rarebit Posted September 12, 2008
Is it overkill to issue a new session id when a user logs in, as in to avoid 'session fixation' attacks?
rarebit Posted September 16, 2008 (Author)
Sort of diverting here, but I've just finished a new RSS module and I'm wondering about the hack potential. Say I run a site and can see and control the feeds requested, is it not feasible to spike the feed temporarily, similar to XSS... therefore should I be going back and covering all bases?
redarrow Posted September 16, 2008
rarebit, wouldn't it be better and safer to use sessions in a database? Don't think it's even possible to stop fixation attacks.
rarebit Posted September 16, 2008 (Author)
You stop it by changing (and nullifying) session IDs at log in and out. But it's such a hard attack to achieve, I'm wondering if it's worth implementing (well, back-tracking over numerous sites); also I was annoyed by the way I'd have to change logging. Because if I change the session ID when logging in and out, I'd still like to be able to track the 'whole' session as one user. I can only think of either adding a changed_to variable to the existing log table, or adding another table entirely.
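One way to do what rarebit describes, as an added example that is not code from the thread or any poster: regenerate the session id at login and destroy it at logout, and record each old/new id pair in a hypothetical session_log table so the whole visit can still be tied together in the logs. It assumes a PDO handle $pdo and that session_start() is called as shown, before any output.

```php
<?php
// Added example, not from the thread: rotate the session id at login/logout
// and keep an old->new link so the logs still follow one visit.
// Assumes a PDO connection $pdo and a hypothetical table
// session_log(old_session_id, new_session_id, user_id, event, changed_at),
// where new_session_id is NULL when the session was simply destroyed.
declare(strict_types=1);

// Reject ids the server never issued (extra fixation defence, PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');
session_start();

function record_session_change(PDO $pdo, string $oldId, ?string $newId, ?int $userId, string $event): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO session_log (old_session_id, new_session_id, user_id, event, changed_at)
         VALUES (:old_id, :new_id, :user_id, :event, NOW())'
    );
    $stmt->execute([
        ':old_id'  => $oldId,
        ':new_id'  => $newId,
        ':user_id' => $userId,
        ':event'   => $event,
    ]);
}

// Call only after the password check has succeeded.
function login_user(PDO $pdo, int $userId): void
{
    $oldId = session_id();
    // true: delete the old session data, so a pre-set id is worthless
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'logged_in_at' => time()];
    record_session_change($pdo, $oldId, session_id(), $userId, 'login');
}

function logout_user(PDO $pdo): void
{
    $oldId  = session_id();
    $userId = $_SESSION['user_id'] ?? null;
    $_SESSION = [];
    // Expire the cookie client-side as well as destroying the server data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    record_session_change($pdo, $oldId, null, $userId, 'logout');
}
```

A self-join of session_log on old_session_id = new_session_id then chains a logged-in id back to the anonymous id it replaced, which is the "whole session as one user" view asked about above.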