Re: [Phplib-users] store the IP in the session
From: Giancarlo <gia...@na...> - 2002-12-04 18:33:44
Giancarlo wrote:
> Excuse me, but if I propose you to click on a link as
> https://phplib.sourceforge.net/showoff.php3?PHPSESSID=1
  ^^^^^^^

Notice that it is using SSL. So the idea to mark the session somehow, to prevent opening starting from a user-chosen, nonexistent id, is good. The idea of the IP I'd let implement to those who want.

Now, even if we accept only ids created by us, one can have php(4/lib) create it, and offer that in the URL. It will work only once though, which is better yet. BUT, if when we create the session, we remember the 'mode' at that moment (get/cookie), then this will be possible only when both A and B have cookies disabled. Which restricts further and further, because the transmission, in that standard illiterate exploit, must pass through GET in any case.

I know the solution is sheathing the hull. I question how much this is a valid reason for not plugging the holes anyway.

G
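The two checks Giancarlo describes, refusing ids the server never issued and remembering the transport "mode" a session was created with, written out as an added example. This is not phplib code and not from the thread: the in-memory `$sessionStore` array, the `createSession` and `resumeSession` functions and the `MODE_*` constants are all assumptions standing in for whatever store and API a real implementation would use.

```php
<?php
// Added example, not phplib code. Shows the two defences discussed above:
//  1. accept only session ids the server itself created;
//  2. record the transport (cookie or GET) at creation, and refuse to resume a
//     cookie-mode session from an id that arrives in the query string.
// The store is a plain array, a constructed stand-in for the session table.

declare(strict_types=1);

const MODE_COOKIE = 'cookie';
const MODE_GET    = 'get';

/** @var array<string, array{mode: string, created: int}> */
$sessionStore = []; // constructed in-memory stand-in, assumption for this example

/** Mint a new id from the CSPRNG and remember how the client is carrying it. */
function createSession(array &$store, string $mode): string
{
    // 128 random bits: a client cannot choose or predict this value.
    $id = bin2hex(random_bytes(16));
    $store[$id] = ['mode' => $mode, 'created' => time()];
    return $id;
}

/**
 * Decide whether a presented id may be resumed. $via says how the id reached
 * us on this request: MODE_COOKIE from the session cookie, MODE_GET from the
 * PHPSESSID= query parameter.
 */
function resumeSession(array $store, string $presentedId, string $via): array
{
    // Check 1: an id we never issued is refused rather than being turned into
    // a fresh session under a name the client picked.
    if (!isset($store[$presentedId])) {
        return ['ok' => false, 'reason' => 'unknown id'];
    }

    // Check 2: an id minted while the client was using cookies has no business
    // arriving in a URL; that is the only path the link-based attack can use.
    $session = $store[$presentedId];
    if ($session['mode'] === MODE_COOKIE && $via === MODE_GET) {
        return ['ok' => false, 'reason' => 'cookie-mode id presented via GET'];
    }

    return ['ok' => true, 'reason' => ''];
}

// Demonstration on constructed inputs.
$attackerChosen = '1';                       // the PHPSESSID=1 from the quoted link
var_dump(resumeSession($sessionStore, $attackerChosen, MODE_GET));

$cookieId = createSession($sessionStore, MODE_COOKIE);
var_dump(resumeSession($sessionStore, $cookieId, MODE_COOKIE)); // same transport: allowed
var_dump(resumeSession($sessionStore, $cookieId, MODE_GET));    // pasted into a URL: refused

$getId = createSession($sessionStore, MODE_GET);
var_dump(resumeSession($sessionStore, $getId, MODE_GET));       // GET-mode session via GET: allowed
```

The last case is the residual gap the message points out: a session created in GET mode can still be resumed from a URL, so the mode check only narrows the problem to clients that both have cookies disabled. Tying the session to additional request properties, as the IP proposal does, is what would narrow it further.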