开发者

PHPSESSID appears in form arbitrarily

I have a login form written in PHP and each time I start the browser and go to the respective page, the first field of the form is this:

<input type="hidden" name="PHPSESSID" value="session_id_code" />

If I close the window, but I don't restart the browser, this doesn't happen. Any idea what's happening and why?

Thanks!


Form's code:

<?php
if (condition) {
?>
<form method="post" action="">
<dl>
<dt>Email:</dt>
<dd><input type="text" name="useremail" /></dd>
<dt>Password:</dt>
<dd>
<input type="password" name="userpass" /><开发者_如何学C;/dd>
<dt class="dt-buttons"><input type="submit" name="button_login" value="Login" class="button" /></dt>
</dl>
<input type="hidden" name="formkey" id="formkey" value="224ca00155w2fcda8906e1e40af03a71" />
</form>
<?php
}
?>

The form is simple HTML and is not dynamically generated.

EDIT2:

As I was saying, when I access the page for the first time after I started the browser, this thing happens. If I refresh the page afterwards, the hidden field doesn't show up.

Is it possible to have something to do with the SSL certificate? And if yes, why some pages/forms behave like this and some don't?


Sounds like you've got trans_sid enabled (transparent session id). Using trans_sid can be a security issue, especially if your site links to external content, or you allow link sharing - it lets a user's session ID leak out as part of the URL, meaning the session is highly vulnerable to hijacking.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜