|
From: <no...@so...> - 2002-05-31 14:27:11
|
Patches item #562924, was opened at 2002-05-31 14:27 You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=403613&aid=562924&group_id=31885 Category: None Group: None Status: Open Resolution: None Priority: 5 Submitted By: Giancarlo Pinerolo (pingus) Assigned to: Nobody/Anonymous (nobody) Summary: Block auto-session and cookie-bypass Initial Comment: Hi, I've written a patch that will block anyone that tries to post a bogus session. I came to this choice through the following path: I hated the 'form' state in auth, that precluded the way to show a form anywhere and had the uncomfortable cacel_login button But I recognized that having this attribute of auth[uid] set to 'form' would guarantee that anyone had already got a session at least. You could not just post the login form. If the auth state (saved in session) was not 'form' that data would be ignored. But Then I thought that if you had a valid session, that meant the same: block direct posting of registration or login, by a script let's say. A valid session... And here I found the disgrace that it is extremely easy to obtain the session you like, even if cookies are on: just put it in the url (?Example_Session=bogus), and you can find it back, pass it over to someone else, and in the end steal a lot easier. Actually this is also the way PHP4 session work: if you have PHPSESSID=anything in the URL, it forces 'get' propagation and that session name!!! So I made this patch. It blocks the bogus session i URL, it prevents from forcing 'get' mode even if you have cookies enabled. I don't know hot to do the parallel for the native PHP4 session... I'd be happy if anyone tried it and give me a feedback. It can be varnished here and there.with an 'Invalid Session' page. This is a prototype, I tried it with Netscape under Linux. Giancarlo Pinerolo ---------------------------------------------------------------------- You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=403613&aid=562924&group_id=31885 |
