Tuesday, October 13, 2009

RE: Session / Security

Thanks for the links

I am on shared hosted server and found when reading

"If the cookie's path is set to '/' (the whole domain), then any website on
the same domain (might be lots of websites) _will_ get the cookie through
HTTP headers and could possibly hijack your session."

How can this be avoided in a situation with shared hosting, or otherwise?

I have
Webroot/
public_html/
/app1
/app2

Dave
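As an added example (not from this thread and not CakePHP's own code), a plain-PHP session setup that follows the quoted advice: the session cookie is scoped to the application directory instead of '/', the session id is never accepted from the URL, the id is regenerated at login, and the session is bound to the client address as discussed below. The path `/app1` and the cookie name `APP1SESSID` are assumptions.

```php
<?php
// Added example: scope the session cookie to one app directory on a shared
// host and harden against the fixation/hijacking issues in this thread.
declare(strict_types=1);

function configure_app_session(string $appPath, bool $https): void
{
    // Never take a session id from the URL (blocks fixation via crafted links).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Cookie is only sent for URLs under $appPath, not for the whole domain.
    // HttpOnly keeps page script from reading it; Secure keeps it off plain
    // HTTP when the app is served over HTTPS.
    session_set_cookie_params(0, $appPath, '', $https, true);
    session_name('APP1SESSID');   // assumed name, distinct from PHPSESSID
    session_start();

    // Bind the session to the client address; if it no longer matches, drop
    // the session rather than trust it (users behind changing proxies will
    // simply be asked to log in again).
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (isset($_SESSION['bound_ip']) && $_SESSION['bound_ip'] !== $ip) {
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['bound_ip'] = $ip;
}

// Call after credentials are verified so a pre-login id cannot be reused.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);   // fresh id, old one deleted server-side
    $_SESSION['user_id'] = $userId;
}

configure_app_session('/app1', isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
```

Note that the cookie path only limits which URLs the browser sends the cookie to; it is not an isolation boundary between sites on the same host, so HttpOnly, Secure, and regenerating the id at login still matter.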

-----Original Message-----
From: mark_story [mailto:mark.story@gmail.com]
Sent: October-04-09 1:57 PM
To: CakePHP
Subject: Re: Session / Security


You also should read up on Session Fixation, Session hijacking, and

http://en.wikipedia.org/wiki/Session_fixation
http://en.wikipedia.org/wiki/Session_hijacking

Which kind of reference each other, but you get the idea.

-Mark

On Oct 3, 5:39 pm, Bert Van den Brande <cyr...@gmail.com> wrote:
> You might want to read this
> :http://be2.php.net/manual/en/session.security.php
>
> On Sat, Oct 3, 2009 at 11:35 PM, Dave Maharaj :: WidePixels.com <
> d...@widepixels.com> wrote:
> >  Right on.
>
> > In my app nothing is passed in the url all my non-private areas are
> > like /manage/profile or /manage/account as everything related to the
> > user is obtained by auth ID of the logged in user and getting the
> > info based on that.
>
> > So I was just wondering if someone did get the session, how would
> > they do it and ways to prevent it.
>
> > Thanks
>
> > Dave
>
> >  ------------------------------
> > *From:* Bert Van den Brande [mailto:cyr...@gmail.com]
> > *Sent:* October-03-09 6:40 PM
> > *To:* cake-php@googlegroups.com
> > *Subject:* Re: Session / Security
>
> > I'm no expert on the subject, but I think a session can be hijacked by:
> > * 'stealing' a session id from the URL. This is only possible if
> > the user's browser doesn't use cookies, so the session id is visible in
> > the URL
> > * stealing a session cookie
> >
> > In either case, logging the user's IP would increase security imho.
>
> > I'm interested in other opinions :)
>
> > On Sat, Oct 3, 2009 at 10:08 PM, Dave Maharaj :: WidePixels.com <
> > d...@widepixels.com> wrote:
>
> >>  Not quite sure how this works but how does one steal a session?
>
> >> I have my session info stored in the database... if I added the IP to
> >> the session so it also checks that the session IP matches the user's
> >> IP, would that increase the session security? What are safeguards /
> >> good practices to secure session data?
>
> >> Thanks
>
> >> Dave

