Re[2]: [Phplib-users] Doc suggestions
From: Maxim D. <max...@bo...> - 2002-07-10 07:33:10
Hello Giancarlo,

Tuesday, July 09, 2002, 8:42:52 PM, you wrote:

>>Security downgraded only
>>for those who don't accept
>>cookies and take the risk of
>>session being hijacked if urls

G> but that is not true!
G> Any cookie-enabled client (that hasn't received a cookie already) is forced to 'get'
G> mode by the simple presence of a SID in the URL.

Haven't got it until now. Just looked into CVS and found a record:

session.c 1.214 by hholzgra
suppress sending of cookies if session id already came from a non-cookie source

Committed about a year ago. It had not used to be like this before. Bad guys ....

G> if the site does not use cookie-only, hope there's some expire set.

expire should (if not must) always be set. In cookie-only or not, irrelevant.

>>G> -what about issue a new
>>session and move to it after
>>authenticating?
>>But what for? You'll get the
>>new socks with the same old
>>holes :)

G> not exactly. These new socks' holes are displaced elsewhere, and by wearing
G> these socks over the previous, you end up without holes ;-)

Good shot :)

G> when the session starts, you know its mode.
G> Do not allow mode change. Stick to the initial mode.
G> A client should not disable/enable cookies along the way.
G> A mode change is equivalent to a client change, thus new session.
G> So the downgrade-transfer is blocked, and actual promiscuity can happen only
G> among cookie-disabled clients.

Well, maybe. In any case, I do believe that any session-related stuff in PHP should depend on the builtin PHP session module. The reason is obvious - speed. All the issues should be addressed to the PHP CVS guys, so the module could be fixed and extended. Cookie-only plug does not resolve all the troubles.

-- 
Best regards,
Maxim Derkachev mailto:max...@bo...
IT manager, Symbol-Plus Publishing Ltd.
phone: +7 (812) 324-53-53
www.books.ru, www.symbol.ru
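The mode-pinning policy Giancarlo proposes above (record the transport mode at session start, treat a mode change as a client change and issue a new session, always set an expiry), written out as an added PHP example on top of the builtin session module; it is not PHPLib code and not from the thread, and the function names, the `_mode` session key and the heuristic of detecting the transport by checking `$_COOKIE` before `$_GET`/`$_POST` are my assumptions.

```php
<?php
// Added example (not PHPLib code): pin a session to the transport mode it
// started with. An id that first arrived in a cookie must keep arriving in a
// cookie; one that first arrived in the URL must keep arriving in the URL.
// A mode change is treated as a client change: the session data is dropped
// and a fresh id is issued, so a session cannot be carried across modes.

// How did the client present its session id on this request?
// Assumption: cookie wins if both are present (the builtin module does the same).
function session_transport_mode(): string
{
    $name = session_name();
    if (isset($_COOKIE[$name])) {
        return 'cookie';
    }
    if (isset($_GET[$name]) || isset($_POST[$name])) {
        return 'url';
    }
    return 'none';   // no id presented at all: a brand-new session
}

// Start (or resume) the session and enforce the mode pin.
function start_pinned_session(int $lifetime = 1800): void
{
    // Always set an expiry, cookie-only or not ("expire must always be set").
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    ini_set('session.cookie_lifetime', (string) $lifetime);
    ini_set('session.cookie_httponly', '1');

    $mode = session_transport_mode();
    session_start();

    // First request that actually presents an id: pin the mode now.
    // ('pending' covers the very first hit, where no id existed yet.)
    if (!isset($_SESSION['_mode']) || $_SESSION['_mode'] === 'pending') {
        $_SESSION['_mode'] = ($mode === 'none') ? 'pending' : $mode;
        $_SESSION['_started'] = time();
        return;
    }

    if ($_SESSION['_mode'] !== $mode) {
        // Mode switched mid-session. Do not carry anything over: wipe the
        // data, issue a new id and delete the old session file, then pin the
        // new session to the mode the client is using now.
        session_unset();
        session_regenerate_id(true);
        $_SESSION['_mode'] = ($mode === 'none') ? 'pending' : $mode;
        $_SESSION['_started'] = time();
    }
}
```

Call `start_pinned_session()` in place of `session_start()` on every page; the check rejects exactly the cookie-to-URL (and URL-to-cookie) transfers the thread calls the downgrade-transfer, while two cookie-disabled clients sharing one URL id are still indistinguishable, as Giancarlo notes.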