Patches item #562924, was opened at 2002-05-31 14:27
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=403613&aid=562924&group_id=31885
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Giancarlo Pinerolo (pingus)
Assigned to: Nobody/Anonymous (nobody)
Summary: Block auto-session and cookie-bypass
Initial Comment:
Hi,
I've written a patch that will block anyone that tries
to post a bogus session.
I came to this choice through the following path:
I hated the 'form' state in auth, that precluded the
way to show a form anywhere and had the uncomfortable
cancel_login button.
But I recognized that having this attribute of
auth[uid] set to 'form' would guarantee that anyone had
already got a session at least.
You could not just post the login form. If the auth
state (saved in session) was not 'form' that data would
be ignored.
But then I thought that if you had a valid session,
that meant the same: block direct posting of
registration or login, by a script let's
say.
A valid session... And here I found the disgrace that
it is extremely easy to obtain the session you like,
even if cookies are on: just
put it in the url (?Example_Session=bogus), and you can
find it back, pass it over to someone else, and in the
end steal a lot easier.
Actually this is also the way PHP4 sessions work: if you
have PHPSESSID=anything in the URL, it forces 'get'
propagation and that
session name!!!
So I made this patch. It blocks the bogus session in the
URL, it prevents forcing 'get' mode even if you
have cookies enabled.
I don't know how to do the parallel for the native PHP4
session...
I'd be happy if anyone tried it and gave me feedback.
It can be varnished here and there, with an 'Invalid
Session' page.
This is a prototype, I tried it with Netscape under
Linux.
Giancarlo Pinerolo
----------------------------------------------------------------------
>Comment By: Giancarlo Pinerolo (pingus)
Date: 2002-05-31 14:48
Message:
Logged In: YES
user_id=163488
How it works:
Just before sending you looping through the Header: 302 (the
cookie test), after a new session string is created, the
session gets created, a variable $validsession is registered
in it and valued 'yes'. (There can be a better way, maybe
checking for some fingerprints of an existing phplib
object...)
When in 'get' mode (either by fallback or whatever), don't
assume cookies are disabled: leave them anyway, they won't
hurt.
All this policy can be 'relaxed' in a particular extension
of the session class, and code can be added so that in
particular pages you can adopt the policy as before.
I just hope that if you like this, you'll take a look at my other
patch about a more clean and clear auth start method (no
more auth[uid]=='form' nor mode==log/reg constraints), the
reason why I went into this patch at first.
----------------------------------------------------------------------
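The defence the two comments describe (ignore a session id arriving in the URL, and only trust a session the server itself created, recognised by a marker it registered), as an added example against native PHP sessions rather than the PHPLib patch itself; the session name Example_Session is taken from the post, the 'validsession' key mirrors the patch's variable, and the session.* ini settings are standard PHP options, not PHPLib code.

```php
<?php
// Added example (not the PHPLib patch): refuse session ids the server never issued.
// Session name is the one used in the post; any id arriving as ?Example_Session=...
// in the query string must be ignored instead of adopted (session fixation defence).
const SESSION_NAME = 'Example_Session';

function start_validated_session(): void
{
    session_name(SESSION_NAME);

    // Only cookies may carry the id: never read it from the URL and never
    // fall back to 'get' (trans_sid) propagation just because a URL id appeared.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    // Reject ids that this server did not create (PHP >= 5.5.2); PHP then
    // issues a fresh id instead of adopting the attacker-chosen one.
    ini_set('session.use_strict_mode', '1');

    // Log the attempt: a session id in the query string is the pattern the
    // post describes and is worth seeing in the logs as a detection signal.
    if (isset($_GET[SESSION_NAME])) {
        error_log('session id supplied via URL was ignored: '
            . substr((string) $_GET[SESSION_NAME], 0, 40));
    }

    session_start();

    // Server-side marker in the spirit of the patch's $validsession = 'yes':
    // only a session this code created carries it. A session without it
    // (unknown, stale, or fixated) is discarded and replaced, so a client can
    // never make the server trust an id it merely asserted.
    if (empty($_SESSION['validsession'])) {
        session_regenerate_id(true);      // new id, old session data deleted
        $_SESSION = [
            'validsession' => 'yes',
            'created'      => time(),
        ];
    }
}

start_validated_session();
```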