- session id not in cookie if set by GET?
- Christian Welzel
February 6, 2010, 6:53 pm
Today I tested a PHP application of my company against some
attacks (XSS, XSRF, Session Fixation, etc.), and while trying
to set a fixed session id, I noticed that PHP did not set the
session cookie if I submitted the session id by GET.
I deleted my cookies and called http://www.mysite.com/?PHPSESSID=xxx
(where xxx was a valid id from a prior call). PHP did set all other
cookies, but not the one for PHPSESSID.
So I'm wondering if that is intentional behavior and if it is
documented somewhere? Any thoughts on that?
Best regards, Christian Welzel aka Gawain@Regenbogen
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
February 8, 2010, 7:36 am
Re: session id not in cookie if set by GET?
On 06/02/10 19:53, Christian Welzel wrote:
have a look here:
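Added example, not part of either post: a small Python helper that labels the outcome of the check described in the first post (request with the session id in the URL, then look at which cookies come back). The function names, result labels and the sample responses are constructed for illustration; it only inspects response headers and body that were already captured during a test of your own application.

```python
from urllib.parse import urlsplit, parse_qs

SESSION_NAME = "PHPSESSID"  # session name used in the post


def supplied_id(url, name=SESSION_NAME):
    """Session id carried in the URL query string, or None."""
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None


def issued_ids(set_cookie_headers, name=SESSION_NAME):
    """Values the response set for the session cookie (may be empty)."""
    ids = []
    for header in set_cookie_headers:
        key, sep, value = header.split(";", 1)[0].partition("=")
        if sep and key.strip() == name:
            ids.append(value.strip())
    return ids


def classify(url, set_cookie_headers, body="", name=SESSION_NAME):
    """Label how the response treated the id that was sent in the URL."""
    sent = supplied_id(url, name)
    if sent is None:
        return "no-id-in-url"
    issued = issued_ids(set_cookie_headers, name)
    if sent in issued:
        return "url-id-issued-as-cookie"   # supplied id accepted and pinned
    if issued:
        return "fresh-id-issued"           # supplied id ignored or replaced
    if f"{name}={sent}" in body:
        return "url-id-echoed-in-links"    # id carried on through page URLs
    return "no-session-cookie"             # headers alone are inconclusive


# Constructed sample responses (Set-Cookie values and body), not real captures.
URL = "http://www.mysite.com/?PHPSESSID=xxx"
SAMPLES = {
    "as in the post": (["lang=de; path=/"], ""),
    "cookie reuses id": (["lang=de; path=/", "PHPSESSID=xxx; path=/"], ""),
    "new id": (["PHPSESSID=k3f9q2; path=/; HttpOnly"], ""),
    "rewritten links": ([], '<a href="/cart.php?PHPSESSID=xxx">cart</a>'),
}

if __name__ == "__main__":
    for label, (cookies, body) in SAMPLES.items():
        print(f"{label:18} -> {classify(URL, cookies, body)}")
```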