Patches item #563700, was opened at 2002-06-03 00:39
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=403613&aid=563700&group_id=31885
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Giancarlo Pinerolo (pingus)
Assigned to: Nobody/Anonymous (nobody)
Summary: Block user supplied session id and mode
Initial Comment:
This patch is instead of my previous one.
Now I check if the session exists.
It passed my tests.
The creation of a new session is now dependent on a
class variable:
block_bogus_sid = true
You can always have it work as before by subclassing
session in local.inc, and I suggest using this
subclass only in places you can control.
This was a grievous hole in PHPLIB, and PHP btw: letting
people force 'get' mode and create whatever session
they like is a great security risk, a malware.
----------------------------------------------------------------------
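The check the patch describes, written here as an added stand-alone illustration (not the submitter's patch nor PHPLIB code): a client-supplied session id is honoured only if the server already knows it, and the transport mode (cookie vs. 'get') comes from server configuration alone, so a request cannot force 'get' mode to plant an id of its choosing. The session store, the request dict and the `PHPLIBSID` name are constructed for the example.

```python
import secrets
from typing import Dict, Optional

SESSION_NAME = "PHPLIBSID"   # hypothetical session/cookie parameter name


class SessionStore:
    """Constructed in-memory store standing in for PHPLIB's storage container."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def exists(self, sid: str) -> bool:
        return sid in self.sessions

    def create(self, sid: Optional[str] = None) -> str:
        # A fresh id comes from a CSPRNG so a client cannot predict or choose it.
        sid = sid or secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid


def start_session(store: SessionStore, request: dict,
                  configured_mode: str = "cookie",
                  block_bogus_sid: bool = True) -> str:
    """Return the session id this request will run under.

    request is a constructed dict with 'cookies' and 'query' mappings.
    The transport mode is taken from server configuration only: a client
    cannot switch to 'get' mode by adding a parameter, so the id is read
    from the URL only when the server itself is configured that way.
    """
    if configured_mode == "get":
        supplied = request.get("query", {}).get(SESSION_NAME)
    else:
        supplied = request.get("cookies", {}).get(SESSION_NAME)

    if supplied and store.exists(supplied):
        return supplied                     # known session: resume it
    if supplied and not block_bogus_sid:
        return store.create(supplied)       # pre-patch behaviour: adopt any id
    return store.create()                   # unknown or missing id: issue a new one
```

With `block_bogus_sid=False` the pre-patch behaviour is kept for comparison; the default rejects any id the server has not issued.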