Is their any way to hide sessions ID's from being sniffed?

2 Answers

Don't append the SID to the URL.
Use https.
(Set the httponly flag for the session cookie.)

VolkerK
  • httonly = httponly cookie but I guess everybody understood that. – Alfred Jun 25 '09 at 08:00
  • I guess it depends on how you define "sniff", but Jeff blogged about the httponly flag a while ago, http://www.codinghorror.com/blog/archives/001167.html . Since I see no reason whatsoever for a client-side script to access the session cookie I set session.cookie_httponly in the php.ini to On – VolkerK Jun 25 '09 at 09:48
If by "sniffed", you mean "sniffed by a man-in-the-middle attacker listening in on all the network traffic between server and client", the only sure way is to use https.

Whether you append the SID to the URL makes no difference: The SID is still sent as a cookie, and if you're not on HTTPS, that cookie is sent unencrypted.

The httponly flag protects very nicely against XSS attacks - see the blog post VolkerK linked to - but not against sniffers ( ... if that is a verb).

You probably have to clearly define which kind of attacker you are trying to protect against to get more answers.

James
  • "Whether you append the SID to the URL makes no difference" - yes, I was using the term "sniffing" _very_ loosely and thought about something like copy&pasting the url to an IM or XSS attacks. – VolkerK Jun 25 '09 at 11:37
  • Yeah, that's why I was careful to define what "sniffed" usually means in a technical context first and point out the loose definition ... no offense meant. Not appending the SID to the URL would help with general security, with problems of your SID appearing in the referrer field of someone else's logs, and also these days, for SEO purposes. – James Jun 25 '09 at 15:01
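The three mitigations from VolkerK's answer (no SID in the URL, HTTPS-only cookie, httponly flag) and James's point that only HTTPS stops a network sniffer, shown as PHP session configuration. This is an added example, not code from either answer; it assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and the directive names are the real php.ini session settings.

```php
<?php
// Added example (not from the original answers). Weak configuration of the kind
// the thread warns about: SID may be accepted from and appended to URLs, the
// cookie travels over plain http://, and client-side script can read it.
$weak = [
    'session.use_only_cookies' => '0',   // accept SID from the query string
    'session.use_trans_sid'    => '1',   // rewrite links to carry the SID
    'session.cookie_secure'    => '0',   // cookie also sent over http://
    'session.cookie_httponly'  => '0',   // document.cookie can read it
];

// Hardened configuration: SID only ever lives in a cookie, the cookie is only
// sent over HTTPS, and it is hidden from JavaScript (mitigates XSS theft; the
// transport encryption is what stops a man-in-the-middle sniffer).
$hardened = [
    'session.use_only_cookies' => '1',
    'session.use_trans_sid'    => '0',
    'session.cookie_secure'    => '1',
    'session.cookie_httponly'  => '1',
];

function apply_session_settings(array $settings): void
{
    foreach ($settings as $key => $value) {
        ini_set($key, $value);
    }
    // Set the same flags on the cookie itself, so they hold even where a
    // SAPI does not let ini_set() change a particular directive.
    session_set_cookie_params([
        'secure'   => $settings['session.cookie_secure'] === '1',
        'httponly' => $settings['session.cookie_httponly'] === '1',
    ]);
}

// Lists the directives that would still expose the session ID; empty means safe.
function session_exposure_issues(): array
{
    $issues = [];
    if (ini_get('session.use_only_cookies') !== '1') { $issues[] = 'SID accepted from URL'; }
    if (ini_get('session.use_trans_sid') === '1')    { $issues[] = 'SID appended to links'; }
    if (ini_get('session.cookie_secure') !== '1')    { $issues[] = 'cookie sent over plain HTTP'; }
    if (ini_get('session.cookie_httponly') !== '1')  { $issues[] = 'cookie readable by script'; }
    return $issues;
}

apply_session_settings($hardened);
if (session_exposure_issues() === []) {
    session_start();   // start the session only once the configuration checks out
}
```

Swapping `$hardened` for `$weak` in the last block makes `session_exposure_issues()` return all four findings, which is a cheap startup self-check to keep in an application bootstrap.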