Newsgroups: php.internals
Date: Wed, 23 Nov 2011 23:03:55 +0900
To: Hannes Magnusson
Cc: Ferenc Kovacs, Christopher Jones, internals@lists.php.net
References: <4EBDC283.3040700@yahoo.co.jp> <4ECC30C7.9060201@oracle.com>
Subject: Re: [PHP-DEV] Strict session?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Stats,

Thanks to Perrie, I realized I should try to get this patch accepted for the 5.4 branch.

As you may already know, session adoption is a "real" threat for PHP applications. Therefore, this patch should be in 5.4.0 for better security.

In case you've missed why session adoption is a real threat for PHP applications, please try setting the same cookies for various paths and domains. Then check and compare the results in IE and Chrome/Firefox.

This patch is really needed for PHP.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
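The defensive behaviour the mail argues for (refusing to adopt a session ID the server never issued), shown as an added userland example; this is not the patch under discussion nor PHP's own implementation. It assumes the default files save handler, so a known ID is one with a `sess_<id>` file under `session.save_path`, and it uses `session_create_id()` (PHP 7.3+) to mint a replacement ID.

```php
<?php
// Added example, not part of the original mail or the proposed patch.
// Assumption: the default "files" save handler is in use, so an id is
// "known" to the server exactly when sess_<id> exists under save_path.

function session_id_is_known(string $id): bool
{
    // Accept only the character set and length PHP itself generates, so a
    // planted cookie value cannot be turned into a path component.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        return false;
    }
    // save_path may carry "N;MODE;/dir"; keep only the directory part.
    $path = ini_get('session.save_path') ?: sys_get_temp_dir();
    $dir  = substr($path, strrpos($path, ';') === false ? 0 : strrpos($path, ';') + 1);
    return is_file(rtrim($dir, '/') . '/sess_' . $id);
}

function start_strict_session(): void
{
    $presented = $_COOKIE[session_name()] ?? null;

    if ($presented === null || !session_id_is_known($presented)) {
        // Unknown id (none, malformed, or never issued by this server):
        // do NOT adopt it. Start under a fresh server-generated id; the
        // Set-Cookie emitted by session_start() overwrites the stray cookie
        // regardless of which path/domain variant the browser picked.
        session_id(session_create_id());
        session_start();
        $_SESSION['created'] = time();
        return;
    }

    // Known id: resume it normally.
    session_start();
}

start_strict_session();
```

Later PHP releases ship this check natively as the `session.use_strict_mode` ini setting, which is the preferred way to get the same effect.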