Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: PHP session management
From: Gavin Zuchlinski (gzuchlinskipgsit.org)
Date: Sun Oct 26 2003 - 10:46:01 CST
On Sunday 26 October 2003 09:06 am, you wrote:
> This isn't really a problem to bypass. If someones got local access,
> it's likely they will have access to some sort of webfolder, wether that
> be a virtualhost, or homedirs(www.foo.com/~username), you can easily
> access the information stored in the session with a script like this:
Just to throw this out in the air, if you would create a directory that was
readable and writeable only to apache cookies could be (semi)securely stored
there. Then using safe mode and openbasedir writing a script to find the file
names wouldnt work. All this assumes that PHP is the only scripting language
though. So what it would come down to is a cross site scripting like attack
using the what Tommy Gildseth mentioned.
Alright, now poke holes in my idea.