
PHPSESSID Security Problem?


jajtiii


Greetings,

I was looking through the logs on one of my apps and found where some hacker was trying the following:

/index.php?PHPSESSID=[some foreign web address, like http://goodgirls.com]

It appears that the PHP engine is not accepting this, saying that there are 'invalid characters in the session id', but I want to make sure that there is not some security loophole that I am not aware of.

He cannot get my server to execute something on his server through the PHPSESSID, can he (or she)?

Many thanks,

jones

 

https://forums.phpfreaks.com/topic/89909-phpsessid-security-problem/

If the attacker can obtain a valid and active session ID to your server belonging to someone else, they can assume that user's identity and then perform any tasks which that user is allowed to perform. Simply replacing or adding data to the session ID value (unless it's a different valid session ID!) in a GET clause (as this is what it looks like) is not something to worry about. It's actually less likely to be a "hacker" and more likely to be a spam bot or spider.
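One way to triage such log entries along the distinction drawn in the reply above, as an added example that is not part of the original thread: it separates URL-supplied PHPSESSID values that PHP would reject from well-formed ones that deserve a closer look. The access-log format, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters PHP accepts in a session ID (a-z, A-Z, 0-9, ',' and '-');
# the 256-character length cap used here is an assumption.
VALID_SID = re.compile(r"[A-Za-z0-9,-]{1,256}")
# Request portion of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_sid(value):
    """Label a PHPSESSID value taken from a URL."""
    if VALID_SID.fullmatch(value):
        # Well-formed: may be a real or a chosen ID, so it is worth reviewing.
        return "well-formed"
    if re.match(r"(?i)^(https?|ftp)://", value):
        # A URL as the value, like the request quoted in the question.
        return "url-value"
    return "malformed"

def triage(log_lines, param="PHPSESSID"):
    """Return (client_ip, label, value) for each request carrying the parameter."""
    findings = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            findings.append((line.split(" ", 1)[0], classify_sid(value), value))
    return findings

# Constructed sample lines (documentation IP ranges, made-up IDs).
SAMPLE = [
    '203.0.113.7 - - [05/Feb/2008:10:01:02 +0000] "GET /index.php?PHPSESSID=http://example.test/x.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Feb/2008:10:01:03 +0000] "GET /index.php?PHPSESSID=http%3A%2F%2Fexample.test%2Fx.txt%3F HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Feb/2008:10:05:00 +0000] "GET /index.php?PHPSESSID=9f2c1ab47de05c3381aa6b0e4d7f1c22 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [05/Feb/2008:10:06:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2048',
    '192.0.2.15 - - [05/Feb/2008:10:07:00 +0000] "GET /index.php?PHPSESSID=<b>x</b> HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, label, value in triage(SAMPLE):
        print(f"{ip:15} {label:12} {value}")
```

Setting `session.use_only_cookies` to 1 makes PHP ignore session IDs passed in the URL altogether.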

Archived

This topic is now archived and is closed to further replies.
