July 28, 2014

PHP Session IDs Are Guessable

  • March 31, 2010
  • By Developer.com Staff

PHP session IDs are supposed to be random and impossible for a hacker to guess, but that's not the case, says security expert Andreas Bogk.

Bogk "warns that, despite recent PHP improvements, the session IDs of users who are logged into PHP applications remain guessable," The H reported.

The problem is that the PHP developers are seeding their random number generator with a call to the "gettimeofday" function, i.e. with the current time of day rather than with an unpredictable entropy source.

Upon examination of the PHP source code, Bogk said, "What we immediately notice is the lack of non-predictable entropy sources in the initial seeding."
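To make the seeding problem concrete, here is a small Python model written for this article; it is not PHP's session code and not Bogk's own analysis. `weak_session_id` stands in for a generator seeded from the time of day, `strong_session_id` for one that takes its bytes straight from the OS CSPRNG, `seed_entropy_bits` quantifies how little entropy a clock seed carries, and `looks_clock_seeded` is a regression-style check a maintainer could run to catch a generator whose output depends only on the timestamp. All function names and the sample timestamp are constructed for the example.

```python
import math
import random
import secrets


def weak_session_id(now_us: int) -> str:
    """Toy model of the flaw the article describes: a non-cryptographic PRNG
    is seeded from the time of day (here, microseconds since the epoch, the
    information gettimeofday() returns) and the session ID is drawn from it.
    The ID is therefore a pure function of the creation time."""
    rng = random.Random(now_us)          # seed == gettimeofday() in microseconds
    return "%032x" % rng.getrandbits(128)


def strong_session_id() -> str:
    """Corrected approach: take the ID straight from the OS CSPRNG, which is
    seeded from unpredictable entropy sources rather than from the clock."""
    return secrets.token_hex(16)         # 128 bits, not derived from any seed


def seed_entropy_bits(time_uncertainty_seconds: float) -> float:
    """Effective entropy of a gettimeofday() seed: if an observer can narrow
    the creation time down to a window of this many seconds, there are only
    window * 10**6 distinct microsecond seeds, i.e. log2 of that many bits.
    Compare with the 128 bits of a 16-byte CSPRNG token."""
    return math.log2(time_uncertainty_seconds * 1_000_000)


def looks_clock_seeded(generator, samples: int = 5) -> bool:
    """Check for a session ID generator that is handed the current time in
    microseconds: a generator that depends only on the clock returns the same
    ID every time for the same timestamp, which a generator seeded from real
    entropy never should. Returns True if the generator is deterministic in
    the timestamp (the weakness), False otherwise."""
    fixed_time_us = 1_269_993_600_000_000  # constructed: 2010-03-31 00:00:00 UTC
    ids = {generator(fixed_time_us) for _ in range(samples)}
    return len(ids) == 1


if __name__ == "__main__":
    print("weak  :", weak_session_id(1_269_993_600_000_000))
    print("strong:", strong_session_id())
    print("seed entropy for a 1-hour window: %.1f bits" % seed_entropy_bits(3600))
    print("weak generator clock-seeded?  ", looks_clock_seeded(weak_session_id))
    print("strong generator clock-seeded?",
          looks_clock_seeded(lambda _t: strong_session_id()))
```

The numbers are the point: even if the creation time is only known to within an hour, the clock-seeded generator has fewer than 32 bits of effective entropy, whereas the CSPRNG-backed token has 128, which is why the fix is to draw session IDs from an unpredictable source rather than to reseed more cleverly from the clock.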

Bogk recommends that the PHP developers brush up on their cryptography knowledge and read Bruce Schneier.
