I’m sending the session_id with the JavaScript. The session_id is visible in the source of the page like:
function startUpload(id){
    // Serialize the upload form fields and append the session ID as a query parameter
    var queryString = '&' + $('#new_doc_upload').serialize() + "&session_id=" + "01dfda2def225bae907b129d2ffb1";
    // Hand the query string to the upload plugin and start the upload
    $('#fileUpload').fileUploadSettings('scriptData',queryString);
    $('#fileUpload').fileUploadStart();
}
Is it OK that the session_id is visible, or is it a security issue?
Thanks.
I would argue that it’s perfectly fine. My rationale is that PHP sends it in clear text and so does the browser when you use sessions. Here’s what happens in the background when you make a web request:
As you can see, I made a GET request and the server responds with
Set-Cookie: PHP_SESSID= followed by my session ID. Anyone that’s “sniffing” the request who would be able to see the session ID in the JavaScript would be able to get it from the headers too. The only thing to worry about would be things like malicious browser plugins and other exploits that are not likely but can be avoided by properly securing your code. I’d recommend that you look at http://phpsec.org/projects/guide/4.html for some tips and information on session hijacking.