On Sat, Oct 3, 2009 at 11:35 PM, Dave Maharaj :: WidePixels.com <dave@widepixels.com> wrote:
Right on.In my app nothing is passed in the url all my non-private areas are like /manage/profile or /manage/account as everything related to the user is obtained by auth ID of the logged in user and getting the info based on that.So i was just wondering if someone did get the session, how would they do it and ways to prevent it.ThanksDave
From: Bert Van den Brande [mailto:cyruzb@gmail.com]
Sent: October-03-09 6:40 PM
To: cake-php@googlegroups.com
Subject: Re: Session / SecurityI'm no expert on the subject, but I think session can be hijacked by :
* 'stealing' a sessions id from the url. This is only possible if the user browser doesn't use cookies so the session id is visible in the url
* stealing a session cookie
In either cases, logging the user's ip would increase security imho.
I'm interested in other opinions :)
On Sat, Oct 3, 2009 at 10:08 PM, Dave Maharaj :: WidePixels.com <dave@widepixels.com> wrote:
Not quite sure how this works but how does one steal a session?I have my session info stored in the database... if i added ip to the session so it also checks that the session ip matches the user ip would that increase the session sucurity? What a safe guards / good practsise to secure session data?ThanksDave
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
No comments:
Post a Comment