lalo, posted June 18, 2011:

I am trying to simulate a session fixation attack by appending the session identifier to the link:

www.example.com/index.php?PHPSESSID=1234567890

where index.php is:

    <?php
    session_start(); // start (or resume) the session
    print session_id();
    // more code....
    ?>

and I can't obtain the session_id 1234567890. What's going on?

HartleySan, posted June 18, 2011:

I trust that the double post was a glitch in the forum and not you double posting on purpose, right? Didn't mean to sound rude there. Anyway, all you need to do to get the number is access it via $_GET['PHPSESSID']. Also, no offense, but if you're not even able to do that, I don't know why you're worried about trying to simulate session fixation attacks.

Stuart, posted June 19, 2011:

Also, session.use_only_cookies is by default (5.2+) set to TRUE, meaning passing a PHPSESSID in the URL will have no impact at all.

Larry, posted June 20, 2011:

I also don't know if the session ID is validated to any degree. For example, actual session IDs are exactly 32 characters long and contain hexadecimal characters.
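
A session setup that applies the settings discussed in this thread, added here as an example and not code from any of the posters. The function names start_hardened_session() and on_login() are hypothetical, and the array form of session_set_cookie_params() assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example: session setup that resists fixation.
// start_hardened_session() and on_login() are hypothetical helper names.

function start_hardened_session(): void
{
    // Ignore session IDs in the query string (?PHPSESSID=...); cookies only.
    ini_set('session.use_only_cookies', '1');
    // Never rewrite links to carry the session ID.
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not issue itself (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function on_login(string $userId): void
{
    // Issue a fresh ID at the privilege change and delete the old session
    // data, so an ID planted before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();

// Self-check for the test in the original question: the ID supplied in the
// URL must not have become the active session ID.
if (isset($_GET['PHPSESSID']) && $_GET['PHPSESSID'] === session_id()) {
    session_regenerate_id(true);
    error_log('session fixation check: URL-supplied session ID was accepted');
}

print session_id();
```

Requesting index.php?PHPSESSID=1234567890 against this script prints a server-generated ID, not the value from the URL.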