On Tue, Nov 08, 2005 at 11:32:33PM -0500, Ben Ramsey wrote:
> On 11/8/05 10:27 PM, Tony Di Croce wrote:
> >
> > The sites are both physically located on the same machine.
> >
> > What if I encrypt the session_id, and put it in a "hidden" text input
> > box in a form, that is delivered via POST to the other site. This way,
> > the session id is passed, but it is encrypted?
>
> To me, it's not a question of whether the sites are physically located
> on the same machine, and it's not a question of encrypting the session
> id. Anyone who even knows the encrypted session id could then POST it to
> the form in a replay attack, authenticating themselves as the intended
> user. Also, hidden form fields aren't really "hidden."
>
> For me, it's a question of practice. I would not attempt to share a
> session across two different domains. Even large sites (such as Yahoo)
> don't seem to do this.
>
> Yahoo appears to maintain sessions across its subdomains, and, for this
> reason, all Yahoo images are served from a completely separate domain
> (yimg.com). None of the images served from yimg.com contain the cookie
> headers associated with yahoo.com (and, thus, they are not associated
> with any user sessions). There are two reasons (I know of) for doing
> this: 1) bandwidth (less data passing across the HTTP headers), and 2)
> it prevents CSRF attacks on Yahoo user accounts that could occur by
> attackers serving images from a yahoo.com domain on other sites.

3) less headaches for the programmers for yimg.com

Curt.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
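An added illustration of Ben's replay point, not code from the thread or from any of its participants: a signed (or encrypted) session id in a hidden field is accepted from whoever submits it, as many times as they like, whereas a hand-off token that carries a nonce and expiry and is consumed on first use at least closes the replay window. The shared key, TTL and token format are constructed for this model; a receiving site would keep the `used` set in shared storage.

```python
import base64, hashlib, hmac, json, os, time

# Constructed shared key for illustration; both sites would hold this out of band.
KEY = b"constructed-shared-secret-for-illustration"
TTL = 30  # seconds a hand-off token stays valid (assumed value)

def _sign(payload: bytes) -> str:
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def _pack(obj: dict) -> str:
    # body.signature, so the receiving site can reject anything tampered with
    body = base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    return body + "." + _sign(body.encode())

def _unpack(token: str):
    body, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

# --- The approach from the thread: the session id, protected, in a hidden field ---
def naive_token(session_id: str) -> str:
    return _pack({"sid": session_id})

def naive_accept(token: str):
    data = _unpack(token)
    # Valid signature is all that is checked: any holder of the token "is" the user,
    # and the same token keeps working however often it is POSTed.
    return data["sid"] if data else None

# --- Same hand-off with replay defences: random nonce, expiry, single use ---
def handoff_token(session_id: str, now=None) -> str:
    now = time.time() if now is None else now
    return _pack({"sid": session_id, "nonce": os.urandom(16).hex(), "exp": now + TTL})

def handoff_accept(token: str, used: set, now=None):
    now = time.time() if now is None else now
    data = _unpack(token)
    if not data or now > data["exp"] or data["nonce"] in used:
        return None          # tampered, expired, or already consumed
    used.add(data["nonce"])  # consume it: a second POST of this token is refused
    return data["sid"]
```

Even the hardened form only narrows the window; a token captured and used before its owner still authenticates the captor, which is why the advice in the thread is to not share the session across domains at all.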