Is there any way to hide session IDs from being sniffed?
+7
A:
Don't append the SID to the URL.
Use https.
(Set the httponly flag for the session cookie.)
VolkerK
2009-06-25 07:41:39
httonly = httponly cookie but I guess everybody understood that.
Alfred
2009-06-25 08:00:57
+1, I wasn't aware of the httponly flag
Paul Dixon
2009-06-25 09:13:39
I guess it depends on how you define "sniff", but Jeff blogged about the httponly flag a while ago, http://www.codinghorror.com/blog/archives/001167.html . Since I see no reason whatsoever for a client-side script to access the session cookie I set session.cookie_httponly in the php.ini to On
VolkerK
2009-06-25 09:48:20
+1
A:
If by "sniffed", you mean "sniffed by a man-in-the-middle attacker listening in on all the network traffic between server and client", the only sure way is to use https.
Whether you append the SID to the URL makes no difference: The SID is still sent as a cookie, and if you're not on HTTPS, that cookie is sent unencrypted.
The httponly flag protects very nicely against XSS attacks - see the blog post VolkerK linked to - but not against sniffers ( ... if that is a verb).
You probably have to clearly define which kind of attacker you are trying to protect against to get more answers.
James
2009-06-25 10:57:16
VolkerK
2009-06-25 11:37:39
Yeah, that's why I was careful to define what "sniffed" usually means in a technical context first and point out the loose definition ... no offense meant. Not appending the SID to the URL would help with general security, with problems of your SID appearing in the referrer field of someone else's logs, and also, these days, for SEO purposes.
James
2009-06-25 15:01:45
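The three recommendations from both answers, put into PHP as an added example that is not from the thread: the SID travels only in a cookie (never in the URL), the cookie is marked Secure and HttpOnly, and a plain-HTTP request is redirected before a session is started. The redirect block and the canonical hostname are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the thread). Must run before session_start()
// and before any output is sent.

// 1. Keep the SID out of the URL: no ?PHPSESSID=... and no URL rewriting,
//    so it cannot leak through Referer headers, proxy logs or bookmarks.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Secure: the browser only sends the cookie over HTTPS, so a passive
//    sniffer on an unencrypted hop never sees it.
// 3. HttpOnly: document.cookie cannot read it, which blunts session theft
//    via XSS (the point of the blog post linked in the comments).
session_set_cookie_params([
    'lifetime' => 0,    // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',   // current host only
    'secure'   => true,
    'httponly' => true,
]);
// Equivalent php.ini settings:
//   session.use_only_cookies = 1
//   session.use_trans_sid    = 0
//   session.cookie_secure    = 1
//   session.cookie_httponly  = On

// A Secure cookie is never sent over plain HTTP, so a session started on an
// HTTP request would silently never persist. Redirect to HTTPS first.
// Assumption: replace the canonical host with your own; do not build the
// target from the request's Host header.
$canonicalHost = 'www.example.com';
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $canonicalHost . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

session_start();
```

Because session.use_only_cookies is on, a SID supplied in the query string is ignored rather than adopted, which also removes the classic session-fixation path.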