Newsgroups: php.internals
Subject: Re: [PHP-DEV] [PATCH] Modifications for ext/session/
From: shiflett@php.net (Chris Shiflett)
To: Hans Lellelid
Cc: Sascha Schumann, Thomas O'Neill, internals@lists.php.net
Date: Tue, 26 Apr 2005 12:59:02 -0400
Message-ID: <426E7356.4020504@php.net>
In-Reply-To: <426E6F87.5020908@velum.net>

Hans Lellelid wrote:
> I haven't looked in any detail at these functions, but wouldn't you be
> able to prevent fixation by inquiring whether a particular session was
> already started? -- rather than PHP's current (IMHO flawed) behavior
> where a new session is simply started with whatever session id is passed
> in.

It would raise the bar, but that's about it.

An attacker visits your site (to initiate the session), determines the assigned session identifier, and then uses that session identifier (which now references an initiated session) for the session fixation attack.

Chris
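The following is an added example, not code from the thread, from PHP's ext/session, or from any of the participants. It is a small in-memory model of session handling that walks through the two policies under discussion: accepting a presented identifier only when that session already exists (the check proposed above), and regenerating the identifier when the user authenticates. The SessionStore class, the login() helper and the scenario values are all hypothetical constructions for this illustration; the real-world counterpart of regenerate() is PHP's session_regenerate_id(true) called after a successful login.

```php
<?php
// Added example (not part of the thread): a hypothetical in-memory model of
// session handling, used to show why "only accept identifiers of sessions
// that already exist" does not stop fixation, and why regenerating the
// identifier on authentication does. Class and function names are made up
// for this illustration; the real mitigation in PHP is
// session_regenerate_id(true) after a successful login.

final class SessionStore
{
    /** @var array<string, array<string, mixed>> session id => session data */
    private array $sessions = [];

    private function newId(): string
    {
        return bin2hex(random_bytes(16));
    }

    /**
     * Policy from the thread: if the client presents an id that already
     * exists, adopt it; otherwise issue a fresh one. A plain "does this
     * session exist?" check cannot tell an attacker-initiated session
     * from a legitimate one.
     */
    public function start(?string $presentedId): string
    {
        if ($presentedId !== null && isset($this->sessions[$presentedId])) {
            return $presentedId;           // existing session: accepted as-is
        }
        $id = $this->newId();
        $this->sessions[$id] = [];
        return $id;
    }

    /** Mitigation: on privilege change, move the data to a fresh id. */
    public function regenerate(string $oldId): string
    {
        $data = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);    // like the delete_old_session flag
        $newId = $this->newId();
        $this->sessions[$newId] = $data;
        return $newId;
    }

    public function set(string $id, string $key, $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    public function get(string $id, string $key)
    {
        return $this->sessions[$id][$key] ?? null;
    }
}

/** Victim logs in; returns the id the victim ends up using. */
function login(SessionStore $store, string $presentedId, bool $regenerate): string
{
    $id = $store->start($presentedId);
    if ($regenerate) {
        $id = $store->regenerate($id);     // fresh id, known only to the victim
    }
    $store->set($id, 'user', 'victim');
    return $id;
}

// Scenario described in the reply: the attacker first visits the site, so the
// id later planted in the victim's browser refers to an initiated session.
$store = new SessionStore();
$plantedId = $store->start(null);          // attacker's own visit

// Without regeneration the "session exists" check passes, and the planted id
// now carries the victim's authenticated state.
$victimId = login($store, $plantedId, false);
printf("no regeneration: planted id sees user=%s\n",
       var_export($store->get($plantedId, 'user'), true));

// With regeneration on login the planted id no longer maps to anything.
$store = new SessionStore();
$plantedId = $store->start(null);
$victimId = login($store, $plantedId, true);
printf("regenerate on login: planted id sees user=%s; victim id differs: %s\n",
       var_export($store->get($plantedId, 'user'), true),
       var_export($victimId !== $plantedId, true));
```

Run it with `php` on the command line. The point it makes is the one in the reply: an existence check only tells you that some client has started the session, not which one, so the defence has to be a change of identifier at the moment the session gains value (login), not a filter on the identifiers accepted at session start.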