
session in URL


birbal


I want to work with the URL instead of a cookie for passing the session. I thought of something like embedding the ID in the URL, catching it on every page and calling session_id($idhere).
1) I want to know the security vulnerabilities of using a URL-embedded session.
2) How to secure those vulnerabilities, if they exist.
3) Does URL embedding work on its own (I mean, will PHP do it), or do I need to call session_id() implicitly (for assigning the session ID)?
4) What is the best method to embed the session in the URL? The SID constant, or simply session_name()=session_id()?
I have doubts about these. I need some info about this and correlated info about session configuration in php.ini. Thank you.


Passing the SESSION? I'm not sure what you mean by that, or why you would want to pass anything if you are using SESSION to begin with.


A little info here. But as the manual says, cookies are optimal. There is no real security advantage or disadvantage, except that a session ID can be seen by someone else in your vicinity if you are in a public space, so in that way a URL is slightly less secure. Cookie headers and URLs can be intercepted by packet sniffers equally well by a dedicated cracker. I cannot imagine wanting to use anything but the automated session mechanism.


Passing the SESSION? I'm not sure what you mean by that, or why you would want to pass anything if you are using SESSION to begin with.
No, my fault. I think actually I should say: how could I pass the session ID? I mean this: "PHPSESSID=ahu283kdapa0w2asd". I want to pass it in the URL instead of cookies.

A little info here. But as the manual says, cookies are optimal. There is no real security advantage or disadvantage, except that a session ID can be seen by someone else in your vicinity if you are in a public space, so in that way a URL is slightly less secure. Cookie headers and URLs can be intercepted by packet sniffers equally well by a dedicated cracker. I cannot imagine wanting to use anything but the automated session mechanism.
Thanks for the link. I read that, but I am not getting how the URL-embedded session ID will work. I mean, when anyone clicks on an embedded link, will the session ID be passed and assigned as the session ID automatically by PHP, or do I need to do that manually with something like session_id($_GET['PHPSESSID'])? Maybe I am not understanding the matter, but I can't find a brief text about that on php.net. And by the way, actually I am not looking for security advantages; actually I want to do something like a multi-tabbed login. I mean one user can use more than one session (at the same time one user can be logged in with different sessions). I was reading about it that cookies are more reliable than URL embedding. So I just want to confirm the threats regarding this, as I did not handle it before.

I mean one user can use more than one session.
In that case, surely you need to disable session cookies altogether. Passing the session ID through the URL will be automatically handled by PHP; you don't need to manually set the session ID. You need to put the SID on the URL, but PHP should handle getting it when you use session_start(). So you would need to set session.use_cookies and session.use_only_cookies to false and then add the session ID yourself to each URL.
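As an added example (not code from the thread), the setup the reply above describes, carried through in PHP 7+: cookies off, the ID accepted from the query string, and a small helper that appends SID to every link. The helper names (session_url, link_html) and the page names are assumptions for illustration. It also relies on a fact worth knowing about SID: PHP defines it as an empty string when the ID arrived in a cookie and as name=id otherwise, so with cookies disabled it is never empty.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and that this
// runs before any output is sent (session_start() must come first).

// Carry the ID only in the URL: no cookie is set, and the ID is accepted
// from $_GET/$_POST under the session name.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
// Keep PHP's automatic link/form rewriting off; links are built explicitly below.
ini_set('session.use_trans_sid', '0');
// Refuse IDs that PHP did not issue itself (no session data behind them).
ini_set('session.use_strict_mode', '1');

session_start();

// PHP defines SID as "" when the ID came from a cookie and as "name=id"
// otherwise. With cookies disabled it is therefore always "PHPSESSID=<id>".
// Assumed helper: append the current ID (if any) to a path as a query parameter.
function session_url(string $path, array $params = []): string
{
    if (SID !== '') {
        $params[session_name()] = session_id();
    }
    $query = http_build_query($params);
    return $query === '' ? $path : $path . '?' . $query;
}

// Assumed helper: render a link, escaping both the URL and the text so an
// ID or parameter value cannot break out of the attribute.
function link_html(string $path, string $text, array $params = []): string
{
    $href = htmlspecialchars(session_url($path, $params), ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

if (!isset($_SESSION['status'])) {
    $_SESSION['status'] = 'guest';   // first visit in this session
}

// Every link the page emits must carry the ID, or the next request starts
// a fresh, empty session.
echo link_html('members.php', 'Members area'), "\n";
echo link_html('search.php', 'Search', ['q' => 'php sessions']), "\n";
```

Opening the site in two tabs without an ID gives two independent sessions, which is the multi-session behaviour being asked for. The cost is that every link and form on the site has to go through a helper like this, and any URL that leaks (copied, bookmarked, written to a proxy log, sent in a Referer header to another site) carries a live session with it.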

In that case, surely you need to disable session cookies altogether. Passing the session ID through the URL will be automatically handled by PHP; you don't need to manually set the session ID. You need to put the SID on the URL, but PHP should handle getting it when you use session_start(). So you would need to set session.use_cookies and session.use_only_cookies to false and then add the session ID yourself to each URL.
OK, I did that. Thank you for the help. By the way, can you please tell me:
1) Why does SID evaluate to an empty string when session.use_cookies and session.use_only_cookies are on?
2) What is the purpose of session.use_trans_sid? I read the manual but I did not get the purpose of it.
3) I am curious: is there any way to do it with cookies, or is URL embedding the only way?

You can make a page with a (hidden) form and use JavaScript to submit it, and pass the SID that way, so you won't see the SID in your URL. So you have links which set certain values of that form (like the action) and submit it.


All are working as I was expecting. Thanks for the help, jsg & all. But I am facing some problem here. I am assigning $_SESSION['status']="guest" at index.php (somesite.com). When a user logs in he gets an update: $_SESSION['status']="member". All are working fine: it is assigning a session as a guest, and it is recognising the user in further pages as guest or member (whether he logged in or not). But I found a problem in the index page: if I use somesite.com/index.php?PHPSESSID="someidhere1", it is assigning someidhere1 as the session ID in further pages. I guess it was not intended. How to fix that? Need some help.


You can make a page with a (hidden) form and use JavaScript to submit it, and pass the SID that way, so you won't see the SID in your URL. So you have links which set certain values of that form (like the action) and submit it.
Unfortunately I am not using any JS, and I guess it will not work if JS is disabled, isn't it?

But I found a problem in the index page: if I use somesite.com/index.php?PHPSESSID="someidhere1", it is assigning someidhere1 as the session ID in further pages. I guess it was not intended.
Did you completely disable session cookies? I thought you wanted it to change the session.

Depends what you do later with the session ID. You could do index.php?session=326e48f654dead4419fa44726a126b7b and later, when checking, use:
if ($_GET['session'] == md5("something:hash")) {
because md5("something:hash") returns 326e48f654dead4419fa44726a126b7b. You can add your secret word instead of "hash", and "something" can be your session ID, which should be masked.


Did you completely disable session cookies? I thought you wanted it to change the session.
Yes, I disabled all. I wanted it to change the session on passing the session ID, but not in the index page (where all users are assumed guests), because if I pass some session ID in the index page it is assigning it. I think it is a security hole, where a user has a chance to manipulate a desired (guessable) session ID. Whereas after that page, if someone passes any (user-manipulated) session ID it will not be assigned, and it will show up the data of the user depending on the passed session ID: if that session ID doesn't match it will show some errors, and if it matches then it will show up the data of that particular user who holds the session ID. Generally when I use somesite.com it shows like http://somesite.com/... But suppose I passed http://somesite.com/index.php?PHPSESID=&am...ssiondata", then it is taking somesessiondata as the session ID in further pages. Other than that, all are working well, as far as I can see. I want to stop it doing that in the index page; I mean, index.php should be independent from any passed session ID. I am trying to do that: index.php will generate a different session ID on every reload. By the way, I guess session_regenerate_id() will work, though I'm not sure. What to do now? I hope I am able to make the problem clear.
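What the original poster describes in the two posts above is session fixation: with cookies off, whatever ID arrives in the query string becomes the session, including one an attacker put in a link they handed to the victim. The following is an added example, not the poster's code, assuming PHP 7+ and the same URL-only transport: session.use_strict_mode makes PHP discard IDs it never issued, a format check drops malformed IDs before session_start() sees them, and session_regenerate_id(true) at login invalidates any ID the client knew beforehand. The promote_to_member helper, the ID length bounds and the demo credentials are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ and the same
// URL-only transport as the thread: cookies off, ID in the query string.

ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '0');
// Core fix: with strict mode PHP ignores an incoming ID that has no session
// behind it and issues a fresh one, so index.php?PHPSESSID=someidhere1 no
// longer makes "someidhere1" the session.
ini_set('session.use_strict_mode', '1');

// Defence in depth: drop an incoming ID that is not even well-formed before
// the session layer sees it. PHP only ever issues IDs from [a-zA-Z0-9,-];
// the length bounds are an assumption covering the default sid_length settings.
$name = session_name();
if (isset($_GET[$name]) && !preg_match('/^[a-zA-Z0-9,-]{22,256}$/', (string) $_GET[$name])) {
    unset($_GET[$name], $_REQUEST[$name]);
}

session_start();

if (!isset($_SESSION['status'])) {
    $_SESSION['status'] = 'guest';
}

// Assumed helper: on login, replace the ID. Anything the client (or whoever
// handed them the link) knew beforehand is deleted and stops being valid.
function promote_to_member(string $user): void
{
    session_regenerate_id(true);   // true = remove the old session data
    $_SESSION['status'] = 'member';
    $_SESSION['user']   = $user;
}

// Constructed demo credential check; a real site verifies a password hash.
if (isset($_POST['user'], $_POST['pass'])
    && $_POST['user'] === 'demo' && hash_equals('demo', (string) $_POST['pass'])) {
    promote_to_member($_POST['user']);
}

echo 'status=', htmlspecialchars($_SESSION['status'], ENT_QUOTES, 'UTF-8'),
     ' sid=', htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8'), "\n";
```

Strict mode needs a save handler that can tell an unknown ID from a known one; the default file handler can, and a custom handler must implement validateId(). Regenerating on every reload of index.php, as the poster considers, is not needed once unknown IDs are rejected, and would break the two-tabs-two-sessions behaviour. None of this addresses interception: over plain HTTP the ID is readable in every request line, and in URL form it also lands in server logs, browser history and the Referer header of any outbound link, so the site has to be served over HTTPS for the ID to stay private.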

Depends what you do later with the session ID. You could do index.php?session=326e48f654dead4419fa44726a126b7b and later, when checking, use:
if ($_GET['session'] == md5("something:hash")) {
because md5("something:hash") returns 326e48f654dead4419fa44726a126b7b. You can add your secret word instead of "hash", and "something" can be your session ID, which should be masked.
Every client's session ID has to be different, though, so you can't hard-code such a test into your PHP script. Anyway, as long as the SID is passed over non-encrypted HTTP a hacker can always just intercept the request and forge his own using the captured SID value; thinking of fancy server-side encryption schemes does nothing whatsoever to stop this.
