Newsgroups: php.internals
Subject: Patch to minimize Session Fixation Risks
From: jd@inodes-fr.com ("inodes")
Date: Wed, 7 Apr 2004 15:56:45 +0200

Hello,

The PHP manual says it is the developer's job to ensure PHP sessions cannot be stolen or "fixed" (this is called Session Fixation).

To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I can port it for the other versions too - just ask...) that makes (almost) sure the current user IS the session creator. It is based on client IP addresses.

This patch is available at: http://www.trickytools.com/php/sesfixpatch.php

If you think this could be useful, it could be improved and someday be part of the official distro.

Jerome Delamarche
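The check the post describes, binding a session to the address of the client that created it, can also be done in userland. The following is an added illustration, not the patch linked above; it assumes PHP 5.4 or later (session_status, session_regenerate_id with the delete flag) and that REMOTE_ADDR really is the client (no reverse proxy or load balancer in front of PHP).

```php
<?php
// Added example, not Jerome's patch: userland equivalent of tying a PHP
// session to the client address that created it. Assumes PHP >= 5.4 and
// that $_SERVER['REMOTE_ADDR'] is the real client address (no proxy).

declare(strict_types=1);

// Returns true when the session belongs to this client address, false when
// the session was discarded and re-created because the address changed.
function secure_session_start(string $client_ip): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Only accept session ids from cookies, never from the URL, so a
        // link carrying a pre-chosen id cannot "fix" the session.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');
        session_start();
    }

    if (!isset($_SESSION['_creator_ip'])) {
        // Fresh session: remember who created it.
        $_SESSION['_creator_ip'] = $client_ip;
        return true;
    }

    if ($_SESSION['_creator_ip'] === $client_ip) {
        return true;
    }

    // Address mismatch: drop the stored data and issue a brand-new id so the
    // old id is useless whether it was fixed or stolen.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['_creator_ip'] = $client_ip;
    return false;
}

// Call on authentication: a new id means an id planted before login does not
// become a logged-in session (the IP check alone does not cover this case).
function on_login(): void
{
    session_regenerate_id(true);
}

if (PHP_SAPI !== 'cli') {
    if (!secure_session_start($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0')) {
        http_response_code(403);
        exit('Session does not match the client address');
    }
}
```

Binding to the address has the same limitation as the patch: clients behind NAT share an address, and clients whose address changes mid-session (mobile networks, some ISPs) are logged out, so rotating the id on login is the part that should not be skipped.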