Re: [Phplib-users] new Session4 changes
From: Giancarlo <gia...@na...> - 2002-11-26 21:22:42
Maxim Derkachev wrote:
>First, incorporated all the changes from php-lib-stable version.
>Second, changed some strings there, performance-wise - trashed repeated
>ini_get('register_globals') calls (moved the single one to the
>constructor) and cleaned up some hacks with 'global' & eval
>
In the one just downloaded the class is missing
var $register_globals
And I still cannot increment the counter. It seems as if the $__session_ip
field is not made persistent in function register;
I am trying this with php 4.0.6
in start meth, I saw that setting
$GLOBALS[$session_ip] = remoteaddr
does not work
changing so does set the global though
<end of method start>
    if($this->forgery_check_enabled && $this->session_ip) {
        // save current IP
        $$this->session_ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
        if(!$this->is_registered($this->session_ip)) {
            $this->register($this->session_ip);
        }
        echo "THIS SESS_IP:".$$this->session_ip."<br>";
        echo "SESS_IP:".$_SESSION[$this->session_ip]."<br>";
        echo "GLOB SESS_IP:".$$this->session_ip."<br>";
    .....
But it still does not work: I see that it is saving a new, different sess_file on each reload, empty, but no cookie is left after the first.
Maybe my 4.06 is too old, but I am running apache2 as a devel alternative, and couldn't compile php there ;-)
Gian
>Third, and most significant. Added a workaround for the vulnerability,
>addressed by Giancarlo several times. Please, look at this and test it
>properly - with cookies and without, reg-globals on/off. It should
>solve the session hijacking problem. See comments for details.
>Looking forward to your feedback urgently.
>NOTE - it's in the php-lib repository, not php-lib-stable.
>Bye for now.
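The session-to-IP binding that the thread calls the forgery check, written out as an added example (not PHPLib's Session4 code nor Maxim's patch): the client address is persisted in the session data on first sight, compared on every later request, and the session is discarded on mismatch. The in-memory store, the request list and the function name are this example's own constructions so it runs from the CLI without Apache or cookies.

```php
<?php
// Added example (not PHPLib's or Maxim's code): the session-to-IP binding
// discussed in the thread, simulated with an in-memory session store so it
// runs from the CLI without Apache, cookies or a PHP 4 build.
// The store layout and the function name below are this example's own.

// Register the client address on the first request, compare it on every
// later request, and wipe the session on mismatch. Returns true when the
// request may continue with the existing session data.
function forgery_check(array &$session, $remote_addr, $enabled = true)
{
    if (!$enabled) {
        return true;
    }
    if (!isset($session['__session_ip'])) {
        // First sight of this session id: persist the IP in the session data,
        // which is what register('__session_ip') is meant to achieve in Session4.
        $session['__session_ip'] = $remote_addr;
        return true;
    }
    if ($session['__session_ip'] !== $remote_addr) {
        // Same session id presented from another address: treat as hijacked.
        $session = array();
        return false;
    }
    return true;
}

// Constructed requests: two from the legitimate client, then the same
// session id replayed from a different address (documentation IP ranges).
$requests = array(
    array('sid' => 'sid-constructed-1', 'ip' => '192.0.2.10'),
    array('sid' => 'sid-constructed-1', 'ip' => '192.0.2.10'),
    array('sid' => 'sid-constructed-1', 'ip' => '198.51.100.7'),
);
$store = array();   // stands in for the sess_* files on disk
foreach ($requests as $req) {
    if (!isset($store[$req['sid']])) {
        $store[$req['sid']] = array('counter' => 0);
    }
    if (forgery_check($store[$req['sid']], $req['ip'])) {
        $store[$req['sid']]['counter']++;   // the counter the thread tries to increment
        printf("%s from %s: ok, counter=%d\n", $req['sid'], $req['ip'],
               $store[$req['sid']]['counter']);
    } else {
        printf("%s from %s: IP mismatch, session discarded\n", $req['sid'], $req['ip']);
    }
}
```

Note that PHP parses `$$this->session_ip` as `${$this}->session_ip`, so a global named by the property has to be written `${$this->session_ip}`; also, clients behind NAT or rotating proxies legitimately change address, so an IP mismatch is a signal to re-authenticate rather than proof of hijacking.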