[Phplib-users] Block auto-session
Brought to you by:
nhruby,
richardarcher
Menu
▾
▴
[Phplib-users] Block auto-session
|
From: Giancarlo <gia...@na...> - 2002-05-31 14:28:26
|
Hi, I've written a patch that will block anyone that tries to post a bogus session. I came to this choice through the following path: I hated the 'form' state in auth, that precluded the way to show a form anywhere and had the uncomfortable cacel_login button But I recognized that having this attribute of auth[uid] set to 'form' would guarantee that anyone had already got a session at least. You could not just post the login form. If the auth state (saved in session) was not 'form' that data would be ignored. But Then I thought that if you had a valid session, that meant the same: block direct posting of registration or login, by a script let's say. A valid session... And here I found the disgrace that it is extremely easy to obtain the session you like, even if cookies are on: just put it in the url (?Example_Session=bogus), and you can find it back, pass it over to someone else, and in the end steal a lot easier. Actually this is also the way PHP4 session work: if you have PHPSESSID=anything in the URL, it forces 'get' propagation and that session name!!! So I made this patch. It blocks the bogus session i URL, it prevents from forcing 'get' mode even if you have cookies enabled. I don't know hot to do the parallel for the native PHP4 session... I'd be happy if anyone tried it and give me a feedback. It can be varnished here and there.with an 'Invalid Session' page. This is a prototype, I tried it with Netscape under Linux. The patch https://sourceforge.net/tracker/index.php?func=detail&aid=562924&group_id=31885&atid=403613 Giancarlo Pinerolo |
