication so a session id is essentially not enough to identify a user.
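The settings the last reply recommends, put together as an added example (not code from anyone in the thread): transparent sid rewriting is switched off, ids are only accepted from cookies, and the id is regenerated at login so a previously exposed id is no use. The cookie_secure line assumes the site is served over HTTPS.

```php
<?php
// Added example, not from the thread: harden session handling so that a
// session id exposed through URL/form rewriting is not enough on its own.

// The defaults under discussion, which leak the id into links and forms
// and accept it back from GET/POST:
//   session.use_trans_sid    = 1
//   session.use_only_cookies = 0

// Corrected settings, applied before session_start(). If your PHP version
// refuses any of these via ini_set(), put the same values in php.ini.
ini_set('session.use_only_cookies', '1');  // ignore ids arriving in GET/POST
ini_set('session.use_trans_sid', '0');     // stop rewriting URLs and forms
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts
ini_set('session.cookie_secure', '1');     // assumes HTTPS; drop on plain HTTP

session_start();

// Point (b) of the last reply, done at the moment privilege changes:
// issue a fresh id and destroy the old one, so an id captured before
// login does not become a logged-in session.
function login_user(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['logged_in_at'] = time();
    // Point (a): store only what identifies the user, never the password.
}

// Call login_user($id) only after the credentials have been verified
// against your own user store (hypothetical $id from that check).
```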