Session_id is visible in page source, is it ok?
I'm sending the session_id
with the javascript. The session_id
is visible in source of the page like:
function startUpload(id){
var queryString = '&' + $('#new_doc_upload').serialize() + "&session_id=" + "01dfda2def225bae907b129d2ffb1";
开发者_开发百科 $('#fileUpload').fileUploadSettings('scriptData',queryString);
$('#fileUpload').fileUploadStart();
}
Is it ok that the session_id
is visible or can is it a security issue?
Thanks.
It's okay. It's probably not ideal, but anyone interested in hacking your sessions will look for it in the other places you might have put it anyway (cookies, etc.), so you're not lowering the bar much if at all. (Java EE stuff does this as a fallback if cookies don't work, appending ;jsessionid=xxx
to every URL.)
The important thing is to ensure that it's difficult to hijack sessions, regardless of how the hacker got the session ID. (By binding the session to the source IP address and checking that at the server level on every request, using sane timeouts, and the various other techniques.)
I would argue that it's perfectly fine. My rationale is that PHP sends it in clear text and so does the browser when you use sessions. Here's what happens in the background when you make a web request:
> GET / HTTP/1.1
Host: example.com
Accept: */*
< HTTP/1.1 200 OK
< Date: Tue, 12 Jul 2011 07:00:26 GMT
< Server: Apache
< Set-Cookie: PHP_SESSID=2873fd75b29380bc9d775e43e41dc898; path=/; domain=example.com; secure
< P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
< Vary: Accept-Encoding
< Content-Length: 5538
< Content-Type: text/html; charset=UTF-8
As you can see, I made a GET request and the server response with Set-Cookie: PHP_SESSID=
followed by my session ID. Anyone that's "sniffing" the request who would be able to see the session ID in the JavaScript would be able to get it from the headers too. The only thing to worry about would be things like malicious browser plugins and other exploits that are not likely but can be avoided by properly securing your code.
I'd recommend that you look at http://phpsec.org/projects/guide/4.html for some tips and information on session hijacking.
I recently did this while working on a google earth plugin project. It didn't use the browser's cookies so I had to pass session variables in the url with javascript which grabbed it from the html. There are no security issues.
i think it is not severe issue but still is not properly coded.one should not let anyone know ids if possible.From your code it looks like you have encoded your id.you should add some more info in your encoding to make it more secure.
for an example one can easily decode "encode(15)" but it is very difficult to decode "encode('php is great'.15.' codint language')";
No, I don't think it's ok. You're making the session_id easily accessible, which in turns makes session-hijacking attacks very easy (and likely).
If you need the session_id, there are some methods to mitigate the possibility of session hijacking, consider regenerating the session_id after the upload, or having a secondary check to validate the user.
If you're trying to prevent unauthorized uploads, I'd consider something a little different - perhaps generating a one-time unique string of characters that is associated with the user for the duration of the upload, but not the session_id itself. Too much risk in that, IMO.
精彩评论