[Phplib-users] cookie_mode, fallback_mode, security
From: Giancarlo P. <gia...@na...> - 2002-06-13 08:38:15
People that disable cookies know that they have to re-enable them before doing their home banking. In fact the session mode="cookie" combined with fallback_mode="cookie" and the block_alien_sid setting will never, ever allow a SID to be forcibly taken from a basically untrustable origin: the URL, that is user input. The session manager of php4 had no possibility to block it, but I wrote to Sascha Schumann and I got this patch which should add a session.use_only_cookies to php.ini. So I think this will soon take the session4 level of security to that of the stable cvs branch.

I want to stress the importance of such a setting, and the fact that, as php has been since session inception, there has been no way to set up php NOT to give priority anyway to a SID in the URL. This flaw could allow a whole series of stealth appropriation or reappropriation of session statuses.

This is it

Giancarlo

> Hi,
>
> I have now committed source for an additional option which enables
> administrators to protect their users from this whole class
> of attacks.
>
> By enabling `session.use_only_cookies`, all data sources but
> cookies will be disabled. Attacks which rely on the ability
> of passing session ids in URLs will become ineffective
> immediately.
>
> Please note that this class of attacks relies on social
> engineering. To the same extent, your users could be
> manipulated to enter their credentials into a faked
> login screen or make them available to the attacker through
> alternative means.
>
> The option `session.use_only_cookies` has been committed to
> the PHP CVS which means that it will be available with the
> next PHP release. You can upgrade existing PHP deployments
> by applying this patch:
>
> http://apache.org/~sascha/use-only-cookies.txt
>
> Regards,
> - Sascha
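The two settings discussed in this thread, shown side by side as an added example (this is not code from the post, from PHPLib or from PHP itself): the php.ini option `session.use_only_cookies` for php4's native sessions, and a PHPLib `Session` subclass pinned to cookie-only mode with `fallback_mode="cookie"` and `block_alien_sid`. The helper function names, the `session.use_trans_sid` line, the `session.inc` include path, the cookie name, the container class name and the log format are assumptions of this example and are labelled as such in the code.

```php
<?php
// Added example, not code from the mailing-list post, PHPLib or PHP.
// Defender's view of the settings in the thread: refuse session IDs that
// arrive in the URL, fail closed if that cannot be enforced, and log attempts.

// --- (1) php4 native sessions --------------------------------------------------
// Equivalent php.ini lines:
//   session.use_only_cookies = 1
//   session.use_trans_sid    = 0   ; assumption: also stop SID rewriting into links
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Hypothetical helper: fail closed when the option is not honoured, e.g. on a
// PHP build that predates the patch in the thread. Without it a SID in the
// query string silently takes priority, which is exactly the flaw described.
function require_cookie_only_sessions()
{
    if (ini_get('session.use_only_cookies') != '1') {
        header('HTTP/1.0 500 Internal Server Error');
        exit('session.use_only_cookies is not available on this PHP build');
    }
}

// Hypothetical helper: with use_only_cookies on, a SID in the URL is ignored,
// but it is still worth logging because it is the fingerprint of an attempt to
// force a session ID on a user. Log format is constructed for this example.
function log_sid_in_url()
{
    $name = session_name();
    if (isset($_GET[$name])) {
        error_log(sprintf('session id offered in URL from %s for %s - ignored',
                          $_SERVER['REMOTE_ADDR'], $_SERVER['REQUEST_URI']));
    }
}

require_cookie_only_sessions();
log_sid_in_url();
session_start();

// --- (2) PHPLib ----------------------------------------------------------------
// Assumption: PHPLib's Session base class is available via session.inc and
// exposes the configuration members named in the post (mode, fallback_mode,
// block_alien_sid). fallback_mode="cookie" removes the GET fallback entirely,
// and block_alien_sid rejects a SID that this server did not hand out.
require_once 'session.inc';   // assumption: PHPLib include path

class Cookie_Only_Session extends Session
{
    var $classname       = 'Cookie_Only_Session';
    var $cookiename      = 'PHPLIB_SID';       // constructed cookie name
    var $magic           = 'SET-A-SITE-SECRET'; // placeholder, not a real value
    var $mode            = 'cookie';
    var $fallback_mode   = 'cookie';           // never fall back to the URL
    var $block_alien_sid = true;               // reject SIDs not issued here
    var $lifetime        = 0;                  // session cookie only
    var $that_class      = 'Cookie_Only_CT_Sql'; // assumption: storage container class
    var $gc_probability  = 5;
}
?>
```

With both halves in place, the only path for a session ID into the application is the cookie header, so a user who follows a link carrying a foreign SID simply gets a fresh session rather than the one embedded in the URL; the log line from `log_sid_in_url()` is what an operator would alert on to see such links being distributed.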