Newsgroups: php.internals
Subject: Re: [PHP-DEV] [PATCH] Modifications for ext/session/
From: sesser@php.net (Stefan Esser)
To: Hans Lellelid
CC: "Thomas O'Neill", internals@lists.php.net
Date: Tue, 26 Apr 2005 19:02:57 +0200
Message-ID: <426E7441.5010101@php.net>
In-Reply-To: <426E6F87.5020908@velum.net>
References: <4266894D.1070702@cain.sh> <42668AC0.1010607@caedmon.net> <4269D32C.1080706@cain.sh> <426E6F87.5020908@velum.net>

Hi,

> I haven't looked in any detail at these functions, but wouldn't you be
> able to prevent fixation by inquiring whether a particular session was
> already started? -- rather than PHP's current (IMHO flawed) behavior
> where a new session is simply started with whatever session id is passed
> in.

Being able to detect if a session was already started has nothing to do with session fixation attacks.

Session fixation means that you supply the user with a session id you know about. It doesn't make any difference if this session id was obtained by visiting the target site once, or by simply putting in a random one (that is then accepted by PHP). (And any argument that one obtained by visiting the site would be bound to the attacker's creds is invalid, because the same technique would catch new invalid sessions (because of no assigned creds).)

And the behaviour of PHP is not flawed. For several systems it is vital that the outside is able to set the session id. There is no reason to change that behaviour, because it doesn't stop any attack.

Yours,
Stefan Esser

--
--------------------------------------------------------------------------
Stefan Esser                                        sesser@php.net
Hardened-PHP Project                        http://www.hardened-php.net/
GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint       7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
--------------------------------------------------------------------------
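The application-side defence that follows from Stefan's point above (it makes no difference whether the presented id was issued by the site or made up by the attacker, so the fix is to stop trusting the pre-authentication id) as an added PHP example; this is not code from the thread, from the patch under discussion, or from ext/session. It assumes a hypothetical check_credentials() in place of a real credential store, PHP 7 syntax, and the session.use_strict_mode ini setting, which did not exist when this thread was written (it was added in PHP 5.5.2). Run it from the CLI to see the attacker-chosen id being replaced at login.

```php
<?php
declare(strict_types=1);

// Handler-level hardening; must run before session_start().
// Left at the default, ext/session adopts whatever id the request carries.
function harden_session_ini(): void
{
    // Refuse ids that ext/session did not generate itself (PHP >= 5.5.2).
    // This closes the "just make one up" variant, not the "obtain one
    // from the site" variant, so it complements regeneration at login.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1'); // never take ids from the URL
    ini_set('session.cookie_httponly', '1');
}

// Hypothetical stand-in for a real credential check (assumption).
function check_credentials(string $user, string $pass): bool
{
    // Constructed sample user; a real store would hold the hash, not the password.
    $known = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($known[$user]) && password_verify($pass, $known[$user]);
}

// Authenticates and returns the NEW session id, or null on failure.
// Requires an active session.
function login(string $user, string $pass): ?string
{
    if (!check_credentials($user, $pass)) {
        return null;
    }
    // Privilege level changes here. Discard the id the client arrived with,
    // whoever chose it, and issue a fresh server-generated one. The 'true'
    // argument deletes the old session data, so the old id (which the
    // attacker knows) no longer maps to the authenticated session.
    if (!session_regenerate_id(true)) {
        return null;
    }
    $_SESSION['user']    = $user;
    $_SESSION['auth_at'] = time();
    return session_id();
}

if (PHP_SAPI === 'cli') {
    // Simulate a victim whose browser presents an attacker-chosen id.
    // session_id() here stands in for the id arriving in the cookie;
    // strict mode is deliberately left off for this simulation so the
    // default accept-anything behaviour is what gets demonstrated.
    $fixated = 'attackerchosenid1234'; // constructed, not a real id
    session_id($fixated);
    session_start();
    $before = session_id();            // PHP adopted the fixated id as-is

    $after = login('alice', 'correct horse');
    session_write_close();

    printf("arrived with %s, authenticated session is %s: %s\n",
        $before,
        $after ?? '(login failed)',
        ($after !== null && $after !== $fixated) ? 'fixation broken' : 'FAIL');
}
```

In a web deployment call harden_session_ini() (or set the same keys in php.ini) before session_start() on every request, and call login() only from the handler that verifies credentials; regenerate again on any later privilege change, such as elevating to an admin role.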