Thanks for all the responses.
I have another question. How does a session hijack work?
The membership script I'm running doesn't show any session anywhere until you're logged in, so I assume a malicious user would have to join before damage could be attempted. I've tried copying the session of a created admin user, logging out, and then pasting the URL (to the admin area) into the address bar, but it redirects to the login page. If this is tried while logged in as a different user and I paste in the session of the admin user, I'm logged out and sent to the index. It appears that a hijack would only be able to take place with an active session, so deception would have to be used by a malicious user against registered members to try to get a valid id, no?
If there are other ways to do this other than the above logic, I'd like to know this as well.
Thanks again all.