Re: Multi sessions - IE

Usually my systems are template and OOP based, so if you change the main
function that handles the links...
btw I don't know if you thought about this, but in order to deny any kind of
session fixation and X/CSRF (cross site forgeries) you had better write down
some $_GET forwarded token system ;)

CSRF - a situation where 2 tabs / IE windows are open, and for instance, one
of them is a shopping guide blog, and the other one is a shopping website.
In case the addition of items to the shopping cart is validated by
session, you can just call (with an iframe or something like that) from the blog
website to the adding form and submit the request; the item will be added
because of the active session in the other tab ;) the solution for this is
using tokens (ask and I'll explain).

On 04/04/2008, Thiago Pojda <thiago.pojda@xxxxxxxxxxxxxxxxxx> wrote:
>
> -----Mensagem original-----
> De: Nitsan Bin-Nun [mailto:nitsanbn@xxxxxxxxx]
>
> <snip>
> The session.use_trans_sid setting automatically adds
>
> > sid=**(32-chars-sess-id)**
> >
> to the URLs of the website,
> it should solve your problem
>
> </snip>
> ME -> I added "session.use_trans_sid = 1" to the beginning of my php.ini
> file and I don't see that sid parameter in any $_GET value.
>
> ME -> Nothing has changed, nothing. :/
>
> ME -> Will I have to use url_rewrite()? Is that what Daniel was talking
> about?
>
> try to use it if you have access to php.ini; otherwise, my suggestion is
> to forward a compiled (coded or something like
> that) <SNIP> you should
> forward a compiled string that contains some crap like an md5
> of the user and pass with some salt and check the string at
> each page (it can get hijacked quickly but this is out of discussion).
>
> ME -> That sounds good, but too much effort to rebuild all hrefs. The
> system
> is quite big for that.
>
>
> sorry for going out of the topic
>
> I wrote that without any attention so I'm sorry for anything
> that will mislead you in the wrong direction, hope it helps,
>
> Nitsan
>
> ME-> That was not OT, and quite good to know :)
>
>
> Thanks,
> Thiago
>
> {As of now, I'm only going to top post :)}
>
> On 04/04/2008, Thiago Pojda <thiago.pojda@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > De: Daniel Brown [mailto:parasane@xxxxxxxxx]
> >    Probably because of the fear of session hijacking and spoofing.
> > The thing is, a handwritten cookie is just as effective for that, by
> > changing the PHPSESSID (or equivalent).  In any case, a 32-byte
> > hexadecimal hash should be sufficient security for most sessions.
> >
> > </Daniel P. Brown>
> >
> >
> > Yes, that's what they say.
> >
> > But anyway, adding that setting did not change a thing and I still
> > can't see my sessid anywhere in my code.
> >
> > What will happen if I do it manually? Add the sessionid in a hidden
> > input field in every form (I don't feel like doing it, but if I have
> > to...) will do it?
> >
> > Sorry to be asking too much, but I can't seem to be able to test it
> > and the docs are very poor for this.
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/) To unsubscribe, visit:
> > http://www.php.net/unsub.php
> >
> >
>
>
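
As an added example (not code from any poster in this thread), here is the token scheme Nitsan describes, in the hidden-form-field form Thiago asks about, together with the usual defence against the session fixation he mentions. It assumes PHP 7 or later (random_bytes, hash_equals) and uses a random per-session token rather than the salted md5 of user and password suggested above; the function names csrf_token, csrf_field, csrf_valid and on_login_success are illustrative, not a library API.

```php
<?php
// Added example, not from the original thread. Names below are illustrative.
declare(strict_types=1);

session_start();

// One unpredictable token per session, reused by every form in that session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex chars; a blog page in another tab
        // cannot know this value, so it cannot forge a valid request.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to drop into every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_valid(array $request): bool
{
    $submitted = $request['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Against session fixation: replace the session id once the user authenticates,
// so an id planted before login (e.g. via a sid= URL parameter) stops working.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);     // true = discard the old session data
    $_SESSION['user_id'] = $userId;
    unset($_SESSION['csrf_token']);  // new session, new token
}

// Handler for the "add to cart" form from the example in the thread.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    $_SESSION['cart'][] = (int)($_POST['item_id'] ?? 0);
    // Redirect after POST so a refresh does not resubmit the form.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}
?>
<form method="post" action="">
    <?= csrf_field() ?>
    <input type="hidden" name="item_id" value="42">
    <button type="submit">Add to cart</button>
</form>
```

Because the token lives in $_SESSION and is only ever emitted into the site's own pages, a page in another tab can still submit the form but cannot supply the matching value, so the request is rejected before it touches the cart. Calling csrf_field() in a shared form template avoids editing every href the way the thread worries about.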
