jajtiii Posted February 7, 2008

Greetings,

I was looking through the logs on one of my apps and found where some hacker was trying the following:

/index.php?PHPSESSID=[some foreign web address, like http://goodgirls.com]

It appears that the PHP engine is not accepting this, saying that there are 'invalid characters in the session id', but I want to make sure that there is not some security loophole that I am not aware of.

He cannot get my server to execute something on his server through the PHPSESSID, can he (or she)?

many thanks,
jones

Cep Posted February 7, 2008

If the attacker can obtain a valid and active session ID to your server belonging to someone else, they can assume that user's identity and then perform any tasks which that user is allowed to perform.

Simply replacing or adding data to the session ID value (unless it's a different valid session ID!) in a GET clause (as this is what it looks like) is not something to worry about.

It's actually less likely to be a "hacker" and more likely to be a spam bot or spider.

jajtiii Posted February 7, 2008

Thanks.

That's a relief.
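
Added example, not part of the original thread: a log triage script for the requests discussed above. It separates PHPSESSID values in the query string that PHP rejects (such as a URL) from well-formed ids passed in the URL, the case Cep's reply singles out. The log lines, addresses and function names are constructed for illustration; the accepted character set follows PHP's illegal-characters warning for session ids.

```python
import re
from urllib.parse import parse_qsl

# Characters PHP accepts in a session id: a-z, A-Z, 0-9, ',' and '-'.
VALID_SID = re.compile(r"^[A-Za-z0-9,-]+$")
# Request line inside a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(line, param="PHPSESSID"):
    """Return (verdict, value) for one access-log line, or None when the
    request carries no session id in its query string."""
    m = REQUEST.search(line)
    if not m:
        return None
    query = m.group(1).partition("?")[2]
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key != param:
            continue
        if VALID_SID.match(value):
            # Well-formed id in a URL: only matters if it is a live
            # session that belongs to someone else.
            return ("wellformed-in-url", value)
        # URLs, slashes, colons, empty values: PHP refuses these.
        return ("malformed", value)
    return None

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Feb/2008:10:01:02 +0000] "GET /index.php?PHPSESSID=http://example.invalid/x.txt HTTP/1.1" 200 512
192.0.2.10 - - [07/Feb/2008:10:01:03 +0000] "GET /index.php?page=2&PHPSESSID=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 512
198.51.100.7 - - [07/Feb/2008:10:05:00 +0000] "GET /index.php?PHPSESSID=8f2c1d0a9b7e4f6a8c3d5e1f0a2b4c6d HTTP/1.1" 200 2048
198.51.100.9 - - [07/Feb/2008:10:06:00 +0000] "GET /index.php?page=3 HTTP/1.1" 200 2048
"""

def triage(log_text):
    """Group flagged requests: verdict -> list of (client_ip, value)."""
    report = {"malformed": [], "wellformed-in-url": []}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            report[hit[0]].append((line.split(" ", 1)[0], hit[1]))
    return report

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_LOG).items():
        for ip, value in hits:
            print(f"{verdict:18} {ip:15} {value}")
```

Entries under "malformed" are the kind of request seen in the logs above; entries under "wellformed-in-url" are the ones to compare against active sessions.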