in reply to Session Security

Is your browser accepting cookies? Are you retrieving the cookies correctly? It sounds more like a problem with the cookie handling in code. (But maybe you're right; I don't know specifics, only what you say.)

If you're truly worried about getting the session ID from packets, then using cookies isn't going to help at all (they're passed over the wire too on every request). The only thing that will help is using a secure connection (HTTPS). Putting the session ID in the URL makes it more accessible, but as long as you expire the sessions at a reasonable time (and give the user a way to force expiration), someone gleaning IDs from browser history or something shouldn't be much of a problem.

You could, in your code, limit a cookie you receive to the particular IP you assigned it to, but even that isn't failsafe, as caching proxy servers, for example, only have one IP for multiple users.
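As an added example (not code from the reply above or from the original poster), the following CGI.pm script shows the points above in practice: the session ID is generated from the OS random source rather than anything guessable, the cookie is marked -secure so the browser only sends it over HTTPS (and -httponly so page scripts cannot read it), the real lifetime is enforced server-side with an idle timeout plus a logout that force-expires the session, and the IP binding is an opt-in check, because of the proxy caveat. The %SESSIONS hash, the 32-hex-character ID format, the 30-minute timeout and the 'guest' placeholder user are assumptions for illustration; a hash inside a CGI process is empty on every request, so a real deployment would back it with a file or database store.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard);

# Assumed session store. In a real CGI deployment this must be persistent
# (file, DB, memcached) because every request runs in a fresh process.
my %SESSIONS;
my $SESSION_TTL = 30 * 60;   # assumed idle timeout: 30 minutes, enforced server-side

# Build an unguessable session ID from the OS random source (128 bits, hex).
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $bytes;
    read $fh, $bytes, 16 or die "short read from /dev/urandom: $!";
    close $fh;
    return unpack 'H*', $bytes;
}

# Create a session record, remembering the client IP for the optional check.
sub create_session {
    my ($user, $ip) = @_;
    my $id = new_session_id();
    $SESSIONS{$id} = { user => $user, ip => $ip, last_seen => time };
    return $id;
}

# Validate a session ID from the cookie; returns the record or undef.
sub validate_session {
    my ($id, $ip, $check_ip) = @_;
    # Reject anything that is not a well-formed ID before touching the store.
    return undef unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    my $s = $SESSIONS{$id} or return undef;
    if (time - $s->{last_seen} > $SESSION_TTL) {   # idle timeout expired
        delete $SESSIONS{$id};
        return undef;
    }
    # IP binding is optional: it breaks for users behind a shared proxy or NAT,
    # where many users (or one user, request by request) show different IPs.
    return undef if $check_ip && $s->{ip} ne $ip;
    $s->{last_seen} = time;
    return $s;
}

# "Force expiration": drop the server-side record on logout.
sub destroy_session {
    my ($id) = @_;
    delete $SESSIONS{$id} if defined $id;
}

# --- request handling (functional CGI.pm interface throughout) ---
my $ip = remote_addr();

if (param('logout')) {
    destroy_session(cookie('sessionid'));
    # Overwrite the cookie with an already-expired one so the browser drops it.
    print header(-cookie => cookie(-name => 'sessionid', -value => '', -expires => '-1d'));
    print "Logged out\n";
    exit;
}

my $session = validate_session(cookie('sessionid'), $ip, 0);   # 1 to enable IP check

unless ($session) {
    # Real authentication would go here; 'guest' is an assumed placeholder.
    my $id = create_session('guest', $ip);
    my $c = cookie(
        -name     => 'sessionid',
        -value    => $id,
        -secure   => 1,   # only transmitted over HTTPS
        -httponly => 1,   # not exposed to page scripts
        # No -expires: a browser-session cookie. Lifetime is controlled by
        # $SESSION_TTL on the server, not by a one-year client-side expiry.
    );
    print header(-cookie => $c);
    print "New session issued\n";
}
else {
    print header();
    print "Welcome back, $session->{user}\n";
}
```

Run it once to see the Set-Cookie header with the Secure and HttpOnly attributes; run it with `logout=1` in the query string to see the expiring cookie. Because the cookie travels with every request exactly as a URL parameter would, the -secure flag is the part that actually keeps the ID off the wire in the clear.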

Re: Session Security
by powerhouse (Friar) on Nov 20, 2003 at 03:31 UTC
    I retrieve the cookie like this:

        use CGI qw(:standard);
        $_sessionid = cookie("sessionid");

    I set it like this: (I'm using CGI's :standard)

        $_s_cookie = cookie(-name => "sessionid", -value => $sessionid, -expires => "+1y");
        print header(-cookie => $_s_cookie, -P3P => "policyref=/w3c/p3p.xml");

    It worked for a while, then it just quit working for some reason. It also works sometimes with some of our users.

    Then sometimes it does not work. Same pages, same coding.

    Just a strange thing, that I don't understand. The cookie ONLY contains the session id. Nothing else.

    thx,
    Richard
      Try eliminating the P3P policy and see if you still have the problem with cookies. I don't know much about P3P, but it probably isn't fully supported by all browsers. Do you really need it in the first place?