session_ stored variables

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
korkakak
Posts: 2
Joined: Tue Jul 11, 2006 11:47 am

session_ stored variables

Post by korkakak »

I still believe that having session IDs in a viewable position for others may lead to information disclosure.

Shouldn't there be a thought in using session stored variables instead of plain SID's?

In my forum (2.x based) I have added some code in order to implement this feature and I am using functions like session_start etc. to register some sensitive variables. Of course session settings have some other problems (e.g. a server's local user and the admin may view the session stored variables).

I wonder if there is a reason for storing SID in that way.

Nikos

Cap'n Refsmmat
Registered User
Posts: 219
Joined: Tue Jan 25, 2005 11:31 pm

Re: session_ stored variables

Post by Cap'n Refsmmat »

Session IDs are only viewable if the client doesn't support cookies (the sid part of the URL is only used before the forum can determine if they do support cookies).

korkakak
Posts: 2
Joined: Tue Jul 11, 2006 11:47 am

Re: session_ stored variables

Post by korkakak »

I think that this is not exactly accurate with the massive usage of append_sid function over almost every url (urls that don't have the sid are just a pain in the a$$ inside the system)

Cap'n Refsmmat
Registered User
Posts: 219
Joined: Tue Jan 25, 2005 11:31 pm

Re: session_ stored variables

Post by Cap'n Refsmmat »

korkakak wrote: I think that this is not exactly accurate with the massive usage of append_sid function over almost every url (urls that don't have the sid are just a pain in the a$$ inside the system)

append_sid() doesn't append anything if it doesn't need to.
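The behaviour described in the two replies above, as an added illustration that is not phpBB's own code: sensitive values stay server-side in the session store, and an append_sid-style helper only puts the sid into a URL while the client has not yet returned the session cookie. The cookie name, the function names and the request data are assumptions made for this example.

```php
<?php
// Added example, not phpBB code. Models the thread's point: the sid is only
// appended to links until the forum has seen the session cookie come back.

// Hypothetical helper: did the client return the session cookie?
function client_sent_session_cookie(array $cookies, string $cookie_name): bool
{
    return isset($cookies[$cookie_name]) && $cookies[$cookie_name] !== '';
}

// Hypothetical append_sid-style helper. Once the cookie is confirmed the URL
// is returned untouched, so the id stops appearing in links, Referer headers
// and server logs; before that the sid rides on the URL as a fallback.
function append_sid_if_needed(string $url, string $sid, bool $cookie_confirmed): string
{
    if ($cookie_confirmed) {
        return $url;
    }
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'sid=' . rawurlencode($sid);
}

// Sensitive data is kept server-side; only the opaque id ever leaves the server.
function store_sensitive_in_session(array &$session, string $key, $value): void
{
    $session[$key] = $value;   // stands in for $_SESSION after session_start()
}

// Constructed demonstration data.
$cookie_name = 'phpbb3_sid';            // assumed cookie name
$sid = bin2hex(random_bytes(16));       // opaque, unguessable 128-bit id

$session = [];
store_sensitive_in_session($session, 'user_id', 42);

// First request: no cookie yet, so the link carries the sid.
$first_request_cookies = [];
$confirmed = client_sent_session_cookie($first_request_cookies, $cookie_name);
echo append_sid_if_needed('viewtopic.php?t=1', $sid, $confirmed), "\n";

// Later request: the browser returned the cookie, so the link stays clean.
$later_request_cookies = [$cookie_name => $sid];
$confirmed = client_sent_session_cookie($later_request_cookies, $cookie_name);
echo append_sid_if_needed('viewtopic.php?t=1', $sid, $confirmed), "\n";
```

The second printed URL has no sid parameter, which is the "doesn't append anything if it doesn't need to" behaviour; user_id never leaves the server in either case.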
