[FX.php List] PHP Session ID isn't restricted to HTTPS connections
Leo R. Lundgren
leo at finalresort.org
Wed Sep 15 10:49:29 MDT 2010
I'm just guessing, but could he be referring to the fact that your site doesn't force HTTPS? If so, a user could visit it via unencrypted HTTP and initialize a session there (in this example by logging in). This could pose a security risk because his session could be hijacked.
On 15 Sep 2010, at 18:18, Jonathan Schwartz wrote:
> Hi Folks,
>
> Putting our security hat on now....
>
> "PHP Session ID isn't restricted to HTTPS connections"
>
> I received this feedback from an individual regarding a secure web form. I'm not really sure what it is referring to.
>
> Any help?
>
> Jonathan
> --
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-370-5011
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
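
Added example, not part of the thread and not FX.php code: one way to keep a PHP session ID off plain HTTP, covering both the reading suggested in the reply (the site does not force HTTPS) and the usual meaning of this finding (the session cookie lacks the Secure flag). It assumes PHP 7.3 or later, TLS terminating at the web server, and a placeholder host name `www.example.com`; the function names are hypothetical.

```php
<?php
// Hypothetical bootstrap file, included before any output is sent.
// Assumptions: PHP 7.3+ (array form of session_set_cookie_params) and
// $_SERVER['HTTPS'] being set by the web server for HTTPS requests.

const CANONICAL_HOST = 'www.example.com'; // placeholder; avoids trusting the Host header

function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function start_https_only_session(array $server): void
{
    if (!request_is_https($server)) {
        // Never create or resume a session over plain HTTP; send the
        // browser to the same path on HTTPS instead.
        $path = $server['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }

    ini_set('session.use_only_cookies', '1'); // no session IDs in URLs
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // browser sends the cookie over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function mark_logged_in(string $userId): void
{
    // Issue a fresh session ID at login and delete the old session data,
    // so an ID seen before authentication is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_https_only_session($_SERVER);
```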