Use $_POST variables to transmit session id?

This is a discussion on "Use $_POST variables to transmit session id?" within the PHP Forum section. This forum, and the thread "Use $_POST variables to transmit session id?" are both part of the Program Your Website category.

#1 - May 7th, 2007, 16:49
masonbarge, Highly Reputable Member, Location: Atlanta GA
Use $_POST variables to transmit session id?

Does anyone know (or want to speculate) about using a post-method form with hidden variables to transmit a session id?

I'm thinking that this might be a good way to transmit a session id without requiring the user to allow cookies (which seem to be getting iffier), but with a decent degree of security. If, that is, you don't require much in the way of navigation.

Here's the concept. When the user logs in, pass the session id to a form, and use submit buttons for links with the session id as a hidden input. E.g.
PHP:

<form id="indexform" method="post" action="./sensitivepage.php">
    <div class="formrow"><input type="hidden" name="sessid" value="<?php echo $sessid; ?>" />
    <input type="submit" class="foo" name="bar" value="Go to the Sensitive Page" />
    </div>
</form>

Then at the top of 'directory.php' handle the form, extract the session id as $sessid, set it, and call the session.

Am I missing something huge? The only flaw I can see is that it would become unwieldy for more than a couple of pages.

#2 - May 7th, 2007, 17:07
Reputable Member, Location: Margaritaville (a state of mind somewhere between Inebriation and San Diego), CA
Re: Use $_POST variables to transmit session id?

Why is that any better than
Code:

<form id="indexform" method="post" action="./sensitivepage.php?sid=<?php echo session_id(); ?>">

?

I can still view source and see the value of your hidden input if I really want to get at the sid. I guess you could encrypt/decrypt it, but you could do that passing it in the querystring as well.
#3 - May 7th, 2007, 19:10
masonbarge, Highly Reputable Member, Location: Atlanta GA
Re: Use $_POST variables to transmit session id?

Bah. No idea really. I'm running on the assumption that it's always safer to bury a variable in the header than to display it in the url.

#4 - May 7th, 2007, 19:41
Reputable Member, Location: Margaritaville (a state of mind somewhere between Inebriation and San Diego), CA
Re: Use $_POST variables to transmit session id?

Sometimes less secure is more secure... consider "hiding it in plain sight"... Instead of using "sid=" to pass the sid in the url, use "lang=", and set the session ID to something like "0409" or "useng". All the handling for that will be done server side anyway.

I dunno, I'm sure there are significant flaws to that idea, but it's a creative approach that would probably confuse "the bad people" for a while at least.
#5 - May 7th, 2007, 23:21
Reputable Member, Location: Margaritaville (a state of mind somewhere between Inebriation and San Diego), CA
Re: Use $_POST variables to transmit session id?

Actually, now that I think about it, if you're going to set the SID to something specific, you don't even have to pass it.
#6 - May 8th, 2007, 10:01
Reputable Member, Location: Melksham, Wilts, UK
Re: Use $_POST variables to transmit session id?

Using $_POST and a single hidden field which is the name of a unique session file on the server is a good technique that will work irrespective of cookies. It would, however, be a bad idea to send out all the actual data within hidden field(s) as the geek user could then amend that data before sending it back up.

Note that $_POST will only work if a user browses directly from one page to another and NOT if he goes off to other things and wants to then come back and carry on his session. However, it does not leave a cookie footprint.

I've had a system (written in Perl, so not $_POST) using posted hidden fields running for many years for one of my customers - they use it for time card entry and think it's fabulous because they can all share a PC and each enter their own data with no danger of it being assigned to the wrong person because of old cookies. Also lets them use the data entry even from internet cafes with questionable browser security!
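Added here as a worked example, not code from the thread or its posters: a receiving page for the hidden-field scheme described in post #1, written so that all state stays server side as post #6 advises and only the opaque id ever reaches the client. It assumes PHP 7 or later with the default session handler; the field name "sessid" comes from post #1, and the $_SESSION['user_id'] key is an assumption.

```php
<?php
// Added example, not code from the thread: the receiving end of the
// hidden-field scheme in posts #1 and #6 (assumes PHP 7+, default handler).
declare(strict_types=1);

// Accept only ids shaped like the ones PHP generates, so a tampered value
// is never handed to the session save handler as part of a file name.
function validSessionId(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id);
}

// Resume the session named by the hidden field; fail closed otherwise.
function resumeSessionFromPost(array $post): bool
{
    // No cookies and no URL rewriting: the id travels only in the POST body.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // extra hardening against fixation

    $id = $post['sessid'] ?? '';
    if (!is_string($id) || !validSessionId($id)) {
        return false;
    }
    session_id($id);
    session_start();
    // Post #6's rule: state lives in $_SESSION on the server. An id the server
    // never issued resolves to an empty session, so this check fails closed.
    return isset($_SESSION['user_id']);
}

// Render the navigation form from post #1 with the live id in the hidden field.
function sessionForm(string $action, string $label): string
{
    $id = htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8');
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    $label = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"{$action}\">\n"
         . "  <input type=\"hidden\" name=\"sessid\" value=\"{$id}\" />\n"
         . "  <input type=\"submit\" value=\"{$label}\" />\n"
         . "</form>\n";
}

if (!resumeSessionFromPost($_POST)) {
    http_response_code(403);
    exit('Not logged in');
}
echo sessionForm('./sensitivepage.php', 'Go to the Sensitive Page');
```

The login page is where the first id comes from: after authenticating, call session_regenerate_id(true), set $_SESSION['user_id'], and emit the form above with that fresh id. Because the id appears only in the POST body, it does not end up in browser history, proxy logs or Referer headers the way the query-string variant from post #2 does.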
#7 - May 8th, 2007, 11:45
masonbarge, Highly Reputable Member, Location: Atlanta GA
Re: Use $_POST variables to transmit session id?

Quote:
Originally Posted by Donny Bahama
Actually, now that I think about it, if you're going to set the SID to something specific, you don't even have to pass it.

Nah, just a regular random sid. Using a specific sid is a bit wilder than putting it in a POST variable. It certainly has possibilities since you're usually making a sql query anyway.

Since I posted this, I've bumped into it in a couple of places. It's more common than I thought after I first "invented" it.
#8 - May 8th, 2007, 11:59
masonbarge, Highly Reputable Member, Location: Atlanta GA
Re: Use $_POST variables to transmit session id?

Quote:
Originally Posted by grahame
I've had a system (written in Perl, so not $_POST) . . .

Which brings up a tangential question about my personal study.

I have four books in line, all of which look pretty good: Apache, Javascript, XSLT, and Perl. Any advice on which to do first?

*I know some javascript but not enough to really write much code.
*Apache I think I need -- I'm completely lost on shell commands and configuration -- but I don't manage my own server and I no longer have LAMP onboard.
*XSLT, mostly just want it for Ajax and because it's so cool, I'm not creating a feed or anything.
*Perl I don't know anything about, I may not even need it. I do use Perl-flavored regex.
#9 - May 8th, 2007, 12:04
Reputable Member, Location: Northampton, UK
Re: Use $_POST variables to transmit session id?

I tend to use a mixture of methods, some of my variables go into the url, some as sessions... and I occasionally use hidden fields.

Using just one method seems less secure than a mixture to me .... but that might just be my squinty eyes.
#10 - May 8th, 2007, 14:03
Reputable Member, Location: Margaritaville (a state of mind somewhere between Inebriation and San Diego), CA
Re: Use $_POST variables to transmit session id?

What exactly are the security implications wrt the sid? Is it just to do with any sensitive data that might be set in a session var? (But surely it would only be that particular user's sensitive data?)