Re: [Phplib-users] Re: latest snapshot
Brought to you by:
nhruby,
richardarcher
From: Giancarlo <gia...@na...> - 2002-11-07 08:16:57
> What about incrementing a separate random that gets changed in pageopen.
> Call it sesscheck
>
> start session
> if ($_COOKIE['sesscheck'] != $_SESSION['sesscheck']) {
>     // bomb out because we are being hijacked.
> }
> $sesscheck = md5(uniqid(rand(),1));
> setcookie('sesscheck', $sesscheck);
> $sess->register('sesscheck');

If we could know the moment when our session is a fresh new one, we could save the mode (get/cookie), and block that client from changing his mode along the way.

Every passage/steal of cookie/GET supposes changing its mode along the way. If we trust cookies it is because they are not allowed to be passed. If a client changes propagation we can be almost sure that the client itself has changed, or it means that someone has enabled/disabled his cookies midway, which should equate to a change in client.

We should be able to decide where and when to accept these alien sids. In some cases they are useful though, but allowing them anywhere is not safe.

Gian
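One way to put the two ideas from this exchange together (the rotating sesscheck token from the quoted proposal and Gian's suggestion of locking the propagation mode when the session is fresh). This is an added example, not code from the thread or from PHPLIB: it uses PHP's built-in session functions on a current PHP release rather than the PHPLIB Session class, and the session id name "sid", the cookie name "sesscheck" and the helper names are assumptions made for the illustration.

```php
<?php
// Added example; not from the original thread or from PHPLIB.
// Assumes: session id travels under the name "sid" (hypothetical), and the
// rotating token under the cookie "sesscheck". Requires PHP >= 7.0
// (random_bytes, hash_equals), unlike the 2002-era code in the thread.

const SID_NAME = 'sid';

// Work out which channel carried the session id on this request.
function sid_mode(): string
{
    if (isset($_COOKIE[SID_NAME])) {
        return 'cookie';
    }
    if (isset($_GET[SID_NAME])) {
        return 'get';
    }
    return 'none';   // no id at all: this will become a fresh session
}

// Stands in for md5(uniqid(rand(),1)) from the quoted proposal.
function fresh_token(): string
{
    return bin2hex(random_bytes(16));
}

function bomb_out(string $why): void
{
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session rejected: ' . $why);
}

function issue_sesscheck(): void
{
    $_SESSION['sesscheck'] = fresh_token();
    // HttpOnly so a script cannot read the token; adjust Secure/path for the site.
    setcookie('sesscheck', $_SESSION['sesscheck'], 0, '/', '', false, true);
}

// Start the session, lock the propagation mode on first use, and reject an
// id that arrives on a different channel than the one it was issued on.
function start_checked_session(): void
{
    session_name(SID_NAME);
    $mode = sid_mode();
    if ($mode === 'get') {
        // session.use_only_cookies is normally on, so a GET-propagated id
        // has to be handed over explicitly; it is verified below.
        session_id($_GET[SID_NAME]);
    }
    session_start();

    if (!isset($_SESSION['prop_mode'])) {
        // Fresh session: this is the moment to remember the client's mode.
        // With no incoming id, the one just created goes out as a cookie.
        $_SESSION['prop_mode'] = ($mode === 'get') ? 'get' : 'cookie';
        issue_sesscheck();
        return;
    }

    // Existing session: the mode must not change along the way.
    if ($mode !== $_SESSION['prop_mode']) {
        bomb_out('sid arrived by ' . $mode . ', was issued by ' . $_SESSION['prop_mode']);
    }

    // Cookie-mode clients must also present the rotating token.
    if ($_SESSION['prop_mode'] === 'cookie') {
        if (!isset($_COOKIE['sesscheck'])
            || !hash_equals($_SESSION['sesscheck'], $_COOKIE['sesscheck'])) {
            bomb_out('sesscheck mismatch');
        }
        // Rotate for the next page, so a sid captured once is not enough.
        issue_sesscheck();
    }
}

start_checked_session();
```

Two caveats a deployment would hit: the rotating token is only a barrier while the attacker cannot read the sesscheck cookie too, so it buys nothing against whoever can read all cookies; and rotating it on every page breaks legitimate clients that fire parallel requests or use the back button, since the second request arrives with the token that was just replaced. The mode lock has no such problem and is the cheaper check of the two.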