RE: FN-FORUM: dB growth
date posted 22nd September 2006 10:22
You wouldn't be storing the session ID in the database, rather the session
data at the server end would contain the company ID. Besides, a properly
coded system would guard against SQL injection attacks (i.e. check that the
form fields contain only data and not SQL commands).
Dave.
__________________________________________________
Dave Boulden, Director. DA Media Limited
web: http://www.da-media.co.uk/
Tel: 01795 559456 Fax: 07092 011488
> -----Original Message-----
> From: [EMAIL REMOVED] [EMAIL REMOVED] On
> Behalf Of [EMAIL REMOVED]
>
>
> Dom,
>
> Sorry for appearing thick here; security is obviously not my job.
>
> How do you use the encrypted session id to stop someone
> re-setting their company id? Presumably I could use something like
>
> Set session("company_id")=nn where
> sessionid=01c4234c1f70a20aa90c9d78358c5472
>
> Bit of trial and error or using one of those terrifying tools
> they keep frightening me with at DDD days and I'd have the
> basic information needed to reset the appropriate variable to
> access another client's data.
>
> As I said I'm no security expert, just trying to learn/help.
>
> John
>
> -----Original Message-----
> From: [EMAIL REMOVED] [EMAIL REMOVED] On
> Behalf Of Dom Latter
> Sent: 21 September 2006 15:15
> To: Anslow, John
> Subject: Re: FN-FORUM: dB growth
>
>
> On Thursday 21 Sep 2006 1:18 pm, [EMAIL REMOVED] John wrote:
> > 1. set session("company_id")=someone else's company_id
>
> Session variables are keyed to the session ID and stored on
> the server, not the client. The session cookie looks like this
>
> Name PHPSESSID
> Value 01c4234c1f70a20aa90c9d78358c5472
> Host www.regalaunaexperiencia.es
> Path /
> Expires At End Of Session
>
> Reckon you can hack a 128 bit number?
>
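The point Dom and Dave are making, as an added example that is not part of the original thread: the client only ever holds the random 128-bit session ID; the company_id lives in a server-side store keyed by that ID, a form field claiming a different company_id is simply ignored, and the database query binds form input as a parameter so it is treated as data, not SQL. The invoices table and its rows are constructed here for illustration.

```python
import secrets
import sqlite3

# Server-side session store: session ID -> session data.
# Only the ID travels to the client (the PHPSESSID-style cookie); company_id never does.
SESSIONS = {}

def start_session(company_id):
    """Log a user in: mint a random 128-bit session ID and bind the company to it server-side."""
    sid = secrets.token_hex(16)  # 16 random bytes = 128 bits, shown as 32 hex chars
    SESSIONS[sid] = {"company_id": company_id}
    return sid

def company_for_request(cookie_sid, form):
    """Resolve the company for a request from the session, never from the untrusted form."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return None  # unknown or forged session ID: no session, no data
    # Any company_id the client puts in the form is deliberately ignored.
    return session["company_id"]

def setup_db():
    """Constructed sample data: a per-company invoices table (hypothetical, for the example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (company_id INTEGER, ref TEXT)")
    db.executemany("INSERT INTO invoices VALUES (?, ?)",
                   [(1, "A-1"), (2, "B-7"), (2, "B-8")])
    return db

def list_invoices(db, cookie_sid, form):
    """Return invoice refs visible to the session's company, filtered by an optional 'ref' pattern."""
    company_id = company_for_request(cookie_sid, form)
    if company_id is None:
        return []
    # Parameterised query: the form's 'ref' value is bound as data, so SQL typed into the
    # field cannot change the statement; the company scope comes from the session only.
    rows = db.execute(
        "SELECT ref FROM invoices WHERE company_id = ? AND ref LIKE ?",
        (company_id, form.get("ref", "%")),
    ).fetchall()
    return [r[0] for r in rows]
```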