5 messages in com.googlegroups.professional-php

Messages in this thread (From, Sent On):
- Mathieu Maes, Nov 26, 2008 10:28 am
- E. Fransiscus, Nov 27, 2008 8:49 am
- Robert Gonzalez, Nov 27, 2008 9:06 am
- Edgar da Silva (Fly2k), Nov 27, 2008 9:13 am
- Robert Gonzalez, Nov 27, 2008 9:16 am
Subject: [Pro. PHP Dev.] Re: Webapplication session security
From: Robert Gonzalez
Date: Nov 27, 2008 9:16:33 am

No, especially if you forget to send the cookie as a secure cookie, which is a massive security hole that many developers forget about. HTTPS is meant for encrypting data to and from the server. Session data is just that, data. If you hijack a session you then become the user that the session should belong to. That means that you can see the things that only they should see and do the things that only they should do. You can still do that under HTTPS and still be hijacking someone's stuff.

On Thu, Nov 27, 2008 at 9:13 AM, Edgar da Silva (Fly2k) <> wrote:

Running your application under https isn't enough to protect the cookie contents?

2008/11/27 Robert Gonzalez <>:

Yes, mostly. Session data is stored in serialized fashion in a plain text file on the server. The access to that file is granted based on session id, which is set as a cookie on the client machine. The client needs to, in effect, tell the server which session to use, which is how sessions can become insecure.

On Thu, Nov 27, 2008 at 8:49 AM, E. Fransiscus <> wrote:

Doesn't the session work on the server side?

----- Learn PHP, paste code, find out about job openings:

-- Robert A. Gonzalez
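A PHP illustration of the secure-cookie point made in the message above: the default session start beside a hardened one. This is an added example, not code from any participant in the thread; it assumes PHP 7.3 or later (array form of session_set_cookie_params) and a site served only over HTTPS.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.3 and an HTTPS-only site.
declare(strict_types=1);

// Weak configuration: relies on php.ini defaults (secure=0, httponly=0), so the
// session id cookie is also sent over plain HTTP where it can be read in transit.
function startSessionInsecure(): void
{
    session_start();
}

// Hardened configuration: the session id cookie carries Secure, HttpOnly and
// SameSite, so browsers never send it over http:// and scripts cannot read it.
function startSessionSecure(): void
{
    // A Secure cookie set on a plain-HTTP response is dropped by the browser,
    // so refuse to start a session unless the request arrived over TLS.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(400);
        exit('This application must be accessed over HTTPS.');
    }

    session_set_cookie_params([
        'lifetime' => 0,        // expires when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not exposed to document.cookie
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);

    // Only accept session ids that the server itself generated ...
    ini_set('session.use_strict_mode', '1');
    // ... and only read them from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_start();
}

// After authentication, replace the id so that an id observed before login
// cannot be reused as the authenticated session.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true); // true: remove the old server-side session file
    $_SESSION['user_id'] = $userId;
}
```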

This group is managed and maintained by the development staff at 360 PSG, an enterprise application development company utilizing open-source technologies for today's small-to-medium size businesses.

For information or project assistance please visit :

You received this message because you are subscribed to the Google Groups "Professional PHP Developers" group. To post to this group, send email to To unsubscribe from this group, send email to For more options, visit this group at