Skip to main content

Session hijacking

One of the problems with sessions is that, by default, they rely on the use of a cookie to work properly. When a session is started, it sends a cookie that resides in the user's Web browser. Every subsequent page that calls session_start() makes use of the cookie, which contains the session name and ID, to know to use an existing session and not to create a new one. The problem is that users may have cookies turned off in their Web browser or may not accept the cookie because they do not understand its purpose. If this is the case, PHP will create a new session for each page and none of the registered variables will be accessible.

You can use sessions without cookies by passing along the session name and ID from page to page. This is simple to do, but if you forget to pass the session in only one instance, the entire process is shot.

To pass the session name from page to page, you can use the SID constant, which stands for session ID and has a value like session_name=session_ID. If this value is appended to every URL within the site, the session will still work even if the user did not accept the cookie.
After the redirection (header()) line to be

header("Location: http://" . $_SERVER['HTTP_POST] . dirname($_SERVER['PHP_SELF']) ."loggedin.php?" .SID);

The addition of ? and SID to the redirect will add ?session_name=session_ID to the URL, effectively passing the session ID to the loggedin.php script.

If you copy the URL from the browser and paste it into another browser. You can still log in the Web site. This is called session hijacking and one of the reason to rely upon cookies whenever possible.

(PHP and MySQL for Dynamic Web Sites, Visual Quickpro Guide (2003, Larry Ullman, Peachpit Press))
PHP 6 and MySQL 5 for Dynamic Web Sites: Visual QuickPro Guide
PHP for the World Wide Web, Third Edition

Comments

Popular posts from this blog

How to Input Phonetic Symbols (IPA) in Google Docs

You can insert special characters by clicking "Insert" on the menu, then click the "Ω Special Characters", the choose "Latin" category from the drop-down menu, and then Phonetics (IPA) sub-category. Insert Special Characters in Google Docs There is a short-cut for inputting some IPA symbols which you use them frequently. Automatic Substitution in Google Docs similar to Auto Correct in MS Word. You can replace common acronyms, misspellings and other symbols. So you can set auto-replace for your IPA symbols, for example, "e<" for "ɛ", "o/" for "ø", "o>" for "ɔ" etc. Automatic Substitutions in Google Docs

Virgin Media Netgear Wireless Router Username and Password

As Virgin Media customer, if you find your wireless router is Netgear, then you may type the router's setup URL into a web browser address bar. http://192.168.0.1 is the default Netgear router IP address. http://192.168.1.1 will work for some Netgear models. Mine setup URL is http://192.168.1.1 . Then you are required to enter a username and password. If you haven't change the default setting, it is "virgin" and "password", you may find that on a label stuck on the router. This default username and password of Virgin Wireless router is different from that of the normal Netgear router. The default username of Netgear is admin and the password is either password or 1234. Then you open the configure interface, change the settings, such as change your DNS server to OpenDNS . For a normal Netgear router, if you forget the username and password, you can reset and restore the NETGEAR device to factory default settings. But I couldn't find any button on

URL cannot contain a Google host

Google just opened up Knol to the public. Knol is also serving up AdSense advertising on the site. Authors on Knol can enter their AdSense data into Knol, and will get the regular AdSense payout for every click on an ad. This seems like a smart way to reward users who write the best (or most popular) content, while still making money for Google, because the cut Google already takes from the advertising through AdSense anyway. Currently, I don't know how may we track ads performance on knol, I tried to add an URL channel, and got error message: "http://knol.google.com/k/-/k3-searching-tv-programs-using-teletext/2p3t2lhf3x6sj/6#" at line 1 invalid: URL cannot contain a Google host. Has anybody any idea of how to do it?