Comparing revisions for StayingLoggedIn

Additions:
==Maybe a security risk if staying logged in/or while browsing==
If you don't log out, then with a simple
echo "<PRE>_REQUEST ="; print_r($_REQUEST); echo "</PRE>";
you can see the user's username and pass (md5'ed of course)
_REQUEST =Array
(
[skin] => xxxxxx.css
[PHPSESSID] => xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[wikka_user_name] => xxxxxx
[wikka_pass] => xxxxxxxxxxxxxxxxxxxxxxxxxx
)
I think this is called a session leakage; does anyone know of a solution to this?
Perhaps a solution to this would be changing the name of the session that a particular wikka installation uses.
The name could be a random number/word passed from md5; this way it's unique to each wikka installation.
Also, changing the path where the session data are stored may be helpful. (I have seen discussions on this, I think on php.net under session_name() or session_start().)
I don't really know what the implications of this bug are (maybe it's not even a bug); perhaps people can see the session data on shared hosts, and that is really what concerns me.
-GiorgosKontopoulos
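
A sketch of the mitigation proposed above (a session name unique to the installation plus a private session storage path), as an added example that is not part of the original comment or of WikkaWiki's code. The function name, `$installSecret` and `$savePath` are hypothetical, and the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Added example, not WikkaWiki code. configure_private_session(), $installSecret
// and $savePath are hypothetical names chosen for illustration.

function configure_private_session(string $installSecret, string $savePath): string
{
    // Session name unique to this installation. PHP requires an alphanumeric
    // name with at least one letter, so a fixed prefix precedes the hash.
    $name = 'wikka' . substr(hash('sha256', $installSecret . '|' . __DIR__), 0, 16);

    // Keep session files out of the host-wide default directory (often /tmp).
    // Caveat: 0700 only helps when each tenant's PHP runs under its own uid.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $savePath");
    }
    chmod($savePath, 0700);

    // All of this must happen before session_start().
    session_save_path($savePath);
    session_name($name);
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
    return $name;
}

// Constructed values: in deployment the secret is generated once at setup time
// (for example with bin2hex(random_bytes(32))) and the directory lies outside
// the web root and belongs to the site's own user.
$sessionName = configure_private_session(
    'replace-with-per-install-secret',
    sys_get_temp_dir() . '/wikka_sessions_example'
);

// After a successful login, hold the identity server-side only:
// session_regenerate_id(true); $_SESSION['user'] = $userName;
```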