Session steganography idea

Note: This article was originally published at Planet PHP on 1 July 2010.

Quick idea I had the other day. Session ID tokens are typically short strings of seemingly random characters. While they don't typically change all that much during a session, it's good practice to change the session ID every so often to help protect against security attacks. If someone were to periodically change the session ID, and hide a short message in the ID values such that, when strung together, the message could be extracted, would that be a useful way of transmitting data in a hidden manner? I'm not sure how much info you could reasonably hide in a series of short session IDs, but it seems like this would be possible.
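To put a number on the capacity question, here is a sketch of the scheme in Python. It is an added example, not code from the original post. The 32-hex-character ID format, the two payload bytes per ID, the length prefix and all function names are assumptions made for illustration.

```python
import secrets

ID_HEX_LEN = 32     # assumed ID format: 128 bits rendered as 32 hex characters
PAYLOAD_BYTES = 2   # assumed: hidden bytes carried in the tail of each ID
LEN_PREFIX = 2      # bytes used to record the message length


def ids_needed(message_len: int) -> int:
    """Number of ID rotations required to carry a message of this length."""
    return -(-(message_len + LEN_PREFIX) // PAYLOAD_BYTES)  # ceiling division


def encode(message: bytes) -> list[str]:
    """Spread a message over a series of session-ID-shaped strings."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    # The length prefix tells the receiver where the padding starts.
    framed = len(message).to_bytes(LEN_PREFIX, "big") + message
    # Pad the final chunk with random bytes so every ID has a full payload.
    framed += secrets.token_bytes(-len(framed) % PAYLOAD_BYTES)
    ids = []
    for i in range(0, len(framed), PAYLOAD_BYTES):
        chunk = framed[i:i + PAYLOAD_BYTES]
        # The rest of the ID is ordinary CSPRNG output.
        cover = secrets.token_hex(ID_HEX_LEN // 2 - PAYLOAD_BYTES)
        ids.append(cover + chunk.hex())
    return ids


def decode(ids: list[str]) -> bytes:
    """String the ID tails together and strip the length prefix and padding."""
    raw = b"".join(bytes.fromhex(s[-2 * PAYLOAD_BYTES:]) for s in ids)
    length = int.from_bytes(raw[:LEN_PREFIX], "big")
    return raw[LEN_PREFIX:LEN_PREFIX + length]


if __name__ == "__main__":
    sample = b"meet at noon"  # constructed sample message
    series = encode(sample)
    print(len(series), "rotations:", series)
    print(decode(series))
```

With these assumptions each ID gives up 16 of its 128 random bits, and a 12-byte message costs 7 rotations, so the usable capacity is bounded by how often the ID can change before the rotation rate itself stands out.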