Rp.: Re[2]: [Phplib-users] Doc suggestions

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

 Maxim Derkachev <max...@bo...> a écrit le  10/7/02 11:32:

>looked into CVS and found a 
>record:
>session.c
>1.214 by hholzgra
>suppress sending of cookies 
>if session id already came
>from a non-cookie source
>Commited about a year ago.
>
>It had not used to be like this 
>before. Bad guys ....

No, I think that's different, and is about about a later moment than the supposed 'first request'.
Phplib has always acted like that, and php4 session have inherited the same behaviour. A sid in url  can impose both the 'get' mode (to any cookie-enabled browser) and the user-provided session_id. Always  if the browser hadn't  a cookie yet from that site.

I mean, do you realize how hard to have anyone realize that?
>
>G> if  the site does not use 
>cookie-only, hope there's 
>some expire  set.
>expire should (if not must) 
>always be set. In cookie-only 
>or not,
>irrelevant.
>
>>>G> -what about issue a 
>new
>>>session and move to it 
>after 
>>>authenticating?
>>>But what for? You'll get 
>the 
>>>new socks with the same 
>old 
>>>holes :) 
>
>G> not exactly. These new 
>sock's holes are displaced 
>elsewhere, and by wearing
>G> these socks over the 
>previous, you end up without 
>holes ;-)
>
>Good shot :)
>
>G> when the session starts, 
>you know its mode.  
>G> Do not allow mode 
>change. Stick to the initial 
>mode.
>G> A client should not 
>disable/enable  cookies along 
>the way.
>G> A mode change is 
>equivalent to a  client 
>change, thus new session. 
>G> So the 
>downgrade-tranfer is 
>blocked, and actual 
>promiscuity can happen only
>G> among cookie-disabled 
>clients.
>
>Well, maybe. In any case, I 
>do believe that any 
>session-related stuff
>in PHP should depend on 
>builtin PHP session module. 

I am afraid it will never be as an ad-hoc tool. I consider it as those gifts in the washing powder.
Could we have speed by using plain files too?

>The reason is
>obvious - speed. All the issues 
>should be addressed to the 
>PHP CVS
>guys, so the module could be 
>fixed and extended. 

I am already 'burnt' as an ambassador chez Schasha, but we need someone with some clear ideas. KK would be perfect. 
Phplib has already been a 'lab' for PHP4 session before

>Cookie-only plug does
>not resolve all the troubles.
>

nothing will do.

Gian