Newsgroups: php.internals
Date: Tue, 26 Apr 2005 10:02:57 +0200 (CEST)
From: sascha@schumann.cx (Sascha Schumann)
To: Thomas O'Neill
Cc: internals@lists.php.net
References: <4266894D.1070702@cain.sh> <42668AC0.1010607@caedmon.net> <4269D32C.1080706@cain.sh>
Subject: Re: [PHP-DEV] [PATCH] Modifications for ext/session/

They are not helpful for various reasons. E.g., if you need to ask whether a session was started, your architecture is broken (a central place needs to manage sessions; that single place must know whether a session has been started).

Also, the concept of session_id_exists is fundamentally broken (think of atomic file creation). That is why there is no such function.

Regarding providing an id to session_regenerate_id: I have seen too many supposedly safe session id generators that I would be in favor of adding that kind of overwriting power.
    - Sascha

On Mon, 25 Apr 2005, Thomas O'Neill wrote:

> I think that these functions could be helpful. Is there any reason we
> shouldn't have this kind of functionality?
>
> What do others think of these changes?
>
> -Tom
>
> On 4/22/05, Daniel J Cain Jr. wrote:
>>
>> These changes in and of themselves will offer zero increased protection
>> against session fixation/hijacking. But they do prove useful when used
>> together for building a custom session handler trying to prevent session
>> fixation/hijacking.
>>
>> Here's how the new functionality might be applied after discovering a
>> session hijacking attempt. My code uses a DB for storage so I have a
>> user land $this->id_exists($id) in place already.
>>
>> if (session_is_started()) {              // Instead of using isset($_SESSION)
>>     session_regenerate_id($this->newID); // Added ability to set SID
>>     unset($_SESSION);
>> } else {
>>     session_id($this->newID);            // Existing ability to set SID
>>     session_start();
>> }
>>
>> For helping prevent session fixation a built in session_id_exists($SID)
>> would be useful as well. That way, if the end user is so inclined they
>> can prevent session fixation. Those changes would be a little more in
>> depth than the simpler ones I've put up so far. Someone more
>> experienced with writing extensions may want to tackle that one if they
>> think it would be useful as well. Otherwise I may get adventurous and
>> tackle it as an exercise to learn more extension writing/modifying in
>> the future.
>>
>> I'm not trying to present a silver bullet solution, just hoping to
>> provide enhanced functionality for those who seek it.
>>
>> :)
>>
>> -dan
>>
>>
>> Peter Brodersen wrote:
>>
>>> But as long as stuff like
>>> print_r(glob("{.,/tmp}/*",GLOB_BRACE));
>>> .. are possible even in safe_mode/open_basedir-restrictions, these new
>>> functions will have pretty small effect unless one works his way
>>> entirely around the session functionality in the first place...
>>>
>>> E.g.:
>>> http://basedir.ter.dk/globall.php
>>>
>>
>> --
>> D a n i e l J C a i n J r .
>> Zend Certified Engineer
>> http://zend.com/zce.php?c=ZEND001685&r=210869656
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
> --
> Tom O'Neill
> tommyo@gmail.com
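The pattern Daniel's snippet sketches, and Sascha's atomic-creation objection to an exists-check, written out as an added example against functions that do exist in PHP 7+; this is not code from the thread or from ext/session, session_status() stands in for the proposed session_is_started(), and the helper names and the sess_ file layout are assumptions made for the example.

```php
<?php
// Added example, not part of the thread. Assumes PHP 7+ and, for the
// second part, a file-backed store under $dir (layout is made up here).

// "Is a session started?" without a session_is_started(): session_status()
// answers it, so one central handler decides whether to start or rotate.
function rotate_session_id(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Let PHP pick the new id (no caller-supplied id, per Sascha's objection)
    // and delete the old record so the previous id stops working at once.
    session_regenerate_id(true);
    return session_id();
}

// Why session_id_exists($id) followed by "create" is racy: two requests can
// both observe "absent" and both create the same id. Folding the test and
// the creation into one step removes the window: fopen() mode 'x' fails if
// the file already exists, so whoever gets a handle owns that id.
function claim_session_file(string $dir, string $id)
{
    $path = $dir . DIRECTORY_SEPARATOR . 'sess_' . $id;
    $fh = @fopen($path, 'x');          // atomic create-if-absent
    return $fh === false ? null : $fh;
}

// Demo: a second claim on the same id must fail. Returns true when the
// claim behaved atomically; cleans up the constructed file afterwards.
function demo_claim_is_atomic(string $dir): bool
{
    $id = bin2hex(random_bytes(16));   // constructed id for the demo
    $first  = claim_session_file($dir, $id);
    $second = claim_session_file($dir, $id);
    $ok = ($first !== null) && ($second === null);
    if ($first !== null) {
        fclose($first);
        unlink($dir . DIRECTORY_SEPARATOR . 'sess_' . $id);
    }
    return $ok;
}

var_dump(demo_claim_is_atomic(sys_get_temp_dir()));
```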