There is another way to see PHPSESSID without working so hard.
Go here:
https://50.97.137.52
Accept security exceptions.
Enjoy.
Topic: PHPSESSID showing in URL field (Read 3229 times)
Ok then, I'm just paranoid 
Also, might it not get transferred in the referrer?
Most browsers don't send referrers for HTTPS sites.
Yes, I wasn't thinking about mitm-attacks, more like that it's visible on the screen, and also that people might be posting links including their session id. Example: https://bitcointalksearch.org/topic/m.703356
Also, might it not get transferred in the referrer?
I'm getting this with cookies enabled..
Also, might it not get transferred in the referrer?
I'm getting this with cookies enabled..
Using firefox:
go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, clock "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899
Feels like a potential security risk to me, might be hard to exploit but anyway...
Also, can anyone reproduce this, I've only tried on one computer, otherwise it might not be a problem.
go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, clock "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899
Feels like a potential security risk to me, might be hard to exploit but anyway...
Also, can anyone reproduce this, I've only tried on one computer, otherwise it might not be a problem.
Hi, this is not an security issue. The easiest way to replicate this is to disable cookies, which then the forum software tries to have your session id stored through a query string to maintain a stateful browsing experience.
If you have cookies enabled, the session id will be stored in the header "Cookie" which gets passed every request you make. From a security standpoint, this makes no difference as the session id is passed either way, whether you do or do not have cookies enabled.
Plus, your connection to the forum is encrypted, improbable for a man in the middle attack to steal your session id and login as you.
That's hardly a security issue since it gets transmitted with HTTPS.
Using firefox:
go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, clock "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899
Feels like a potential security risk to me, might be hard to exploit but anyway...
Also, can anyone reproduce this, I've only tried on one computer, otherwise it might not be a problem.
go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, clock "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899
Feels like a potential security risk to me, might be hard to exploit but anyway...
Also, can anyone reproduce this, I've only tried on one computer, otherwise it might not be a problem.
Jump to: