Skip to main content

Session hijacking

One of the problems with sessions is that, by default, they rely on the use of a cookie to work properly. When a session is started, it sends a cookie that resides in the user's Web browser. Every subsequent page that calls session_start() makes use of the cookie, which contains the session name and ID, to know to use an existing session and not to create a new one. The problem is that users may have cookies turned off in their Web browser or may not accept the cookie because they do not understand its purpose. If this is the case, PHP will create a new session for each page and none of the registered variables will be accessible.

You can use sessions without cookies by passing along the session name and ID from page to page. This is simple to do, but if you forget to pass the session in only one instance, the entire process is shot.

To pass the session name from page to page, you can use the SID constant, which stands for session ID and has a value like session_name=session_ID. If this value is appended to every URL within the site, the session will still work even if the user did not accept the cookie.
After the redirection (header()) line to be

header("Location: http://" . $_SERVER['HTTP_POST] . dirname($_SERVER['PHP_SELF']) ."loggedin.php?" .SID);

The addition of ? and SID to the redirect will add ?session_name=session_ID to the URL, effectively passing the session ID to the loggedin.php script.

If you copy the URL from the browser and paste it into another browser. You can still log in the Web site. This is called session hijacking and one of the reason to rely upon cookies whenever possible.

(PHP and MySQL for Dynamic Web Sites, Visual Quickpro Guide (2003, Larry Ullman, Peachpit Press))
PHP 6 and MySQL 5 for Dynamic Web Sites: Visual QuickPro Guide
PHP for the World Wide Web, Third Edition


Popular posts from this blog

How to Input Phonetic Symbols (IPA) in Google Docs

You can insert special characters by clicking "Insert" on the menu, then click the "Ω Special Characters", the choose "Latin" category from the drop-down menu, and then Phonetics (IPA) sub-category. Insert Special Characters in Google Docs There is a short-cut for inputting some IPA symbols which you use them frequently. Automatic Substitution in Google Docs similar to Auto Correct in MS Word. You can replace common acronyms, misspellings and other symbols. So you can set auto-replace for your IPA symbols, for example, "e<" for "ɛ", "o/" for "ø", "o>" for "ɔ" etc. Automatic Substitutions in Google Docs

Virgin Media Netgear Wireless Router Username and Password

As Virgin Media customer, if you find your wireless router is Netgear, then you may type the router's setup URL into a web browser address bar. is the default Netgear router IP address. will work for some Netgear models. Mine setup URL is . Then you are required to enter a username and password. If you haven't change the default setting, it is "virgin" and "password", you may find that on a label stuck on the router. This default username and password of Virgin Wireless router is different from that of the normal Netgear router. The default username of Netgear is admin and the password is either password or 1234. Then you open the configure interface, change the settings, such as change your DNS server to OpenDNS . For a normal Netgear router, if you forget the username and password, you can reset and restore the NETGEAR device to factory default settings. But I couldn't find any button on

How to stop Freenet?

How to stop or temporally shutdown Freenet? On Windows, you may find "stop freenet" in Freenet Tray. On Ubuntu, or other Linux system, go to your Freenet folder, run a command inside the terminal: FreenetUser@ubuntu:~/Freenet$ ls *.sh You can see command, have six options, one of them is to stop the Freenet: FreenetUser@ubuntu:~/Freenet$ ./ ? Usage: ./ { console | start | stop | restart | status | dump } FreenetUser@ubuntu:~/Freenet$ ./ stop Stopping Freenet 0.7... Waiting for Freenet 0.7 to exit... Stopping Freenet 0.7... Stopped Freenet 0.7. This is how you to stop the Freenet on Ubuntu.