Maybe unexpected is that you can get this id not only by sniffing traffic but also with XSS by reading out the cookie and loading an image from another server. More surprisingly you can can even force a user to use a session id you already know by sending him a link with a id. The server recognise the id and keep using it. To prevent this just generate a new id during login using session_regenerate_id().
Like it? Share it!
Keine Kommentare:
Kommentar veröffentlichen