Hiding Session Id


#31
True, but they'd still need a way to authenticate; just having the same IP wouldn't give someone access to a running PHP session. Personally, since I don't code for WAP, I use a complex cookie system whereby, using a subdomain of the site, I can create virtually unstealable cookies: the cookies are locked to the subdomain so only the system can access them, and any XSS code would be injected on the main domain, so the browser would deny access to the cookie. Simple idea, slightly complex code, and probably the best unique way I've come up with for auth so far.

Locking to IPs is the most basic of authentication procedures; even top commercial sites from MS to Google still use it as part of a larger security system, so I doubt it's the worst idea ever. The problem is you're looking for a way to suit everyone, and that opens up a whole can of security issues: at what point do you draw the line and start to forfeit the odd user in order to protect the rest?

But there is a way around IP checking: allow the user to unbind their IP. If a user is in a situation where their IP changes frequently, every few minutes or so, they can go to their profile and turn off IP checking (or make a request to staff if you make it a staff function). As long as you code in a fail-safe so staff accounts can't disable the IP protection, you'll be fine, since what use is another user account to a hacker?



#32
What are the ways of hacking the session ID in Lavalair anyway?

If it's by users clicking links, why don't you set up a redirection page that strips the SID before they get sent to the other site?



#33
Originally posted by youngson (Feb 16 2009, 12:14 PM)
What are the ways of hacking the session ID in Lavalair anyway?

If it's by users clicking links, why don't you set up a redirection page that strips the SID before they get sent to the other site?
So you can look into the session: http://extremetracking.com/open;ref1?login=sharemob if you're chatting with your access and a link that will take you there, and it will show what follows you into the session.



#34
I've hidden the session ID in Lava, and it's not with mod_rewrite.



#35
Make a credential-checking file: call it gate.cfm. To avoid confusion in case you've just browsed another ColdFusion site, delete the cfid and cftoken cookies. In case you've been inside this application earlier, delete the "Pass" cookie (which you'll set later) as well. Enable session management with cookies turned off and permit the idle time to be three minutes.


Code:
<!--- Remove old cookies and set session parameters --->
<cfcookie name="cfid" value=0 expires=-1>
<cfcookie name="cftoken" value=0 expires=-1>
<cfcookie name="myid" value=0 expires=-1>
<cfcookie name="mytoken" value=0 expires=-1>
<cfapplication Name="HideSession"
    clientmanagement="no"
    sessionmanagement="yes"
    setclientcookies="no"
    sessiontimeout=#createTimeSpan(0,0,3,0)#>

For this demonstration, replace database logic by simply pretending that the "Frank" login was validated and that the database says Frank has AccessLevel 5. Then concatenate the Application name and session ID to form a lock name that should only block another window of this same browser, copy cftoken to a variable that doesn't have to be locked, and store the UserId and AccessLevel in a memory structure for this session.

Code:
<!--- Pretend that "Frank" login was validated
      and that the "database" said Frank has AccessLevel 5 --->
<cfset form.UserId="Frank">
<cfset request.AccessLevel=5>

<!--- Copy session identifiers and store data in session memory --->
<cfset Lock="HideSession"&#session.cfid#>
<cflock name="#Lock#" timeout=30>
    <cfset request.cftoken=session.cftoken>
    <cfset session.User=form.UserId>
    <cfset session.Access=request.AccessLevel>
</cflock>

Use list functions to build a list of elements separated by spaces, urlEncode it to make its special characters safe, and encrypt the result as you store it in a cookie named "Pass". It's a bad idea to permit spaces in UserIds anyway; this avoids problems in case someone wants to have a comma in a UserId [groan]. The random number just adds aggravation. It doesn't do much in this demonstration, but if you rearranged the pieces before (or after) encryption, it might make the string appear even more different from attempt to attempt.

Code:
<!--- Store the UserID and session keys in an encrypted cookie --->
<cfset Temp="">
<cfset Temp=listAppend(Temp,randRange(0,9999)," ")>
<cfset Temp=listAppend(Temp,session.cfid," ")>
<cfset Temp=listAppend(Temp,request.cftoken," ")>
<cfset Temp=listAppend(Temp,form.UserId," ")>
<cfset cookie.Pass=urlEncodedFormat(encrypt(Temp,"welcome"))>

Because this is a demonstration, you need a way to remember what the session ID was on the first page, so you can see whether the session retained its integrity between pages. Build a form to help with this task.

Code:
<form name="Gate" action="menu.cfm" method="post">
Notice the session Id: <cfoutput>#session.cfid#</cfoutput><br>
<input type="hidden" name="Reference" value=<cfoutput>"#session.cfid#"</cfoutput>>
<input type="submit" name="Go" value="Done reading">
</form>

Build a Menu

This "menu", menu.cfm, merely contains the code needed to show that session memory can be accessed based on the contents of an encrypted cookie. (In real life, the available menu items would depend on AccessLevel.) Read the Pass, display it for educational purposes, and interpret it. When you interpret it, set the url variables CFID and CFTOKEN based on the contents of Pass so ColdFusion will "resume" this session when you turn session management on.

Code:
<!--- Read the Pass --->
<cfparam name="cookie.Pass" default="">
<cfif not len(cookie.Pass)>
    The credential is missing
</cfif>
<pre>
urlEncoded Pass:<cfoutput>#cookie.Pass#</cfoutput><br>
urlDecoded Pass:<cfoutput>#urlDecode(cookie.Pass)#</cfoutput>
</pre>
<p>

<!--- Interpret the Pass --->
<cfset Temp=decrypt(urlDecode(cookie.Pass),"welcome")>
<cfoutput>Random number is #listGetAt(Temp,1," ")#</cfoutput>
<p>
<cfset url.cfid=listGetAt(Temp,2," ")>
<cfset url.cftoken=listGetAt(Temp,3," ")>
<cfset url.UserId=listGetAt(Temp,4," ")>

Set the session parameters as before, and read session memory. If for some reason the session does not contain a UserId and SessionLevel (perhaps the old session didn't restart after all), use cftry/cfcatch combinations to avoid exposing the user to raw errors. Finally, display the desired and actual data.

Code:
<!--- Set session parameters --->
<cfapplication Name="HideSession"
    clientmanagement="no"
    sessionmanagement="yes"
    setclientcookies="no"
    sessiontimeout=#createTimeSpan(0,0,3,0)#>

<!--- Access session memory to prove the session was found --->
<cfset Lock="HideSession"&#session.cfid#>
<cflock name="#Lock#" timeout=30>
    <cftry>
        <cfset request.UserId=session.User>
        <cfcatch>
            UserId not found<br>
            <cfset request.UserId="">
        </cfcatch>
    </cftry>
    <cftry>
        <cfset request.AccessLevel=session.Access>
        <cfcatch>
            SessionLevel not found<br>
            <cfset request.AccessLevel=0>
        </cfcatch>
    </cftry>
</cflock>

UserId desired: Frank<br>
UserId seen: <cfoutput>#request.UserId#</cfoutput><br>
Access Level desired: 5<br>
AccessLevel seen: <cfoutput>#request.AccessLevel#</cfoutput><br>
Session desired: <cfoutput>#form.reference#</cfoutput><br>
Session seen: <cfoutput>#session.cfid#</cfoutput>
:rolleyes:
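A PHP take on the "Pass" cookie from post #35, added here as an example and not taken from the thread or from any of the scripts discussed in it. Instead of reversibly encrypting "random cfid cftoken user" under the fixed passphrase "welcome", which lets anyone who learns the passphrase mint a Pass for any session, the fields are signed with HMAC-SHA256 under a server-side secret, so a cookie whose session id, user or expiry has been altered is rejected before any session is resumed. `$secret`, the field layout, the function names and the three-minute lifetime are assumptions.

```php
<?php
// Added example, not code from the thread. The fields stay readable (base64 is
// encoding, not encryption); that is acceptable here because the cookie itself
// is already the bearer credential. What the HMAC adds is that it cannot be
// forged or edited. $secret and the field layout are assumptions.

function make_pass(string $sessionId, string $userId, string $secret, int $now, int $ttl = 180): string
{
    // base64 per field, so a space or comma inside a UserId cannot split the list
    $payload = implode(' ', array_map('base64_encode', [
        bin2hex(random_bytes(8)),  // nonce: no two cookies look alike
        $sessionId,
        $userId,
        (string) ($now + $ttl),    // absolute expiry, checked in read_pass()
    ]));
    $mac = hash_hmac('sha256', $payload, $secret);
    return rawurlencode($payload . '.' . $mac);   // neither part contains '.'
}

function read_pass(string $cookie, string $secret, int $now): ?array
{
    $raw = rawurldecode($cookie);
    $dot = strrpos($raw, '.');
    if ($dot === false) {
        return null;
    }
    $payload = substr($raw, 0, $dot);
    $mac     = substr($raw, $dot + 1);
    // hash_equals() compares in constant time; a plain == would leak timing
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;                                 // tampered or wrong secret
    }
    $parts = array_map('base64_decode', explode(' ', $payload));
    if (count($parts) !== 4 || (int) $parts[3] < $now) {
        return null;                                 // malformed or expired
    }
    return ['session_id' => $parts[1], 'user_id' => $parts[2], 'expires' => (int) $parts[3]];
}

// Constructed demo values; in the post this would be cookie.Pass on gate.cfm / menu.cfm.
$secret = 'long-random-server-secret-kept-out-of-the-code-in-practice';
$pass   = make_pass('68e1b2c4', 'Frank', $secret, time());
var_dump(read_pass($pass, $secret, time())['user_id']);           // string(5) "Frank"
$forged = substr($pass, 0, -1) . ($pass[-1] === '0' ? '1' : '0'); // alter one MAC character
var_dump(read_pass($forged, $secret, time()));                    // NULL
var_dump(read_pass($pass, $secret, time() + 600));                // NULL, expired
```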


#36
mod_rewrite can hide the queries, but to do the session on each page you can get the same result with cookies, and it's so easy.

PHP Code:
session_name("SESSIONID");
session_start();
$act = get_var("act");   // get_var() is the poster's own request helper
if ($act == "index") unset($_SESSION['uid']);
if (!isset($_SESSION['username'])) $_SESSION['username'] = "Guest";
if (!isset($_SESSION['ses'])) $_SESSION['ses'] = "Guest_".substr(md5(time()),0,12);
To log in, it changes guest to user:

PHP Code:
// fetch_array(), NewSessionID(), ip() and subno() are helpers from the poster's own script,
// and sessions / members are its table-name constants. $nick is interpolated straight into
// the SQL filter, so fetch_array() must escape it.
$GetSession = fetch_array("sesid", sessions, "LOWER(username) = LOWER('$nick')");
if (empty($GetSession)) $sesid = NewSessionID($nick, $_SERVER['HTTP_USER_AGENT'], ip(), subno(ip()));
else $sesid = $GetSession;
$_SESSION['username'] = fetch_array("username", members, "LOWER(username) = LOWER('$nick')");
$_SESSION['ses'] = $sesid;
$_SESSION['uid'] = fetch_array("id", members, "LOWER(username) = LOWER('$_SESSION[username]')");
And to delete I use:

PHP Code:
delete(sessions, "LOWER(username) = LOWER('$_SESSION[username]')");   // delete() is the poster's DB helper
session_unset();
$_SESSION['username'] = "Guest";
$_SESSION['ses'] = NewSessionID("Guest", $_SERVER['HTTP_USER_AGENT'], ip(), subno(ip()));


#37
Originally posted by jsyguy23
I've hidden the session ID in Lava, and it's not with mod_rewrite.
Hmmm, when you take credit for things it makes people not want to help. Be careful what you claim you did.


#38
I don't even see how it is possible that someone can hack your session ID. They would physically have to see your URL to steal the SID.


#39
Originally posted by synergyx2009
I don't even see how it is possible that someone can hack your session ID. They would physically have to see your URL to steal the SID.
REFERER -duh- or I can send a variable via URL and it's executed.



#40
Yes, I know that, but there would have to be a link to an external page in order for that to happen.


#41
Originally posted by synergyx2009
Yes, I know that, but there would have to be a link to an external page in order for that to happen.
When you look at the Lava script... and how the session is done...
you'll get an idea how they steal sessions...
You'll also get an idea how simple the protection against that is... :rolleyes:


#42
I use more or less the same idea as Lavalair, I think. Once the username and pass have been authenticated, I take the current Unix time, multiply it by the first 3 digits of the user's IP, then convert to md5. Then I use that as the session key on every page.


#43
Then if, like what I'm guessing is default LL, you pass the sid between pages in the GET header, I simply find an XSS hole in your site (there is one in a specific location on most LL sites that haven't been security checked) and then use this. That JS file is then able to successfully forward the user to a PHP page on my site which notes the passed sid, which the JS file grabbed from the URL prior to redirection, then forwards them back to the online user list or whatever, so they think the page just didn't load. (This was a POC; with a little messing I could have had it do all that and still display the page just fine.) I then simply send a message to the owner, "hey check out my awesome sig/text/avatar/wateva in my profile", they view it, I grab their sid, jump on their account and commit mass deletion. Of course, since I'm using a JS file, with some playing and tweaking, since the JS runs client side and you're on the cookie's domain before redirection, I could also steal any cookies stored too, so saving session ids to cookies is also a little bit insecure, but it's a lot more secure than other methods, and with other security stuff in there saving sessions or even the uid/passhash to a cookie is perfectly fine.

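Seen from the server side, the hijack described in this post leaves a trace the site can look for even while the SID still rides in the query string: one sid suddenly used by a second client. The detector below is an added example, not code from the thread or from Lavalair; the combined-log format, the `sid` parameter name and the sample lines are constructed assumptions.

```php
<?php
// Added example, not from the thread: flag session ids that appear from more
// than one client fingerprint in an access log. Sample lines are constructed;
// the "sid" query parameter follows the thread's description of Lavalair.
$sampleLog = <<<'LOG'
10.0.0.5 - - [14/Jun/2009:06:40:01 +0000] "GET /index.php?sid=a1b2c3d4 HTTP/1.1" 200 512 "-" "Nokia6300/2.0"
10.0.0.5 - - [14/Jun/2009:06:40:09 +0000] "GET /profile.php?sid=a1b2c3d4&u=9 HTTP/1.1" 200 2048 "-" "Nokia6300/2.0"
203.0.113.9 - - [14/Jun/2009:06:40:15 +0000] "GET /online.php?sid=a1b2c3d4 HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.7 - - [14/Jun/2009:06:41:00 +0000] "GET /index.php?sid=ffee0011 HTTP/1.1" 200 512 "-" "SonyEricssonK750i"
10.0.0.7 - - [14/Jun/2009:06:41:30 +0000] "GET /inbox.php HTTP/1.1" 200 700 "-" "SonyEricssonK750i"
LOG;

// Pull client IP, request path and User-Agent out of one combined-log line;
// return null for lines that carry no sid (nothing to correlate on).
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    parse_str((string) parse_url($m[2], PHP_URL_QUERY), $params);
    if (empty($params['sid'])) {
        return null;
    }
    return ['ip' => $m[1], 'sid' => $params['sid'], 'ua' => $m[3]];
}

// Group requests by sid and report every sid used by more than one (ip, ua) pair.
// The pair is used rather than the IP alone because, as the thread notes, some
// users' IPs change every few minutes; an IP-only rule would flag all of them.
function find_shared_sids(string $log): array
{
    $clientsBySid = [];
    foreach (explode("\n", trim($log)) as $line) {
        $r = parse_line($line);
        if ($r !== null) {
            $clientsBySid[$r['sid']][$r['ip'] . ' | ' . $r['ua']] = true;
        }
    }
    $flagged = [];
    foreach ($clientsBySid as $sid => $clients) {
        if (count($clients) > 1) {
            $flagged[$sid] = array_keys($clients);
        }
    }
    return $flagged;
}

print_r(find_shared_sids($sampleLog));
// a1b2c3d4 => [ "10.0.0.5 | Nokia6300/2.0", "203.0.113.9 | Mozilla/5.0 (X11; Linux)" ]; ffee0011 is not flagged
```

A hit is a signal to invalidate that sid and force a fresh login, not proof of compromise on its own; a shared proxy or a user switching browsers produces the same pattern.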


#44
Essay :yawn:

Your method is as long as your post lol



#45
Originally posted by loony
Hmmm, when you take credit for things it makes people not want to help. Be careful what you claim you did.
I'm not taking credit for what you gave me; this was before you helped me, when I was using

PHP Code:
session_cache_limiter('none'); // I put this at the top of every page
session_start();
ob_start();
ini_set('url_rewriter.tags', 'ses=$ses');

session_destroy(); // this at the bottom of every page

Code:
# this in the .htaccess file
Options +Indexes
<IfModule mod_php4.c>
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
</IfModule>

Now I'm using a little bit of what you gave me plus what oris helped me on.
Last edited by metulj; 14.06.09, 06:49.
