Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:16099
Return-Path: 
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 61246 invoked by uid 1010); 26 Apr 2005 17:27:51 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 61106 invoked from network); 26 Apr 2005 17:27:46 -0000
Received: from unknown (HELO pb1.pair.com) (127.0.0.1) by localhost with SMTP; 26 Apr 2005 17:27:46 -0000
X-Host-Fingerprint: 81.169.145.165 natsmtp00.rzone.de Solaris 8 (1)
Received: from ([81.169.145.165:56872] helo=natsmtp00.rzone.de) by pb1.pair.com (ecelerity 1.2.12rc1 r(5476:5477)) with SMTP id A9/5D-59279-DF97E624 for ; Tue, 26 Apr 2005 13:27:30 -0400
Received: from [192.168.1.77] (p50876811.dip.t-dialin.net [80.135.104.17]) by post.webmailer.de (8.13.1/8.13.1) with ESMTP id j3QHQr0g011351; Tue, 26 Apr 2005 19:26:54 +0200 (MEST)
Message-ID: <426E79DF.2080900@php.net>
Date: Tue, 26 Apr 2005 19:26:55 +0200
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Hans Lellelid
CC: "Thomas O'Neill" , internals@lists.php.net
References: <4266894D.1070702@cain.sh> <42668AC0.1010607@caedmon.net> <4269D32C.1080706@cain.sh> <426E6F87.5020908@velum.net> <426E7441.5010101@php.net> <426E7798.4020208@velum.net>
In-Reply-To: <426E7798.4020208@velum.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [PATCH] Modifications for ext/session/
From: sesser@php.net (Stefan Esser)

Hi,

> Sorry, perhaps this is just a vocabulary misunderstanding on my part. I
> thought "fixation" was explicitly providing the user with a fake but
> known session id (e.g. '1'), whereas "hijacking" is taking a valid id
> from another user.

Yeah... Well, you call it a fake session ID. But that is not exactly what session fixation means. It means you give the user a session ID he will ride with (and do not steal it from him). But it makes no difference if you give him a completely fake one or if you visit the site once yourself and then use the session ID you got for the fixation.

Stefan
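The two fixation variants Stefan describes (a made-up ID such as '1', and an ID the attacker was genuinely issued by visiting the site first) can be shown side by side against a server that honours whatever ID the client presents and against one that does not. The following is an added example written for this page; it is not code from the thread, from the patch under discussion, or from PHP's ext/session. The two in-memory servers, the request shape, the user store and the function names are all assumptions of the example.

```python
"""Session fixation modelled with two tiny in-memory servers.

Added example, not code from the php.internals thread or from ext/session.
A request carries a session ID; the server decides whether to honour it;
a login binds a user to the session.  VulnerableServer accepts any ID the
client presents and keeps it across login.  HardenedServer only honours IDs
it issued itself and replaces the ID when the user logs in.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

USERS = {"alice": "correct horse"}   # constructed credential store


@dataclass
class Response:
    session_id: str              # ID the client is expected to use from now on
    user: Optional[str] = None   # who the server believes is logged in


class VulnerableServer:
    """Honours any presented session ID and never changes it on login."""

    def __init__(self):
        self.sessions = {}

    def _session(self, sid):
        # Unknown IDs are silently created: a client-chosen ID becomes valid.
        if sid is None:
            sid = secrets.token_hex(16)
        self.sessions.setdefault(sid, {})
        return sid

    def visit(self, sid=None):
        sid = self._session(sid)
        return Response(sid, self.sessions[sid].get("user"))

    def login(self, sid, username, password):
        sid = self._session(sid)
        if USERS.get(username) == password:
            self.sessions[sid]["user"] = username   # bound to the attacker-chosen ID
        return Response(sid, self.sessions[sid].get("user"))


class HardenedServer(VulnerableServer):
    """Only server-issued IDs are accepted, and the ID is regenerated on login."""

    def _session(self, sid):
        # An ID the server did not issue is discarded and a fresh one minted.
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        return sid

    def login(self, sid, username, password):
        sid = self._session(sid)
        if USERS.get(username) != password:
            return Response(sid, None)
        data = self.sessions.pop(sid)          # the pre-login ID stops working ...
        new_sid = secrets.token_hex(16)        # ... and the user rides a new one
        data["user"] = username
        self.sessions[new_sid] = data
        return Response(new_sid, username)


def fixation_succeeds(server, attacker_sid):
    """Attacker has planted attacker_sid in the victim's browser; the victim
    logs in with it.  Returns True if the attacker's own request carrying the
    same ID is then authenticated as the victim."""
    server.login(attacker_sid, "alice", "correct horse")   # victim logs in
    return server.visit(attacker_sid).user == "alice"      # attacker checks


def demo():
    """Run both fixation variants against both servers."""
    results = {}
    for name, make in (("vulnerable", VulnerableServer), ("hardened", HardenedServer)):
        # Variant 1: a completely fake ID the attacker made up.
        results[(name, "fake")] = fixation_succeeds(make(), "1")
        # Variant 2: the attacker visits once and reuses the ID he was issued.
        srv = make()
        issued = srv.visit().session_id
        results[(name, "visited")] = fixation_succeeds(srv, issued)
    return results


if __name__ == "__main__":
    for (server, variant), hit in demo().items():
        print(f"{server:10s} {variant:8s} attacker authenticated: {hit}")
```

Against the vulnerable server both variants succeed, which is the point of the reply: the attacker does not steal the victim's ID, he supplies one, and it does not matter whether it was invented or obtained by an earlier visit. The hardened server defeats the fake-ID variant by refusing IDs it never issued and the visited-ID variant by retiring the pre-login ID at login; both measures are needed, since either one alone leaves one variant open. In PHP terms the equivalents are session.use_strict_mode=1 and session_regenerate_id(true) at login; whether the patch discussed in this thread does either is not visible in this message.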