Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:16098
Return-Path: <hans@velum.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 43135 invoked by uid 1010); 26 Apr 2005 17:17:19 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 43119 invoked from network); 26 Apr 2005 17:17:19 -0000
Received: from unknown (HELO velum.net) (127.0.0.1)
  by localhost with SMTP; 26 Apr 2005 17:17:19 -0000
X-Host-Fingerprint: 69.17.117.23 mail21.sea5.speakeasy.net Linux 2.5 (sometimes 2.4) (4)
Received: from ([69.17.117.23:43222] helo=mail21.sea5.speakeasy.net)
	by pb1.pair.com (ecelerity 1.2.12rc1 r(5476:5477)) with SMTP
	id E7/FB-59279-E977E624 for <internals@lists.php.net>; Tue, 26 Apr 2005 13:17:18 -0400
Received: (qmail 17711 invoked from network); 26 Apr 2005 17:17:14 -0000
Received: from out.appliedsec.com (HELO [127.0.0.1]) (hlellelid@[69.17.56.162])
	(envelope-sender <hans@velum.net>)
	by mail21.sea5.speakeasy.net (qmail-ldap-1.03) with AES256-SHA encrypted SMTP
	for <sesser@php.net>; 26 Apr 2005 17:17:13 -0000
Message-ID: <426E7798.4020208@velum.net>
Date: Tue, 26 Apr 2005 13:17:12 -0400
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Stefan Esser <sesser@php.net>
CC: Thomas O'Neill <tommyo@gmail.com>,  internals@lists.php.net
References: <4266894D.1070702@cain.sh> <42668AC0.1010607@caedmon.net>	<pkhi61di24djruht2uhqhjfppn6bt6dsme@4ax.com> <4269D32C.1080706@cain.sh>	<d0cb926205042518356213b551@mail.gmail.com> <Pine.LNX.4.61.0504260952410.29267@chatserv> <426E6F87.5020908@velum.net> <426E7441.5010101@php.net>
In-Reply-To: <426E7441.5010101@php.net>
X-Enigmail-Version: 0.89.5.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [PATCH] Modifications for ext/session/
From: hans@velum.net (Hans Lellelid)

Stefan Esser wrote:
> Hi,
> 
>> I haven't looked in any detail at these functions, but wouldn't you be 
>> able to prevent fixation by inquiring whether a particular session was 
>> already started? -- rather than PHP's current (IMHO flawed) behavior 
>> where a new session is simply started with whatever session is is 
>> passed in.
> 
> 
> beeing able to detect if a session was already started has nothing todo 
> with session fixation attacks.
> 
> Session fixation means that you supply the user with a session id you 
> know about. It doesn't make any difference if this session id was 
> obtained by visiting the target site once, or by simply putting in a 
> random one (that is then accepted by PHP).

Sorry, perhaps this is just a vocabulary misunderstanding on my part.  I 
thought "fixation" was explicitly providing the user with a fake but 
known session id (e.g. '1'), whereas "hijacking" is taking a valid id 
from another user.

> And the behaviour of PHP is not flawed. For several systems it is vital, 
> that the outside is able to set the session id. There is no reason to 
> change that behaviour, because it doesn't stop any attack.

Seems to me that it would.  If I can use XSS to get a user to click a 
link with PHPSESSID=1 in it, I know their session id and I don't have to 
concern myself with examining traffic, logs, or cookies.  Am I wrong?

-Hans