Newsgroups: php.internals
Subject: Re: [PHP-DEV] [PATCH] Modifications for ext/session/
From: tommyo@gmail.com (Thomas O'Neill)
To: internals@lists.php.net
Date: Mon, 25 Apr 2005 20:35:22 -0500
In-Reply-To: <4269D32C.1080706@cain.sh>
References: <4266894D.1070702@cain.sh> <42668AC0.1010607@caedmon.net> <4269D32C.1080706@cain.sh>
I think that these functions could be helpful. Is there any reason we
shouldn't have this kind of functionality?

What do others think of these changes?

-Tom

On 4/22/05, Daniel J Cain Jr. wrote:
>
> These changes in and of themselves will offer zero increased protection
> against session fixation/hijacking. But they do prove useful when used
> together for building a custom session handler trying to prevent session
> fixation/hijacking.
>
> Here's how the new functionality might be applied after discovering a
> session hijacking attempt. My code uses a DB for storage so I have a
> userland $this->id_exists($id) in place already.
>
>     if (session_is_started()) {               // Instead of using isset($_SESSION)
>         session_regenerate_id($this->newID);  // Added ability to set SID
>         unset($_SESSION);
>     } else {
>         session_id($this->newID);             // Existing ability to set SID
>         session_start();
>     }
>
> For helping prevent session fixation a built-in session_id_exists($SID)
> would be useful as well. That way, if the end user is so inclined they
> can prevent session fixation. Those changes would be a little more in
> depth than the simpler ones I've put up so far. Someone more
> experienced with writing extensions may want to tackle that one if they
> think it would be useful as well. Otherwise I may get adventurous and
> tackle it as an exercise to learn more extension writing/modifying in
> the future.
>
> I'm not trying to present a silver bullet solution, just hoping to
> provide enhanced functionality for those who seek it.
>
> :)
>
> -dan
>
>
> Peter Brodersen wrote:
>
> > But as long as stuff like
> >     print_r(glob("{.,/tmp}/*", GLOB_BRACE));
> > .. are possible even in safe_mode/open_basedir-restrictions, these new
> > functions will have pretty small effect unless one works his way
> > entirely around the session functionality in the first place...
> >
> > E.g.:
> > http://basedir.ter.dk/globall.php
> >
>
> --
> D a n i e l  J  C a i n  J r .
> Zend Certified Engineer
> http://zend.com/zce.php?c=ZEND001685&r=210869656
>

--
Tom O'Neill
tommyo@gmail.com
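The session_id_exists() check Daniel asks for above, as an added example that is not part of the thread or of PHP's own code: a userland save handler for current PHP (assumed 8.0 or later) whose validateId() rejects any ID the store never issued, which is the property that defeats fixation. The class name and the storage directory are my own choices.

```php
<?php
// Added example, not from the thread: a userland save handler that supplies the
// session_id_exists() check requested above. With session.use_strict_mode=1, PHP
// calls validateId() on every client-supplied ID and generates a fresh one when it
// returns false, so an attacker-chosen ID is never adopted (the fixation case).
// Assumes PHP >= 8.0; the class name and storage directory are my own choices.
final class StrictFileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private string $dir) {}
    // Accept only the alphabet PHP itself generates, so a crafted ID cannot
    // escape $dir; '' means "not a session ID at all".
    private function path(string $id): string {
        return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) ? "$this->dir/sess_$id" : '';
    }
    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }
    public function read(string $id): string|false {
        $p = $this->path($id);
        return ($p !== '' && is_file($p)) ? (string) file_get_contents($p) : '';
    }
    public function write(string $id, string $data): bool {
        $p = $this->path($id);
        return $p !== '' && file_put_contents($p, $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool {
        $p = $this->path($id);
        return $p === '' || !is_file($p) || unlink($p);
    }
    public function gc(int $max_lifetime): int|false {
        $n = 0;
        foreach (glob("$this->dir/sess_*") ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) $n++;
        }
        return $n;
    }
    // The id_exists() check: only IDs this store has itself written are valid.
    public function validateId(string $id): bool {
        $p = $this->path($id);
        return $p !== '' && is_file($p);
    }
    public function updateTimestamp(string $id, string $data): bool {
        $p = $this->path($id);
        return $p !== '' && touch($p);
    }
}

ini_set('session.use_strict_mode', '1');  // without this PHP never consults validateId()
session_set_save_handler(new StrictFileSessionHandler(sys_get_temp_dir()), true);
session_start();
// On login or any privilege change: session_regenerate_id(true); gives a fresh ID
// and deletes the old record, the stock equivalent of Daniel's regenerate-with-new-ID step.
```

Without session.use_strict_mode the handler still works as storage, but PHP will happily adopt an unknown incoming ID, so the setting and the handler belong together.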