Newsgroups: php.internals
Message-ID: <40740E30.2060505@peshield.de>
Date: Wed, 07 Apr 2004 16:20:32 +0200
To: inodes
CC: internals@lists.php.net
References: <015101c41ca8$4a1aa480$4601a8c0@shuttle>
In-Reply-To: <015101c41ca8$4a1aa480$4601a8c0@shuttle>
Subject: Re: [PHP-DEV] Patch to minimize Session Fixation Risks
From: se@peshield.de (Stefan Esser)

Hello,

>sure the current user IS the session creator. It is based on client IP
>addresses.

A legal user can have multiple IP addresses at the same time. This can
have several reasons... for example

a) ISP did disconnect him in between clicks
b) he is using a proxy but for the https part of your site he has no proxy
c) he or his proxy is using a NAT gateway

Stefan Esser
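
The three cases above as an added example (not part of the original message and not PHP's session code): a Python simulation of a session check bound to the creating client's IP address, replayed over constructed request sequences from one legitimate user. The class and function names, the session IDs, the documentation-range addresses and the two-address NAT gateway in case c are assumptions made for illustration.

```python
# Constructed model of an IP-bound session check; not PHP's session code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    session_id: str
    client_ip: str  # source address as seen by the web server
    note: str


class IpBoundSessions:
    """Accept a session ID only from the address that first presented it."""

    def __init__(self):
        self.creator_ip = {}

    def check(self, req):
        bound = self.creator_ip.setdefault(req.session_id, req.client_ip)
        return bound == req.client_ip


def false_rejects(requests):
    """Replay one legitimate user's requests; return notes of rejected ones."""
    store = IpBoundSessions()
    return [r.note for r in requests if not store.check(r)]


# Constructed sample traffic (RFC 5737 documentation addresses).
SCENARIOS = {
    "a_isp_reconnect": [
        Request("s1", "192.0.2.10", "first click"),
        Request("s1", "192.0.2.77", "click after reconnect"),
    ],
    "b_proxy_for_http_only": [
        Request("s2", "198.51.100.5", "http via proxy"),
        Request("s2", "192.0.2.10", "https direct"),
        Request("s2", "198.51.100.5", "http via proxy again"),
    ],
    "c_nat_gateway": [  # assumption: gateway with two outbound addresses
        Request("s3", "203.0.113.1", "request 1"),
        Request("s3", "203.0.113.2", "request 2"),
        Request("s3", "203.0.113.1", "request 3"),
    ],
}

if __name__ == "__main__":
    for name, reqs in SCENARIOS.items():
        print(name, "rejected:", false_rejects(reqs))
```

Every rejected request in these sequences comes from the session's rightful owner, so each one is a false reject produced by the IP binding alone.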