RE: [PHP] Using cookies

#1, 10-22-2003, Chris W. Parker: RE: [PHP] Using cookies

John W. Holmes <mailto:holmes072000@charter.net>
on Tuesday, October 21, 2003 5:30 PM said:

> Not a good method. If I get on your site and see my cookie has the
> value 241757219 in it, I just need to subtract one from the number
> and revisit your site. Now I'm the user who registered before me.
> Using the rand() or uniqid() method above means I have to guess an
> entire random number / character sequence, which is going to be
> harder (or nearly impossible).


But that would require that you register immediately after the person
before you. Then you could compare the two numbers and figure out what
the base number is, but that seems REALLY unlikely.

Can you explain it a little differently, maybe?



Chris.

--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/
#2, 10-22-2003, Jason Wong: Re: [PHP] Using cookies

On Wednesday 22 October 2003 08:47, Chris W. Parker wrote:

> on Tuesday, October 21, 2003 5:30 PM said:
> > Not a good method. If I get on your site and see my cookie has the
> > value 241757219 in it, I just need to subtract one from the number
> > and revisit your site. Now I'm the user who registered before me.
> > Using the rand() or uniqid() method above means I have to guess an
> > entire random number / character sequence, which is going to be
> > harder (or nearly impossible).
>
> But that would require that you register immediately after the person
> before you. Then you could compare the two numbers and figure out what
> the base number is, but that seems REALLY unlikely.


If I understand the original proposition correctly, it doesn't really matter.
You just make up some 'random' ids around the range of your own and you'll
get to login as someone else.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
Mason's First Law of Synergism:
The one day you'd sell your soul for something, souls are a glut.
*/
#3, 10-22-2003, Chris Shiflett: RE: [PHP] Using cookies

--- "Chris W. Parker" <cparker@swatgear.com> wrote:
> > Not a good method. If I get on your site and see my cookie has the
> > value 241757219 in it, I just need to subtract one from the number
> > and revisit your site. Now I'm the user who registered before me.
> > Using the rand() or uniqid() method above means I have to guess an
> > entire random number / character sequence, which is going to be
> > harder (or nearly impossible).
>
> But that would require that you register immediately after the person
> before you. Then you could compare the two numbers and figure out what
> the base number is, but that seems REALLY unlikely.
>
> Can you explain it a little differently, maybe?


Well, never underestimate the persistence of the bad guys. They will try for
hours and hours to guess a session ID, and if yours are sequential, they're
much easier to guess than if they are random. This actually follows along the
"no security through obscurity" rule.

In addition to this, there are many other ways session IDs can be disclosed to
the bad guy. So, eliminate the chances of a guess, but don't just stop there.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
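Added example, not code from the thread or from any of the posters, putting the advice in replies #2 and #3 into working form: the cookie carries an unpredictable token rather than a counter-derived value, the token-to-user mapping lives server side, lookups use a constant-time comparison, tokens expire and are rotated after login, and the cookie is sent with flags that close some of the other disclosure paths Chris Shiflett alludes to. The class and function names (`SessionStore`, `send_session_cookie`) and the one-hour lifetime are assumptions; `random_bytes()` (PHP 7+), `hash_equals()` and the array form of `setcookie()` (PHP 7.3+) are real PHP functions.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the thread). Before, the scheme the replies
 * criticise, which lets anyone holding one cookie value derive its neighbours:
 *
 *     setcookie('id', (string) $registrationNumber);
 *
 * After: the browser only ever holds a 128-bit random token, and the server
 * keeps the mapping from token to user.
 */
final class SessionStore   // name is an assumption for this example
{
    /** @var array<string,array{user:int,created:int}> */
    private array $sessions = [];

    // random_bytes() reads the OS CSPRNG and throws if none is available;
    // do not fall back to rand() or uniqid(), both of which are predictable.
    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(16));   // 32 hex chars, 2^128 possibilities
        $this->sessions[$token] = ['user' => $userId, 'created' => $now];
        return $token;
    }

    // Constant-time comparison plus a fixed lifetime (assumed: one hour) limit
    // what a leaked or guessed token is worth.
    public function resolve(string $presented, int $now, int $maxAge = 3600): ?int
    {
        foreach ($this->sessions as $token => $meta) {
            if (hash_equals($token, $presented)) {
                if ($now - $meta['created'] > $maxAge) {
                    unset($this->sessions[$token]);   // expired: drop it
                    return null;
                }
                return $meta['user'];
            }
        }
        return null;   // unknown token: treat as not logged in
    }

    // Rotate on privilege change (e.g. right after login) so that a token
    // observed before authentication never becomes an authenticated one.
    public function rotate(string $old, int $now): ?string
    {
        $user = $this->resolve($old, $now);
        if ($user === null) {
            return null;
        }
        unset($this->sessions[$old]);
        return $this->issue($user, $now);
    }
}

// HttpOnly keeps the token away from page scripts, Secure keeps it off
// cleartext HTTP, SameSite=Strict keeps it off cross-site requests.
function send_session_cookie(string $token): void
{
    setcookie('sid', $token, [
        'expires'  => 0,        // session cookie; server-side lifetime governs
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Self-check runnable from the CLI: php example.php
if (PHP_SAPI === 'cli') {
    $store = new SessionStore();
    $now   = time();
    $t1 = $store->issue(42, $now);
    assert(strlen($t1) === 32 && ctype_xdigit($t1));
    assert($store->resolve($t1, $now) === 42);
    assert($store->resolve('241757219', $now) === null);      // counter-style value: no match
    assert($store->resolve($t1, $now + 7200) === null);       // expired after lifetime
    $t2 = $store->issue(42, $now);
    $t3 = $store->rotate($t2, $now);
    assert($t3 !== null && $store->resolve($t2, $now) === null && $store->resolve($t3, $now) === 42);
    echo "ok\n";
}
```

The point of the `resolve()` loop is that the server, not the cookie, decides who the user is: a guessed value has to match one of 2^128 tokens exactly, and even a correct one stops working once it expires or is rotated.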