
Session hijacking

One of the problems with sessions is that, by default, they rely on the use of a cookie to work properly. When a session is started, it sends a cookie that resides in the user's Web browser. Every subsequent page that calls session_start() makes use of the cookie, which contains the session name and ID, to know to use an existing session and not to create a new one. The problem is that users may have cookies turned off in their Web browser or may not accept the cookie because they do not understand its purpose. If this is the case, PHP will create a new session for each page and none of the registered variables will be accessible.

You can use sessions without cookies by passing along the session name and ID from page to page. This is simple to do, but if you forget to pass the session in only one instance, the entire process is shot.

To pass the session name from page to page, you can use the SID constant, which stands for session ID and has a value like session_name=session_ID. If this value is appended to every URL within the site, the session will still work even if the user did not accept the cookie.
Alter the redirection (header()) line to be:

header("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/loggedin.php?" . SID);

The addition of ? and SID to the redirect will add ?session_name=session_ID to the URL, effectively passing the session ID to the loggedin.php script.

If you copy the URL from the browser and paste it into another browser, you are still logged in to the Web site, because the session ID travels in the URL rather than in a cookie. This is called session hijacking, and it is one of the reasons to rely upon cookies whenever possible.
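The cookie-only counterpart of the redirect above, as an added example that is not from the page or from Ullman's book: the session is locked to the cookie, a fresh ID is issued at login, and nothing is appended to the redirect URL. The ini directives are real PHP settings; credentials_are_valid() and the login.php/loggedin.php paths are assumptions.

```php
<?php
// Added example: hardened login redirect (cookie-only session, no SID in URL).

// Accept the session ID from the cookie only, never from the query string,
// and reject IDs the server did not issue (blocks session fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');      // never rewrite URLs/forms with ?PHPSESSID=
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');    // cookie not readable from JavaScript
ini_set('session.cookie_secure', '1');      // cookie only sent over HTTPS
ini_set('session.cookie_samesite', 'Lax');  // PHP 7.3+

session_start();

// Defence in depth: a session ID arriving in the URL is either a stale
// bookmarked link or an injection attempt; ignore it, log it, send to login.
$base = 'https://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['PHP_SELF']), '/');
if (isset($_GET[session_name()])) {
    error_log('session id received in URL from ' . $_SERVER['REMOTE_ADDR']);
    header('Location: ' . $base . '/login.php');
    exit;
}

function credentials_are_valid(string $user, string $pass): bool
{
    // Hypothetical placeholder: real code verifies a password hash from the database.
    return false;
}

if (isset($_POST['username'], $_POST['password'])
    && credentials_are_valid($_POST['username'], $_POST['password'])) {
    // Issue a fresh ID at the privilege change so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['username'];

    // No "?" . SID here: the cookie alone carries the session, so copying
    // this URL into another browser yields nothing.
    header('Location: ' . $base . '/loggedin.php');
    exit;
}
```

With session.use_only_cookies enabled, the SID constant is an empty string whenever the cookie was received, so even legacy code that appends it no longer leaks the ID.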

(PHP and MySQL for Dynamic Web Sites: Visual QuickPro Guide, Larry Ullman, Peachpit Press, 2003)