How to steal a PHP session?
Hi everyone,
Still working on optimizing a Zend application, I was looking for information on Zend_Session and found this passage of the manual very interesting:
[…] an attacker can easily fix victim’s session ids, using links on the attacker’s website, such as
http://www.example.com/index.php?PHPSESSID=fixed_session_id. The fixation works, if the victim does not already have a session id cookie for example.com. Once a victim is using a known session id, the attacker can then attempt to hijack the session by pretending to be the victim, and emulating the victim’s user agent.
Source: http://framework.zend.com/manual/en/zend.session.global_session_management.html
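To make the quoted paragraph concrete, here is an added example (not code from the original post or from Zend Framework) in plain PHP: a login handler that adopts a session id from the URL, which is exactly the fixation the manual describes, beside a hardened handler that refuses URL ids, rejects ids the server never issued, and regenerates the id at login. The URLs, the cookie settings, the `check_credentials()` helper and the sample user are assumptions for illustration; PHP >= 5.5.2 is assumed for `session.use_strict_mode` and `password_hash()`.

```php
<?php
// Added example (not part of the original post or of Zend Framework).
// Illustrates the session fixation described in the quoted manual text and
// its fix. Run under any PHP web server; all names below are assumptions.

// --- Vulnerable pattern -------------------------------------------------
// The attacker lures the victim through
//   http://www.example.com/index.php?PHPSESSID=fixed_session_id
// and this handler adopts that id. Nothing about the id changes when the
// victim authenticates, so the attacker, who already knows the id, now holds
// an authenticated session.
function vulnerable_login(string $user, string $password): void
{
    if (isset($_GET['PHPSESSID'])) {
        // Adopting an id supplied by the request: this is the fixation.
        // session.use_trans_sid=1 does the same thing implicitly.
        session_id($_GET['PHPSESSID']);
    }
    session_start();
    if (check_credentials($user, $password)) {
        $_SESSION['user'] = $user;   // same id before and after login
    }
}

// --- Hardened pattern ---------------------------------------------------
function hardened_login(string $user, string $password): void
{
    // Only read the id from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Discard ids the server did not create (PHP >= 5.5.2). This also
    // defeats fixation through a planted cookie, which use_only_cookies alone
    // does not.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
    if (check_credentials($user, $password)) {
        // Privilege change: issue a fresh id and delete the old session file,
        // so an id the attacker planted before login is no longer tied to the
        // authenticated session.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
    }
}

// Assumed credential check standing in for the application's own.
// The user record is a constructed sample.
function check_credentials(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}
```

The essential line is `session_regenerate_id(true)` at the moment the session gains privileges; in Zend Framework 1 the equivalent call is `Zend_Session::regenerateId()`, which the cited manual page describes. Disabling `use_trans_sid` removes the `?PHPSESSID=` vector, but without regeneration on login a fixed id obtained by any other route (a cookie set from a sibling subdomain, for instance) still survives authentication.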
Have a good weekend!
Posted on Saturday October 8th