On this page it says:

The htmlspecialchars() may be used when printing the SID in order to prevent XSS-related attacks.

What possible attack can someone do if you print the SID without using htmlspecialchars()? The session ID can only contain numbers and letters. Am I missing something?
Session ID is usually stored on the client (e.g. in the cookie or in the GET params), so it can be altered, by some script or even by altering the URL.

Now imagine someone who was able to alter the cookie and change the SID to some JS code redirecting you to some other place. If you print that value on your page unescaped, the user will be redirected every time unless he clears the cookies or disables JavaScript.

In other words, the session ID is taken from the client and is insecure (unless you use an additional mechanism ensuring it was not altered, such as cookie signing, included in e.g. some PHP frameworks), so you cannot trust that it does not contain something harmful.

This is the same reason you must not treat this value as safe when constructing SQL queries (so the SID is also a place where SQL injection is possible).
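The two points in the answer above (the client-supplied SID reaching HTML output, and the same value reaching a SQL query) as an added, runnable PHP example; this is not code from the question, the answer or the PHP manual. It assumes a CLI run with PHP's sqlite PDO driver available, and the "tampered" cookie value is a constructed sample standing in for what `$_COOKIE[session_name()]` or `$_GET[session_name()]` could carry. The allowed-character set and length range come from PHP's own session ID generator (`session.sid_bits_per_character` / `session.sid_length`), so anything outside them can only have come from the client.

```php
<?php
// Added example (not from the original post). Shows why an unvalidated, unescaped
// session ID must not be echoed into HTML or concatenated into SQL, and the
// defensive measures: validate before use, escape on output, parameterize queries.

// PHP-generated session IDs only contain [A-Za-z0-9,-] and are 22..256 chars long.
// Anything else means the client-supplied value was tampered with.
function isWellFormedSessionId(string $sid): bool
{
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) === 1;
}

// Drop a malformed client-supplied session cookie before session_start() so PHP
// never tries to use it; PHP will then issue a fresh ID.
function rejectTamperedSessionCookie(): void
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !isWellFormedSessionId($_COOKIE[$name])) {
        unset($_COOKIE[$name]);
        setcookie($name, '', ['expires' => time() - 3600, 'path' => '/']);
    }
}

// Unsafe rendering: the raw value becomes part of the HTML.
function renderSidUnsafe(string $sid): string
{
    return '<p>Your session: ' . $sid . '</p>';
}

// Safe rendering: escape for the HTML context. ENT_QUOTES also covers attribute values.
function renderSidSafe(string $sid): string
{
    return '<p>Your session: ' . htmlspecialchars($sid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Safe lookup: the SID travels as a bound parameter, never as part of the SQL text.
function lookupSession(PDO $db, string $sid): ?array
{
    $stmt = $db->prepare('SELECT sid, user_id FROM sessions WHERE sid = :sid');
    $stmt->execute([':sid' => $sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demonstration -----------------------------------------------------------
rejectTamperedSessionCookie();   // must run before any output (headers)

// Constructed sample values (hypothetical, for illustration only).
$genuine  = 'abc123def456ghi789jkl012mn';                  // 26 chars, allowed alphabet
$tampered = '<script>/* attacker-controlled */</script>';  // could never come from PHP

// In-memory SQLite stands in for the real session store.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, user_id INTEGER)');
$db->exec("INSERT INTO sessions VALUES ('{$genuine}', 42)");

foreach ([$genuine, $tampered] as $sid) {
    echo isWellFormedSessionId($sid) ? "well-formed\n" : "rejected: not a valid session id\n";
    echo renderSidUnsafe($sid), "\n";   // tampered value is emitted as live markup
    echo renderSidSafe($sid), "\n";     // tampered value is rendered as inert text
    var_dump(lookupSession($db, $sid)); // parameterized: tampered value simply matches nothing
}
```

Run it with `php example.php`. The first loop iteration prints the genuine ID in both renderings and finds the row; the second shows the raw `<script>` tag passing straight through `renderSidUnsafe` while `renderSidSafe` turns it into `&lt;script&gt;...`, and the prepared statement returns `NULL` rather than executing anything the client put in the value. In a real application you would stop at `isWellFormedSessionId()` returning false and never reach the rendering or lookup at all.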