Hiding Session Id

**subzero** · 27.01.09, 15:29

Nope lavalair is stuck with sid id it will show no matter what....

**metulj** · 27.01.09, 17:51

<div class='quotetop'>QUOTE (subzero @ Jan 27 2009, 04:29 PM) <{POST_SNAPBACK}></div>

Nope lavalair is stuck with sid id it will show no matter what....[/b]

not true..

**djdevil89** · 27.01.09, 18:10

<div class='quotetop'>QUOTE (metulj @ Jan 27 2009, 06:51 PM) <{POST_SNAPBACK}></div>

not true..[/b]

mod_rewrite

**Guest** · 27.01.09, 20:26

<div class='quotetop'>QUOTE (drwap @ Jan 27 2009, 06:10 PM) <{POST_SNAPBACK}></div>

mod_rewrite[/b]

How do you plan to use mod_rewrite to hide session id? :S

**alesh** · 27.01.09, 22:55

yeah mod_rewrite would do the job but theres easier way to protect ur session id with only few lines of code and then u cn give ur session id in public and they can do **** with it lol...

**alesh** · 27.01.09, 22:56

<div class='quotetop'>QUOTE (youngson @ Jan 27 2009, 09:26 PM) <{POST_SNAPBACK}></div>

How do you plan to use mod_rewrite to hide session id? :S[/b]

btw b4 tht kind of post, 1st c whts mod_rewrite... try google it

**Guest** · 27.01.09, 23:21

<div class='quotetop'>QUOTE (alesh @ Jan 27 2009, 10:56 PM) <{POST_SNAPBACK}></div>

btw b4 tht kind of post, 1st c whts mod_rewrite... try google it[/b]

Btw b4 tht kind of post, don't insult my intelligence like that. I know fine what mod rewrite is. You would know that if you read my posts. I currently have it enabled in the site I am making atm which you will find in the script testing forum.

**Guest** · 27.01.09, 23:25

<div class='quotetop'>QUOTE (alesh @ Jan 27 2009, 10:55 PM) <{POST_SNAPBACK}></div>

yeah mod_rewrite would do the job but theres easier way to protect ur session id with only few lines of code and then u cn give ur session id in public and they can do **** with it lol...[/b]

And I still fail to see what mod_rewrite can do to hide session id, as it needs it in the url somewhere so it can be passed along as a parameter. Hence why I asked how can you do that with mod_rewrite.

**djlee** · 28.01.09, 00:45

mod rewrite isnt the way forward ... look at what the user gives you to identify themselves .. erm browser ??? ip ??? just to name two .. so why not make those two things part of the authentication process.. if ($currentip != $storedip) then request re-login ... that would solve erm .. 99% of your script kidding session jacking .. the rest of the 1% .. well dont even trying to stop them cause even i can brute force ur ssh port into submission.. so the experts that make up that 1% wouldnt have a problem

**rukiya** · 28.01.09, 02:10

<div class='quotetop'>QUOTE (djlee @ Jan 28 2009, 01:45 AM) <{POST_SNAPBACK}></div>

mod rewrite isnt the way forward ... look at what the user gives you to identify themselves .. erm browser ??? ip ??? just to name two .. so why not make those two things part of the authentication process.. if ($currentip != $storedip) then request re-login ... that would solve erm .. 99% of your script kidding session jacking .. the rest of the 1% .. well dont even trying to stop them cause even i can brute force ur ssh port into submission.. so the experts that make up that 1% wouldnt have a problem[/b]

Ip & browser is definately the wrong way to login because both are varible. I would use cookies.

**djlee** · 28.01.09, 02:13

erm yh exactly .. variable .. and cookies arent the way to go unless you know what your doing .. and cookies store data .. much like session id's and therefore and n00b with a keyboard and create and destroy cookies on there own machine.

think about it .. IP .. erm your ip is locked to your account, in order for me to continue your session is to have the same ip address .. IP changes you gotta relogin .. and i dont kno the pass so i cant.

the whole point is to use dynamic variables.. 90% of static vars arent no good and they can be spoofed far too easily

**rukiya** · 28.01.09, 02:54

<div class='quotetop'>QUOTE (djlee @ Jan 28 2009, 04:13 AM) <{POST_SNAPBACK}></div>

erm yh exactly .. variable .. and cookies arent the way to go unless you know what your doing .. and cookies store data .. much like session id's and therefore and n00b with a keyboard and create and destroy cookies on there own machine.

think about it .. IP .. erm your ip is locked to your account, in order for me to continue your session is to have the same ip address .. IP changes you gotta relogin .. and i dont kno the pass so i cant.

the whole point is to use dynamic variables.. 90% of static vars arent no good and they can be spoofed far too easily[/b]

Thats problem for login if you use ip because if your current ip is different from your preview ip then you cant login anymore.

**djlee** · 28.01.09, 03:11

no if your stored ip and ur current ip is different then the session is deleted, then u need to relogin back in .. upon relogging in the script enters your new ip into the db and that becomes ur stored ip. therefore the hijacker needs ur password to login in order to reset the stored ip .. i really dont see the difficulty ur having in understanding this lol

**subzero** · 28.01.09, 04:04

mod_rewrite You will fail!

Only one way to hide session ID is to build a new script that use session the right way like mine script im making so loony script and youngson's script we all are best coders to think of session

Here some idea's

Code:

Login

$session[&#39;id&#39;]=session_id();
$session[&#39;sid&#39;]=$sid;


Sign up

session_start();
session_register("session");

Exit

session_unset();
session_destroy();

In config

error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);

Now see what you can do with this

Hiding Session Id

Hiding Session Id

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment