Re: [Phplib-users] Sessions where are we going??
From: Giancarlo <gia...@na...> - 2002-06-29 16:06:32
At 17:39, Saturday 29 June 2002, Matt Williams wrote:
> As we are now well into PHP 4 would it not be better to put the full weight
> of php4 session capabilities into phplib?

IMHO PHP4 session is a scam. There is some unknown reason why it has been impossible, for almost two years now, to block creation of user-provided sids, and most grievous, to have any setting that provides cookie-only session management. Add to that the fact that sessions among virtual hosts are not differentiated, not even by the session_name. So if it happens that another virtual host runs the same app, it will be able to open another vhost's sessions, if he knows the id, maybe because he succeeded in injecting it into someone. And everything will go into HIS logs. With the result that PHP4 session is fully spoofable and there does not exist, and in fact cannot exist, a php4 session implementation that wouldn't give full priority to any user-defined session passed via URL. Because of the potentially very malicious combination of the aforementioned elements, until they improve that, I don't trust php4 session anymore, except of course if you use a custom_handler for the session too. Then you are back to phplib.

Gian

> Max has done a very good job of implementing custom sessions with the
> session4 class, but why are these still in the unstable tree and haven't
> been touched for months?
>
> Would it not be better for the future of phplib to embrace the tools that
> php4 has given us to work with sessions in our applications?
>
> Are there plans to move forward with the lib to implement fully php4
> sessions especially with register_globals off, given the security
> implications of having this on.
>
> I don't really contribute to CVS but I am working through trying to get
> phplib going with php4.0.6 with php4 sessions and register_globals off,
> when I get somewhere where I feel I can move on it I will post to the list.
> Unless of course this has already been done, in which case I would really
> like to hear from you :)
>
> I think the fact that the current distro still aims itself at php3 would be
> a major turn off to any new users/contributors.
>
> just my 2p
>
> Matt
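The two weaknesses Gian describes (the engine adopting whatever session ID the client supplies, and one session store shared by every virtual host) are exactly what a custom save handler can close. The following is an added illustration written for this page; it is not phplib's session4 class, not PHP's own session code, and not something either poster wrote. It assumes PHP 4.1 or later (for $_COOKIE and $_SERVER), session_set_save_handler(), and a writable base directory whose name and layout are made up here.

```php
<?php
// Added example, not phplib or PHP project code. Assumptions: PHP >= 4.1,
// session_set_save_handler() available, $SESS_BASE writable by the web server.
// Two rules enforced below:
//  1. Cookie-only: the session ID is taken from the cookie, never from the URL,
//     and only an ID the server itself issued (a file already exists for it)
//     is honoured. Anything else is replaced by a freshly generated ID, so a
//     client-chosen ID can never become a live session.
//  2. Per-virtual-host store: every vhost keeps its sessions in its own
//     subdirectory, so another vhost on the same box cannot open them.

$SESS_BASE = '/tmp/phpsess';   // hypothetical base directory

function sess_vhost_dir() {
    global $SESS_BASE;
    $host = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : 'default';
    // keep only host-name characters so a hostile Host header cannot escape the base dir
    $host = preg_replace('/[^a-z0-9.-]/i', '_', $host);
    $dir = $SESS_BASE . '/' . $host;
    if (!is_dir($dir)) {
        mkdir($dir, 0700);
    }
    return $dir;
}

function sess_path($id) {
    return sess_vhost_dir() . '/sess_' . $id;
}

function sess_valid_id($id) {
    // IDs issued here are 32 lowercase hex chars; anything else was never ours
    return is_string($id) && preg_match('/^[0-9a-f]{32}$/', $id);
}

function sess_new_id() {
    return md5(uniqid(mt_rand(), true));
}

// --- save handler callbacks (signatures as required by session_set_save_handler) ---
function sess_open($save_path, $name) { return true; }
function sess_close() { return true; }

function sess_read($id) {
    if (!sess_valid_id($id)) return '';
    $f = sess_path($id);
    return file_exists($f) ? implode('', file($f)) : '';
}

function sess_write($id, $data) {
    if (!sess_valid_id($id)) return false;   // refuse to create a file for a foreign ID
    $fp = fopen(sess_path($id), 'w');
    if (!$fp) return false;
    fwrite($fp, $data);
    fclose($fp);
    return true;
}

function sess_destroy($id) {
    if (sess_valid_id($id)) @unlink(sess_path($id));
    return true;
}

function sess_gc($maxlifetime) {
    $dir = sess_vhost_dir();
    $dh = opendir($dir);
    while (($f = readdir($dh)) !== false) {
        if (strncmp($f, 'sess_', 5) == 0 && filemtime("$dir/$f") + $maxlifetime < time()) {
            @unlink("$dir/$f");
        }
    }
    closedir($dh);
    return true;
}

session_set_save_handler('sess_open', 'sess_close', 'sess_read',
                         'sess_write', 'sess_destroy', 'sess_gc');

// Decide the ID ourselves before session_start() so the engine never looks at
// a SID in the query string or in a trans_sid-rewritten link.
ini_set('session.use_trans_sid', '0');
$name = session_name();
$sid  = isset($_COOKIE[$name]) ? $_COOKIE[$name] : '';
if (!sess_valid_id($sid) || !file_exists(sess_path($sid))) {
    $sid = sess_new_id();          // unknown or malformed ID: issue a new one, ignore the client's
}
session_id($sid);
session_start();
```

Two caveats a practitioner would want: the "file must already exist" check defeats IDs injected via URL or a forged cookie that the server never created, but not an attacker who first obtains a real session on the same vhost and then plants that cookie on a victim; for that the application still has to switch to a fresh ID (session_id() plus a new cookie, as above) at login or any privilege change. And because sessions now live under per-host directories, the garbage collector only sweeps the current vhost's directory, so each host must see enough traffic for gc to run, or a cron job should do the sweep.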