I've written a patch that will block anyone that tries
to post a bogus session.
I came to this choice through the following path:
I hated the 'form' state in auth, that precluded the
way to show a form anywhere and had the uncomfortable
But I recognized that having this attribute of
auth[uid] set to 'form' would guarantee that anyone had
already got a session at least.
You could not just post the login form. If the auth
state (saved in session) was not 'form' that data would
But Then I thought that if you had a valid session,
that meant the same: block direct posting of
registration or login, by a script let's
A valid session... And here I found the disgrace that
it is extremely easy to obtain the session you like,
even if cookies are on: just
put it in the url (?Example_Session=bogus), and you can
find it back, pass it over to someone else, and in the
end steal a lot easier.
Actually this is also the way PHP4 session work: if you
have PHPSESSID=anything in the URL, it forces 'get'
propagation and that
So I made this patch. It blocks the bogus session i
URL, it prevents from forcing 'get' mode even if you
have cookies enabled.
I don't know hot to do the parallel for the native PHP4
I'd be happy if anyone tried it and give me a feedback.
It can be varnished here and there.with an 'Invalid
This is a prototype, I tried it with Netscape under