Re: Rp.: Re: Rp.: Re: [Phplib-users] Sessions where are we going??
From: nathan r. h. <na...@ds...> - 2002-07-02 18:49:36
On 2 Jul 2002, Giancarlo wrote:
>
> It is already damn difficult to have people accept the idea of using a
> new session after auth, only once... And BTW, did you discover a way
> to have PHP4 issue a new id when one already exists? This is the basis
> for both the new changes I'd port to session4: block_alien_sid
> creation and clone sess on authenticated (and I'd add a config to have
> a cookie_or_noway mode 'only' after authentication)
>

Argh! This is not for phplib-7.x, this is development for phplib-8.0. If you'd like to help, please help fix the documented bug in the tracker so we can begin working on v8 and stop mucking about with 7.x!

Sessions have *never* been secure! This is a known fact and always has been. There's no easy solution to fixing it either without a good bit of overhead. Use SSL, short timeouts and a high GC if you're truly paranoid about session duplications.

I really fail to see the real threat of someone using their own session_id other than the fact that *if* someone were to get ahold of a session_id that was still valid, that could be used against a user. Then again, that's why auth has its *own* timer.. If someone were able to steal a cookie, they would need physical access to one computer or at least unadulterated access to where that info is stored. Having either means that an attacker can do much more than steal a session -- session stealing is trivial.

The session4 support in the 7.x tree right now is EXPERIMENTAL (as well as incomplete)! If you're using it on a production site without a full understanding of what *exactly* it's doing, you're making a foolish decision. It is there simply for people to test and *log bugs against* so it can be fixed and redesigned to replace the original php3 based session.inc in php-lib-stable as is.

> As maybe you know, I don't have 'write access' to cvs anymore, I am
> declaredly lobbying.
>

Gian, it was your choice to resign. Please stop being a drama queen about it.

If you want CVS write access back, please simply ask one of the project admins and we'll be happy to reinstate you. I frankly have utterly no idea why you decided to resign in the first place.

-n
------
nathan hruby
na...@ds...
------
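The two session4 changes Gian describes (refusing client-invented session ids, and moving to a fresh id once the user authenticates), together with Nathan's "auth has its own timer" point, as an added example. This is not phplib code and not from either poster: it uses PHP's native session extension with ini settings and syntax that did not exist in the PHP4 of this thread (PHP 7.1+ for the type declarations, `session.use_strict_mode` from PHP 5.5.2). The helper names, the 15-minute auth age and `check_credentials()` are assumptions.

```php
<?php
// Added illustration (not phplib's session4 class): the behaviours discussed in
// the thread, expressed with PHP's native session extension. Assumes your own
// credential check produces a $user array; helper names here are hypothetical.

// "block_alien_sid": refuse to create a session from an id the client invented.
// With use_strict_mode PHP discards an unknown id and issues a fresh one instead
// of adopting whatever value the request carried.
ini_set('session.use_strict_mode', '1');
// "cookie_or_noway": never accept the id from the URL or the POST body.
ini_set('session.use_only_cookies', '1');
// Send the cookie only over SSL/TLS and keep it out of reach of scripts.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
session_start();

/**
 * "clone sess on authenticated": once credentials check out, carry the session
 * data over to a brand-new id and invalidate the old one, so an id that was
 * fixed or observed before login is worthless afterwards.
 */
function promote_session_after_login(array $user): void
{
    // true: delete the old id's server-side data rather than leaving it behind
    session_regenerate_id(true);
    $_SESSION['uid']       = $user['id'];
    $_SESSION['auth_time'] = time();   // feeds the separate auth timer below
}

/**
 * Auth has its own timer: the authenticated state expires on its own clock,
 * independent of the general session GC. $max_auth_age (seconds) is an assumed
 * policy value.
 */
function auth_still_valid(int $max_auth_age = 900): bool
{
    if (!isset($_SESSION['uid'], $_SESSION['auth_time'])) {
        return false;
    }
    if (time() - $_SESSION['auth_time'] > $max_auth_age) {
        // Drop only the authenticated state; the anonymous session may live on.
        unset($_SESSION['uid'], $_SESSION['auth_time']);
        return false;
    }
    return true;
}

// Usage (check_credentials() is a hypothetical helper returning a user array or null):
// if ($user = check_credentials($_POST['login'] ?? '', $_POST['pw'] ?? '')) {
//     promote_session_after_login($user);
// }
// Later requests gate privileged pages on auth_still_valid().
```

Regenerating the id on the authentication boundary is what makes the "new session after auth, only once" idea cheap: nothing else in the application changes, and an id leaked before login cannot be replayed after it.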