Re: [Phplib-users] new Session4 changes
From: Giancarlo <gia...@na...> - 2002-12-02 11:13:52
Currently the logic in the session module (php3) was:
  if there is no cookie, see if there is a GET sid
    if there is a GET sid, accept that in any case
    if there's no GET sid, append a GET sid, leave a cookie as well,
      redirect to Self (with sid appended). On reentering, it is back
      to start
The logic I applied to somehow block the aliens was:
  if there is no cookie, see if there's a GET sid
    if there's a GET sid, see if that exists
      if it does not exist, create & freeze a new session, leave the new
        cookie, append sid to GET, redirect to there
    if there's no GET sid, create & freeze a new session, append sid to GET and
      leave a cookie, and redirect to there
  if there's a cookie, see if it exists; if not: recookie, redirect to self
It supposes that at any moment, header problems aside, you can create a
new session and then start it. This is what is actually missing in the php4
session. We could keep these pieces of code, because the php4 session
module is after all an 'optional' module. And phplib's code is known to
have worked for years, and gives better control, so I wouldn't throw it away so
mindlessly.
Maxim Derkachev wrote:
> Hello Rob,
>
> Saturday, November 30, 2002, 1:07:46 AM, you wrote:
> RH> Currently, if cookies are not set, then you just append the session id to
> RH> the get string.
>
> Well, I know that. But it does not resolve the session hijack issue.
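The "block the aliens" decision described in Giancarlo's post, written out as an added PHP example; it is not phplib's code and not code from the thread. It assumes a session store keyed by sid (an in-memory array here, standing in for phplib's container), a hypothetical cookie name `PHPLIB_SID` and GET parameter `sid`, and hypothetical helpers `resolve_session()` and `redirect_to_self()`. The one point the post leaves open, what to do when a GET sid names an existing session and there is no cookie, is filled in here as "accept it and set the cookie", marked as an assumption in the code.

```php
<?php
// Added example, not phplib's or the poster's code. Shows the session-id
// acceptance rule from the thread: never adopt a caller-supplied sid that
// the server does not already know; create and freeze a fresh one instead.
declare(strict_types=1);

const SID_COOKIE = 'PHPLIB_SID';   // hypothetical cookie name
const SID_PARAM  = 'sid';          // hypothetical GET parameter name

/** Unguessable session id from the CSPRNG (32 hex chars). */
function new_sid(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Decide which sid this request runs under.
 *
 * @param array<string,array<string,mixed>> $store existing sessions, keyed by sid
 * @return array{sid:string, redirect:bool, set_cookie:bool}
 */
function resolve_session(array &$store, ?string $cookieSid, ?string $getSid): array
{
    // Cookie present and names a session we know: normal request, no redirect.
    if ($cookieSid !== null && isset($store[$cookieSid])) {
        return ['sid' => $cookieSid, 'redirect' => false, 'set_cookie' => false];
    }

    // No cookie, but a GET sid that names a session we know: accept it.
    // Assumption (not stated in the post): also hand it back as a cookie so
    // later requests do not depend on the URL.
    if ($cookieSid === null && $getSid !== null && isset($store[$getSid])) {
        return ['sid' => $getSid, 'redirect' => false, 'set_cookie' => true];
    }

    // Everything else is an "alien": no sid at all, a GET sid the server has
    // never issued, or a cookie whose session is gone. The caller's value is
    // discarded, a fresh session is created and frozen (persisted) before the
    // redirect, so the re-entry finds it and lands in the first branch.
    $sid = new_sid();
    $store[$sid] = ['created' => time()];
    return ['sid' => $sid, 'redirect' => true, 'set_cookie' => true];
}

/** Leave the cookie, append the sid to the GET string, redirect to self. */
function redirect_to_self(string $sid): void
{
    $path = strtok($_SERVER['REQUEST_URI'] ?? '/', '?') ?: '/';
    setcookie(SID_COOKIE, $sid, ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    header('Location: ' . $path . '?' . SID_PARAM . '=' . rawurlencode($sid), true, 302);
    exit;
}

// Walk-through with a constructed store; no HTTP request needed.
$store = ['a1b2c3d4' => ['created' => 0]];   // one session the server issued
$cases = [
    'cookie, known'    => ['a1b2c3d4', null],
    'no cookie, known' => [null, 'a1b2c3d4'],
    'no cookie, alien' => [null, 'deadbeef'],   // attacker-chosen sid
    'stale cookie'     => ['gone1234', null],
    'nothing'          => [null, null],
];
foreach ($cases as $label => [$cookie, $get]) {
    $r = resolve_session($store, $cookie, $get);
    printf("%-17s -> sid=%s redirect=%s cookie=%s\n",
        $label, $r['sid'], $r['redirect'] ? 'yes' : 'no', $r['set_cookie'] ? 'yes' : 'no');
}

// In a real page the result would be consumed like this:
// $r = resolve_session($container, $_COOKIE[SID_COOKIE] ?? null, $_GET[SID_PARAM] ?? null);
// if ($r['redirect']) { redirect_to_self($r['sid']); }
```

Run with `php example.php`: the first two cases keep the sid they were given, the other three get a fresh 32-hex-character sid and a redirect. Note what this rule does and does not buy: an unknown sid pasted into a URL can no longer be turned into a live session (the fixation case), but, as Maxim's quoted reply says, a GET-carried sid that the server did issue is still accepted, so a leaked URL still hands over the session.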