Rp.: Re[2]: [Phplib-users] Doc suggestions
From: Giancarlo <gia...@na...> - 2002-07-10 16:05:15
Maxim Derkachev <max...@bo...> wrote on 10/7/02 11:32:

> looked into CVS and found a record:
> session.c
> 1.214 by hholzgra
> suppress sending of cookies if session id already came from a non-cookie source
> Committed about a year ago.
>
> It had not used to be like this before. Bad guys ....

No, I think that's different, and is about a later moment than the supposed 'first request'. Phplib has always acted like that, and PHP4 sessions have inherited the same behaviour. A sid in the URL can impose both the 'get' mode (on any cookie-enabled browser) and the user-provided session_id. Always, if the browser hadn't a cookie yet from that site. I mean, do you realize how hard it is to have anyone realize that?

> G> if the site does not use cookie-only, hope there's some expire set.
>
> expire should (if not must) always be set. In cookie-only or not, irrelevant.
>
>>> G> -what about issue a new session and move to it after authenticating?
>>> But what for? You'll get the new socks with the same old holes :)
>
> G> not exactly. These new socks' holes are displaced elsewhere, and by wearing
> G> these socks over the previous, you end up without holes ;-)
>
> Good shot :)
>
> G> when the session starts, you know its mode.
> G> Do not allow mode change. Stick to the initial mode.
> G> A client should not disable/enable cookies along the way.
> G> A mode change is equivalent to a client change, thus new session.
> G> So the downgrade-transfer is blocked, and actual promiscuity can happen only
> G> among cookie-disabled clients.
>
> Well, maybe. In any case, I do believe that any session-related stuff
> in PHP should depend on the builtin PHP session module.

I am afraid it will never be as an ad-hoc tool. I consider it as those gifts in the washing powder. Could we have speed by using plain files too?

> The reason is obvious - speed. All the issues should be addressed to the PHP CVS
> guys, so the module could be fixed and extended.

I am already 'burnt' as an ambassador chez Schasha, but we need someone with some clear ideas. KK would be perfect. Phplib has already been a 'lab' for PHP4 session before

> Cookie-only plug does not resolve all the troubles.

nothing will do.

Gian
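What the "stick to the initial mode" rule quoted in the message above looks like when written out, as an added example that is not PHPLib's code nor anything posted in this thread. The function names, the in-memory session store and the sample requests at the bottom are all constructed for illustration; a real deployment would back the store with PHP's session handler.

```php
<?php
// Added example (not PHPLib code): pin each session to the transport it
// started with. A known id arriving by the other transport, or an id the
// server never issued, is treated as a different client and gets a fresh
// session instead of being resumed. All names and data here are constructed.

const MODE_COOKIE = 'cookie'; // id travels in the session cookie
const MODE_GET    = 'get';    // id travels in the URL (cookie-disabled client)

function new_sid(): string
{
    // Server-generated only; a client-supplied id is never adopted as a session.
    return bin2hex(random_bytes(16));
}

/**
 * Resolve the session for one request.
 *
 * @param ?string $cookieSid id found in the session cookie, null if none
 * @param ?string $urlSid    id found in the query string, null if none
 * @param string  $startMode mode the application assigns if a new session is needed
 * @param array   $store     sid => ['mode' => MODE_*], passed by reference
 * @return array  ['sid' => string, 'mode' => string, 'action' => 'resume'|'new']
 */
function resolve_session(?string $cookieSid, ?string $urlSid, string $startMode, array &$store): array
{
    // 1. A known id carried by the transport it was created for is resumed.
    if ($cookieSid !== null && isset($store[$cookieSid]) && $store[$cookieSid]['mode'] === MODE_COOKIE) {
        return ['sid' => $cookieSid, 'mode' => MODE_COOKIE, 'action' => 'resume'];
    }
    if ($urlSid !== null && isset($store[$urlSid]) && $store[$urlSid]['mode'] === MODE_GET) {
        return ['sid' => $urlSid, 'mode' => MODE_GET, 'action' => 'resume'];
    }

    // 2. Everything else is either a mode change (cookie id copied into a URL,
    //    or a get-mode id presented as a cookie) or an id we never issued.
    //    The existing session is left untouched and bound to its own transport;
    //    this client simply gets a new one, so the "downgrade-transfer" of a
    //    cookie session into a URL never succeeds.
    $sid = new_sid();
    $store[$sid] = ['mode' => $startMode];
    return ['sid' => $sid, 'mode' => $startMode, 'action' => 'new'];
}

function emit_transport(array $session): string
{
    // Only a cookie-mode session gets a Set-Cookie header; a get-mode session is
    // kept in the URL, in line with the session.c 1.214 note quoted above.
    return $session['mode'] === MODE_COOKIE
        ? 'Set-Cookie: SID=' . $session['sid'] . '; HttpOnly; Path=/'
        : 'append ?SID=' . $session['sid'] . ' to links';
}

// --- constructed walk-through ---
$store = [];

// A cookie-capable browser starts a session.
$a = resolve_session(null, null, MODE_COOKIE, $store);
printf("%s %s  %s\n", $a['action'], $a['mode'], emit_transport($a));

// That id is copied into a URL and presented by a client without the cookie:
// the cookie session is not resumed; the presenter gets an unrelated session.
$b = resolve_session(null, $a['sid'], MODE_GET, $store);
printf("%s %s  shares original? %s\n", $b['action'], $b['mode'], $b['sid'] === $a['sid'] ? 'yes' : 'no');

// The original browser still resumes its own cookie session.
$c = resolve_session($a['sid'], null, MODE_COOKIE, $store);
printf("%s %s  same session? %s\n", $c['action'], $c['mode'], $c['sid'] === $a['sid'] ? 'yes' : 'no');

// An id the server never issued, handed over in a URL, is not adopted.
$d = resolve_session(null, 'never-issued-id', MODE_GET, $store);
printf("%s %s  adopted client id? %s\n", $d['action'], $d['mode'], $d['sid'] === 'never-issued-id' ? 'yes' : 'no');
```

Two choices worth noting: the rejected transport does not destroy the existing session (doing so would let anyone who learns an id log the real user out), and step 2 never promotes a client-chosen id into the store, which is what stops a URL from imposing both the mode and the session id on a browser that had no cookie yet.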