RE: [Phplib-users] new Session4 changes
From: Rob H. <rob...@ws...> - 2002-11-27 13:53:35
Guys, you cannot use the remote IP reliably to determine that the session applies to a certain IP. There are MANY ISPs that are caching pages at this point, and there will be more as time goes on. A person hitting a caching farm may come from one of several IPs. I can't say which one for contractual reasons, but one of the non-bankrupt remaining ISP/long-distance companies is about to start forcing all of their home HTTP traffic through a caching farm.

Rob Hutton
Web Safe
www.wsafe.com

> -----Original Message-----
> From: php...@li... [mailto:php...@li...] On Behalf Of Giancarlo
> Sent: Tuesday, November 26, 2002 4:22 PM
> To: Maxim Derkachev
> Cc: php...@li...
> Subject: Re: [Phplib-users] new Session4 changes
>
> Maxim Derkachev wrote:
>
> > First, incorporated all the changes from php-lib-stable version.
> > Second, changed some strings there, performance-wise - trashed repeated
> > ini_get('register_globals') calls (moved the single one to the
> > constructor) and cleaned up some hacks with 'global' & eval
>
> In the one just downloaded the class is missing
>
> var $register_globals
>
> And I still cannot increment the counter. It seems as if the $__session_ip
> field is not made persistent in function register;
> I am trying this with php 4.0.6
> in start meth, I saw that setting
> $GLOBALS[$session_ip] = remoteaddr
> does not work
> changing so does set the global though
>
> <end of method start>
>
> if($this->forgery_check_enabled && $this->session_ip) {
>     // save current IP
>     $$this->session_ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
>     if(!$this->is_registered($this->session_ip)) {
>         $this->register($this->session_ip);
>         echo "THIS SESS_IP:".$$this->session_ip."<br>";
>         echo "SESS_IP:".$_SESSION[$this->session_ip]."<br>";
>         echo "GLOB SESS_IP:".$$this->session_ip."<br>";
>
> .....
>
> But still does not work: I see that it is saving a new, different
> sess_file each reload, empty, but no cookie is left after the first
>
> Maybe my 4.06 is too old, but I am running apache2 as a devel
> alternative, and couldn't compile php there ;-)
>
> Gian
>
> > Third, and most significant. Added a workaround for the vulnerability,
> > addressed by Giancarlo several times. Please, look at this and test it
> > properly - with cookies and without, reg-globals on/off. It should
> > solve the session hijacking problem. See comments for details.
> > Look forward to your feedback urgently.
> > NOTE - it's in the php-lib repository, not php-lib-stable.
> > Bye for now.
>
> _______________________________________________
> Phplib-users mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phplib-users
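The two points in this exchange, as an added example written for modern PHP (this is not PHPLIB code and not Giancarlo's or Maxim's patch): first, why the quoted `$$this->session_ip = ...` line never sets the intended global, since PHP parses `$$this->session_ip` as `${$this}->session_ip` rather than `${$this->session_ip}`; second, why the strict REMOTE_ADDR comparison described in the thread rejects a legitimate user whose requests are relayed through a caching farm with several egress addresses. The class name, the `$store` array standing in for the session file, and the sample addresses are assumptions made for this example.

```php
<?php
// Added example, not PHPLIB code. Models the forgery check discussed in the
// thread with the variable-variable bug fixed, then shows the caching-farm
// failure Rob describes. Class name, $store and the addresses are assumptions.

class IpBoundSession {
    public $forgery_check_enabled = true;
    public $session_ip = '__session_ip';   // name of the variable holding the IP
    public $store = array();               // stands in for the serialized session data

    // Record the client address when the session is first started.
    public function start($remote_addr) {
        if ($this->forgery_check_enabled && $this->session_ip) {
            // `$$this->session_ip` would be parsed as `${$this}->session_ip`,
            // i.e. a variable-variable on $this, so the global named by the
            // property is never written. Take the name from the property:
            $GLOBALS[$this->session_ip] = $remote_addr;
            // Persist it alongside the session (register() in the original).
            if (!isset($this->store[$this->session_ip])) {
                $this->store[$this->session_ip] = $remote_addr;
            }
        }
    }

    // True when the global named by $session_ip was actually set.
    public function global_ip_was_set() {
        return isset($GLOBALS[$this->session_ip]);
    }

    // Strict check as described in the thread: the request's address must
    // equal the one recorded when the session was created.
    public function request_is_genuine($remote_addr) {
        if (!$this->forgery_check_enabled) {
            return true;
        }
        return isset($this->store[$this->session_ip])
            && $this->store[$this->session_ip] === $remote_addr;
    }
}

// Constructed sample: one browser whose successive requests leave a caching
// farm through three different egress addresses (documentation range, made up).
$farm_egress = array('192.0.2.10', '192.0.2.11', '192.0.2.12');

$session = new IpBoundSession();
$session->start($farm_egress[0]);
printf("global %s set: %s\n", $session->session_ip,
    $session->global_ip_was_set() ? 'yes' : 'no');

// Every request below carries the same valid session; only the first address
// passes the strict check, the rest are treated as hijack attempts.
foreach ($farm_egress as $addr) {
    printf("request from %-12s -> %s\n", $addr,
        $session->request_is_genuine($addr) ? 'accepted' : 'rejected as forgery');
}
```

Run with `php example.php`. The strict check is deliberately kept as the thread describes it; the point of the run is that a single user behind a farm is rejected on every request after the first, which is why Rob argues the remote IP cannot be relied on as a session binding. The `forgery_check_enabled` switch mirrors the flag in the quoted snippet and is the only knob the thread itself offers.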