Transferring sessions across domains
#8

[eluser]simshaun[/eluser]
The problem with that is all it would take to spoof "logging in" to someone else's account is to know their secret key. The secret key is not "invisible" to the user if they want to see it. Because it's not invisible to them, it's also not invisible to someone that's got access to his or her computer.

For example,
I gain access to a person's computer and sit there with a tool that catches all HTTP headers.
Person goes to the website and logs in, which forwards them somewhere else with their secret key in the URL.
Presto, that URL pops up in the HTTP headers and I now have the secret key.
I copy/paste the URL into my browser and I'm now logged in.

That's also the problem with having the session_id in the URL: session hijacking. That's why you should regenerate session IDs.


Read All of This: http://phpsec.org/projects/guide/
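An added example of the mitigation the post points at (my code, not from the thread, CodeIgniter or the phpsec guide): plain PHP sessions configured to ignore identifiers carried in the URL and rotated at login. `credentials_valid`, the user name and the stored hash are constructed placeholders.

```php
<?php
// Keep the session identifier out of the URL entirely: cookies only, no
// transparent URL rewriting, and reject ids the server never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,   // not readable by page script
    'secure'   => true,   // sent over HTTPS only
    'samesite' => 'Lax',
]);

// A request that still carries the session name in the query string is the
// exact situation the post describes (id visible in headers/logs); refuse it.
if (isset($_GET[session_name()])) {
    http_response_code(400);
    exit('session identifiers are not accepted in the URL');
}

session_start();

// Hypothetical credential check with a constructed user record.
function credentials_valid(string $user, string $password): bool
{
    $stored = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($password, $stored[$user]);
}

function login(string $user, string $password): bool
{
    if (!credentials_valid($user, $password)) {
        return false;
    }
    // Rotate the id and delete the old session file: an identifier captured
    // before login (URL, proxy log, shoulder-surfed header) no longer maps
    // to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['logged_in'] = true;
    return true;
}

if (login($_POST['user'] ?? '', $_POST['password'] ?? '')) {
    header('Location: /dashboard');   // no key or id appended to the URL
    exit;
}
http_response_code(401);
```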

