Re: [Phplib-users] Sessions where are we going??
From: Donncha O C. <don...@tr...> - 2002-07-01 12:31:08
Great, thanks for clearing that up. There was a small bit of mixed communication! The issue with php4 sessions and the URL is a serious one, but using cookies doesn't block it, it only makes it harder for an attacker to take over a session. (They create a cookie file.. etc etc)

This will be an issue for us so I'll look into it too. I remember your thread from a short while ago on the propagation issue..

Donncha.

On Monday 01 July 2002 13:05, Giancarlo wrote:
> Donncha O Caoimh wrote:
> > Err.. we're all in favour of using PHP4 sessions to store phplib session
> > data
> > > aren't we?
>
> I am not so against PHP4 session storage, as I am against PHP4 session
> propagation.
> Unfortunately the two things go together, are bundled, unless we resume,
> for Max's session_custom class, the release_token, get_id methods etc that
> are into phplib.
> That is the real weak point of PHP4 session: the propagation.
> URL has precedence, user-provided ids make their way, there does not exist
> a 'cookie_only' option (which is the choice that gives the best guarantees
> available) to block the former.
>
> How many people are aware that if they do not set an expire for their auth, it
> is accessible for 24 H via a simple url?
> How many use fallback_mode='get' with no expire on auth?
> What are the advantages of letting users create sessions with any value
> they provide?
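As an added illustration of the propagation weakness discussed above (not code from phplib or from either poster), the following PHP configures the session layer so ids are only accepted from the cookie, rejects ids the server never issued, and expires the authenticated state. It assumes a PHP 5.5.2 or later interpreter for `session.use_strict_mode`; the `initiated` marker covers older versions that accept any client-supplied id.

```php
<?php
// Added example (not phplib code). Assumes PHP >= 5.5.2 for
// session.use_strict_mode; the 'initiated' check below covers older
// versions that accept any client-supplied session id.

// 1. Only accept session ids from the cookie, never from the URL or POST
//    (the 'cookie_only' behaviour the thread says PHP4 lacked).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Refuse ids the server did not generate itself, so a user-provided
//    value cannot become a live session.
ini_set('session.use_strict_mode', '1');

// 3. Cookie hygiene: no script access, HTTPS-only when the request is TLS.
session_set_cookie_params(0, '/', '', isset($_SERVER['HTTPS']), true);

session_start();

// Fallback for PHP versions without strict mode: a session not created by
// this code carries no 'initiated' marker, so replace its id on first use.
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['initiated'] = true;
}

// Call at privilege changes (login) so an id observed before
// authentication is not valid afterwards.
function on_successful_login($user_id)
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['auth_time'] = time();
}

// Enforce an absolute lifetime on the authenticated state, addressing the
// "accessible for 24 H" concern raised when no expire is set on the auth.
function auth_is_valid($max_age_seconds = 1800)
{
    if (!isset($_SESSION['user_id'], $_SESSION['auth_time'])) {
        return false;
    }
    if (time() - $_SESSION['auth_time'] > $max_age_seconds) {
        unset($_SESSION['user_id'], $_SESSION['auth_time']);
        return false;
    }
    return true;
}
```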