Newsgroups: php.internals
Subject: Re: [PHP-DEV] [PATCH] Modifications for ext/session/
From: dan@cain.sh ("Daniel J Cain Jr.")
To: internals@lists.php.net
Date: Fri, 22 Apr 2005 23:46:36 -0500
Message-ID: <4269D32C.1080706@cain.sh>
References: <4266894D.1070702@cain.sh> <42668AC0.1010607@caedmon.net>

These changes in and of themselves will offer zero increased protection against session fixation/hijacking. But they do prove useful when used together for building a custom session handler trying to prevent session fixation/hijacking. Here's how the new functionality might be applied after discovering a session hijacking attempt. My code uses a DB for storage, so I have a userland $this->id_exists($id) in place already.
    // session_is_started() and the $id argument to session_regenerate_id()
    // are the additions proposed in the patch; session_id() already exists.
    if (session_is_started()) {              // Instead of using isset($_SESSION)
        session_regenerate_id($this->newID); // Added ability to set SID
        unset($_SESSION);
    } else {
        session_id($this->newID);            // Existing ability to set SID
        session_start();
    }

For helping prevent session fixation, a built-in session_id_exists($SID) would be useful as well. That way, if the end user is so inclined, they can prevent session fixation. Those changes would be a little more in depth than the simpler ones I've put up so far. Someone more experienced with writing extensions may want to tackle that one if they think it would be useful as well. Otherwise I may get adventurous and tackle it as an exercise to learn more extension writing/modifying in the future.

I'm not trying to present a silver bullet solution, just hoping to provide enhanced functionality for those who seek it. :)

-dan

Peter Brodersen wrote:
> But as long as stuff like
> print_r(glob("{.,/tmp}/*",GLOB_BRACE));
> .. are possible even in safe_mode/open_basedir-restrictions, these new
> functions will have pretty small effect unless one works his way
> entirely around the session functionality in the first place...
>
> E.g.:
> http://basedir.ter.dk/globall.php

-- 
D a n i e l J C a i n J r .
Zend Certified Engineer
http://zend.com/zce.php?c=ZEND001685&r=210869656
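As an added example, not code from the patch above or from Daniel's DB-backed handler, the following shows the same two ideas with the API PHP later gained: session.use_strict_mode (PHP 5.5.2 and later) plus SessionUpdateTimestampHandlerInterface::validateId() (PHP 7.0 and later) give a custom handler exactly the session_id_exists() hook the post asks for, and session_regenerate_id(true) covers "issue a new ID and drop the old one" for both the login step and the recover-from-hijack step. It goes beyond the 2005 proposal in using those later APIs. Assumptions: PHP 8.0 or later, run from the CLI with cookies disabled so there is no HTTP response to carry a cookie; the array-backed store stands in for the DB table, and the attacker-chosen ID is a constructed value standing in for a planted PHPSESSID cookie or URL parameter.

```php
<?php
// Added example, not part of the original patch or post. Assumes PHP >= 8.0
// (typed SessionHandlerInterface signatures). The array-backed store is a
// constructed stand-in for the DB table the post mentions.

final class StrictSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string, string> serialized session data keyed by session ID */
    private array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }

    // The "session_id_exists()" the post asks for. With session.use_strict_mode=1,
    // PHP calls this before adopting a client-supplied ID and discards the ID
    // when it returns false, so a value the attacker planted is never used.
    public function validateId(string $id): bool { return isset($this->store[$id]); }
    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }

    /** @return list<string> IDs currently held by the store (for the demo output) */
    public function knownIds(): array { return array_keys($this->store); }
}

ini_set('session.use_strict_mode', '1');
ini_set('session.use_cookies', '0');   // CLI demo: no HTTP response to carry a cookie
$handler = new StrictSessionHandler();
session_set_save_handler($handler, true);

// 1. Fixation attempt: the client presents an ID this server never issued
//    (constructed value standing in for a planted PHPSESSID cookie/URL param).
session_id('attackerchosenid');
session_start();
if (session_id() === 'attackerchosenid') {
    throw new RuntimeException('strict mode failed: attacker-chosen ID was accepted');
}
echo "fixation rejected, server issued ", session_id(), "\n";

// 2. Privilege change: rotate the ID on login so an ID observed before
//    authentication does not name the authenticated session. With
//    delete_old_session=true the old record is destroyed, so the old ID
//    also fails validateId() from now on.
$preLogin = session_id();
$_SESSION['user'] = 'alice';
session_regenerate_id(true);
$postLogin = session_id();
if ($postLogin === $preLogin || $handler->validateId($preLogin)) {
    throw new RuntimeException('ID rotation failed');
}
session_write_close();   // persists $_SESSION under $postLogin
echo "login rotated ", $preLogin, " -> ", $postLogin, "\n";

// 3. Hijack response (the post's use case): a later request arrives with an ID
//    we now believe is stolen. Destroy it and continue under a fresh one; the
//    stolen copy is rejected by validateId() on its next use.
session_id($postLogin);
session_start();
session_regenerate_id(true);
session_write_close();
echo "recovered under ", session_id(), "; store now holds ",
     count($handler->knownIds()), " session(s), stolen ID valid: ",
     var_export($handler->validateId($postLogin), true), "\n";
```

Run it with `php strict_session.php`; the last line should report one stored session and `stolen ID valid: false`. The point Daniel makes still holds: the handler alone adds nothing unless the application actually calls session_regenerate_id(true) at privilege changes and on suspected hijack, and strict mode only helps when validateId() consults the same store the handler writes to.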