Hello Gian,
to prevent the user from providing a new session id to phplib in the URL while using the session cookies of php4, I
included the following code in function start() of class session (in session4.inc as of v 1.14 2001/08/29
07:26:44 richardarcher) before the statement
$ok = session_start();
----- additional code begin ----
# was a value for name provided in URL?
if(isset($_GET[$this->name])) {
    $lokid = $_GET[$this->name];
    # only a well-formed id (PHP builds them from [0-9a-zA-Z,-]) is looked up,
    # so an arbitrary client string never reaches the file system path below
    # does a session with this name exist?
    if(!preg_match('/^[0-9a-zA-Z,-]+$/', $lokid)
       || !file_exists(session_save_path().'/sess_'.$lokid)) {
        # no - user wants to give us a certain session id! forbid it:
        unset($_GET[$this->name]);
    }
}
---- additional code end ----
After that, the following session_start() will produce a new session with a new id.
Is this something you are interested in? The code might be extendable to cover similar attacks using
cookies. Also, your problem stated below doesn't occur any more.
Of course it is impossible (this way) to discover whether the user is authorized to provide an existing session id.
Hope this is helpful
Peter Kursawe
On 29 Jun 2002 at 18:23, Giancarlo wrote:
From: Giancarlo <gia...@na...>
To: php...@li...
Subject: [Phplib-users] AND any client with cookies enabled is driven into 'get' mode
Date sent: Sat, 29 Jun 2002 18:23:49 +0200
> I forgot.
> Precedence to the URL is given EVEN IF THE CLIENT HAS COOKIES ENABLED, provided
> he has not already received a cookie from that domain (=first_start)
>
>
>
> ---------- Forwarded message ----------
>
> Subject: real meaning of session.use_cookie and fallback_mode=get
> Date: Sat, 29 Jun 2002 18:19:33 +0200
> From: Giancarlo <gia...@na...>
> To: php...@li...
>
> The real meaning of these two parallel settings, one in PHP4's php.ini and the
> other in phplib, is:
>
> If no cookie has been left yet (=start_with), use cookies ONLY if there's no
> user-provided sid in the URL ! Give precedence to URL! And create the id the
> user tells you to create via the URL!
> I dunno if it's clear...
>
>
> Gian
>
> _______________________________________________
> Phplib-users mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phplib-users
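The check Peter describes above, as an added example that is not code from the PHPLib thread or from the PHPLib project: a wrapper around session_start() that refuses a client-supplied session id unless a session with that id already exists, and which also covers the cookie channel Peter mentions as a possible extension. It assumes PHP's "files" save handler with the default "sess_<id>" file naming, that the session name is the default PHPSESSID, and that session_start() reads the id from the $_GET and $_COOKIE superglobals (the same fact Peter's patch relies on for $_GET). The function and variable names are my own. Modern PHP has the same behaviour built in for every save handler with session.use_strict_mode=1, which is the preferred fix where it is available.

```php
<?php
// Added example, not part of the PHPLib thread: strict session start that
// drops unknown client-supplied session ids before session_start() runs.
// Assumes the "files" save handler and its "sess_<id>" file naming.

function session_id_is_well_formed($id)
{
    // PHP generates ids from the alphabet [0-9a-zA-Z,-]; reject anything else
    // before the id is ever used to build a file system path.
    return is_string($id) && preg_match('/^[0-9a-zA-Z,-]{1,128}$/', $id) === 1;
}

function session_file_dir()
{
    $path = session_save_path();
    // The files handler accepts "N;/dir" and "N;mode;/dir"; keep only the dir.
    $sep = strrpos($path, ';');
    if ($sep !== false) {
        $path = substr($path, $sep + 1);
    }
    // Empty save_path means PHP falls back to the system temp directory.
    return $path === '' ? sys_get_temp_dir() : $path;
}

function session_exists($id)
{
    return session_id_is_well_formed($id)
        && file_exists(session_file_dir() . DIRECTORY_SEPARATOR . 'sess_' . $id);
}

// Starts the session, rejecting ids that do not name an existing session on
// either channel. Returns what happened so the caller can log it.
function start_session_strict($name = 'PHPSESSID')
{
    session_name($name);
    $dropped = array();

    // An id in the URL that matches no existing session is the fixation case
    // from the thread: remove it so session_start() mints a fresh id.
    if (isset($_GET[$name]) && !session_exists($_GET[$name])) {
        $dropped['url'] = $_GET[$name];
        unset($_GET[$name]);
    }
    // Same rule for a cookie: a client can plant one just as easily as a URL.
    if (isset($_COOKIE[$name]) && !session_exists($_COOKIE[$name])) {
        $dropped['cookie'] = $_COOKIE[$name];
        unset($_COOKIE[$name]);
    }

    $ok = session_start();
    return array('started' => $ok, 'id' => session_id(), 'dropped' => $dropped);
}

// Typical use at the top of a page, before any output. A rejected id is worth
// logging: repeated rejections from one client look like a fixation attempt.
$result = start_session_strict();
if ($result['dropped']) {
    error_log('session: rejected unknown id via '
        . implode(',', array_keys($result['dropped'])));
}
```

As Peter notes, this only tells you that a session with the given id exists, not that this client is entitled to use it; binding the session to something the client cannot forge, and regenerating the id on login, remain separate controls.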