[pmwiki-users] PmWiki session variables

Hans design5 at softflow.co.uk
Mon Jun 23 09:32:39 CDT 2008

Monday, June 23, 2008, 1:03:23 PM, Alexander Dietrich wrote:

> I recently turned my PmWiki installation into a farm, and came across the comment
> dealing with PHP session cookie names for preventing accidental privilege elevation.
> This got me thinking: if the only thing right now stopping a user from getting
> incorrect privileges on another field, couldn't a malicious user still exploit this
> by simply copying the session cookie value?

Yes, if it is possible to obtain the session cookie value, then a
malicious user can gain your own access privileges by setting a new
session cookie with that value. And no knowledge of user name and
password is needed.

But the malicious user would need to have access to the machine
to read the cookie, while the session is open, i.e. while you are
on the computer, have a browser running, and being logged in to your
wiki. Is that not similar to a security risk of letting someone have
access to your computer while you are working with it and allowing
malicious prying?

Another way to obtain session id data may be by traffic sniffing,
since the data sent back to th eserver is not encrypted. If you are
worried about this then you should use SSL.


More information about the pmwiki-users mailing list