Imagine that you have a key for a vault in your bank. If you have the key, you can get whatever is in the vault. A session ID works a bit like that. However, just as the key to your vault can be stolen, the session IDs of your users (including you) can be stolen or intercepted.

For the record, just because I used a vault/key analogy does not mean that you should put secret or important data of some sort in your sessions.
Earlier we talked about XSS, and I mentioned briefly that it could be used to steal people's cookies. That is the most common way cookies are stolen. The cookie in question could be PHPSESSID (or whatever you may have renamed it to). When you steal a session ID and try to use it again, it is called session fixation. So... if you can get a valid session ID and that session is used for something like authentication, then you will essentially be logged in as that user. Obviously that is not a good thing, especially not if the user is high ranking with administrative privileges.
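As an added example (not code from the original post), here is how a PHP application can make its session cookie harder to steal through XSS and harder to reuse once stolen: the cookie is marked HttpOnly and Secure, PHP is told to reject IDs it did not generate itself, and the ID is regenerated at login. The cookie name `APPSESSID` and the functions `login_user` and `session_looks_hijacked` are assumptions for illustration.

```php
<?php
// Added example: hardening the PHP session cookie against theft and reuse.
// Everything below must run before session_start().

// Only accept session IDs that PHP itself generated; an ID handed to the
// server that does not exist in the session store is discarded.
ini_set('session.use_strict_mode', '1');

// HttpOnly keeps the cookie out of document.cookie, so an XSS payload cannot
// read it; Secure keeps it off plain HTTP; SameSite limits cross-site sending.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'domain'   => '',       // assumption: host-only cookie for this site
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Renaming the cookie (as the post mentions) hides the default PHPSESSID name.
session_name('APPSESSID');  // assumption: any non-default name works
session_start();

/**
 * Hypothetical login step. After credentials are verified, issue a fresh
 * session ID so that any ID known to a third party before login is useless.
 */
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

/**
 * Hypothetical per-request check. A logged-in session that suddenly arrives
 * from a different address is worth logging and re-authenticating; expect
 * some false positives from users whose address legitimately changes.
 */
function session_looks_hijacked(): bool
{
    return isset($_SESSION['login_ip'])
        && $_SESSION['login_ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '');
}
```

These settings do not stop a session ID from being captured by other means, so keep session lifetimes short and log the user out server-side with `session_destroy()` when the session ends.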