Newsgroups: php.internals
Xref: news.php.net php.internals:15704
Subject: Re: [PHP-DEV] why does PHP accept [new] session ids from client?
From: hans@velum.net (Hans Lellelid)
To: Chris Shiflett
CC: "M. Sokolewicz", internals@lists.php.net
Date: Thu, 31 Mar 2005 12:40:22 -0500
Message-ID: <424C3606.7090303@velum.net>
In-Reply-To: <424C2FB2.2070808@php.net>

Hi Chris,

Chris Shiflett wrote:
> M. Sokolewicz wrote:
>
>> "why is it this way" should also be posted to the general newsgroup, it
>> barely has anything to do with internals
>
> The behavior of the session extension has everything to do with
> internals. I'm not sure why everyone is sending him to php-general. No
> one there is going to be able to change this behavior. They can only
> suggest userland code to try to work around it.
>
> The problem is that PHP uses any user-supplied session identifier when
> creating a new session. This increases the risk of session fixation.
>
> If this behavior were changed, it would not completely protect
> developers from session fixation, but it would be a step in the right
> direction. I think the original poster was making this suggestion.
>
> Thanks, Chris.

Yes, that's what I was suggesting. I think I may be partly at fault for framing it as a question. I knew quite well that there was no way to change this behavior for PHP, but wanted to know if there was perhaps some good reason for why this behavior existed.

I know for my apps how to mitigate the threat of fixation (I think thanks to an article you wrote), but how many other people know this or make a habit of doing this (i.e. session id regeneration)?

-Hans
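Added example (not code from the thread, and not PHP's session extension): a small Python model of the two design choices the thread argues about. `accept_client_ids` reproduces the behavior Chris describes, a server that creates a new session under whatever id the client sends; the strict alternative mints its own id when it does not recognise the one presented. `regenerate_on_login` is the userland mitigation Hans refers to, issuing a fresh id when the session gains privilege. Two attack scripts are run against every combination: one where the attacker plants an id the server never issued, and one where the attacker first obtains a legitimate id from the server and plants that. The second run is why Chris says rejecting client-supplied ids is "a step in the right direction" rather than a complete fix. The cookie name, the password and the attacker's id are constructed for the demo.

```python
"""Session fixation: adopting client-supplied ids vs. minting our own, with and without
regeneration on login.  Constructed model for illustration, not PHP's own code."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

SESSION_COOKIE = "PHPSESSID"  # constructed: only mirrors PHP's default cookie name


@dataclass
class Response:
    set_cookie: str  # id the server tells the browser to keep sending
    body: str        # who the server believes is logged in


class SessionServer:
    def __init__(self, accept_client_ids: bool, regenerate_on_login: bool) -> None:
        self.accept_client_ids = accept_client_ids
        self.regenerate_on_login = regenerate_on_login
        self.store: dict[str, dict] = {}

    def _new_id(self) -> str:
        return secrets.token_hex(16)

    def start_session(self, cookies: dict[str, str]) -> str:
        """Return the id this request runs under, creating a session if needed."""
        sid = cookies.get(SESSION_COOKIE)
        if sid is not None and sid in self.store:
            return sid  # resume a session the server itself knows about
        if sid is not None and self.accept_client_ids:
            self.store[sid] = {}  # permissive: adopt the client's id verbatim
            return sid
        sid = self._new_id()  # strict: unknown id, so the server chooses the id
        self.store[sid] = {}
        return sid

    def handle(self, cookies: dict[str, str], action: str, **params: str) -> Response:
        sid = self.start_session(cookies)
        data = self.store[sid]
        if action == "login" and params.get("password") == "hunter2":  # constructed credential
            if self.regenerate_on_login:
                fresh = self._new_id()
                self.store[fresh] = data
                del self.store[sid]  # the pre-login id stops working
                sid = fresh
            data["user"] = params["user"]
        return Response(set_cookie=sid, body=data.get("user", "anonymous"))


def _victim_visits_and_logs_in(server: SessionServer, planted: str) -> None:
    """Victim follows the planted id, then logs in with whatever cookie the server set."""
    cookie = server.handle({SESSION_COOKIE: planted}, "view").set_cookie
    server.handle({SESSION_COOKIE: cookie}, "login", user="alice", password="hunter2")


def attack_with_attacker_chosen_id(server: SessionServer) -> str:
    """Attacker plants an id the server never issued; returns who the attacker ends up as."""
    planted = "attacker-chosen-id"  # constructed
    _victim_visits_and_logs_in(server, planted)
    return server.handle({SESSION_COOKIE: planted}, "view").body


def attack_with_server_issued_id(server: SessionServer) -> str:
    """Attacker first obtains a legitimate anonymous id from the server, then plants that."""
    planted = server.handle({}, "view").set_cookie
    _victim_visits_and_logs_in(server, planted)
    return server.handle({SESSION_COOKIE: planted}, "view").body


def outcomes() -> dict[tuple[bool, bool], tuple[str, str]]:
    """(accept_client_ids, regenerate_on_login) -> (chosen-id result, issued-id result)."""
    table = {}
    for accept in (True, False):
        for regen in (False, True):
            table[(accept, regen)] = (
                attack_with_attacker_chosen_id(SessionServer(accept, regen)),
                attack_with_server_issued_id(SessionServer(accept, regen)),
            )
    return table


if __name__ == "__main__":
    for (accept, regen), (chosen, issued) in outcomes().items():
        print(f"accept_client_ids={accept!s:5} regenerate_on_login={regen!s:5} "
              f"-> attacker sees: chosen-id {chosen:9} issued-id {issued}")
```

Only the permissive server without regeneration loses to the planted, never-issued id. The strict server defeats that attack but still loses when the attacker plants an id it legitimately obtained first, because the victim simply resumes the attacker's anonymous session and then elevates it. Regenerating the id on login closes both cases regardless of the acceptance policy, which is why it remains the mitigation application code has to apply itself.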