Newsgroups: php.internals
Xref: news.php.net php.internals:8961
Subject: Re: [PHP-DEV] Patch to minimize Session Fixation Risks
From: robert@interjinn.com (Robert Cummings)
To: inodes
Cc: internals@lists.php.net
Date: 07 Apr 2004 10:17:14 -0400
Message-ID: <1081347434.18872.4.camel@blobule.suds>
In-Reply-To: <015101c41ca8$4a1aa480$4601a8c0@shuttle>
References: <015101c41ca8$4a1aa480$4601a8c0@shuttle>

On Wed, 2004-04-07 at 09:56, inodes wrote:
> Hello,
>
> The PHP manual says it is the developer's job to ensure PHP sessions cannot
> be stolen or "fixed" (this is called Session Fixation).
>
> To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I
> can port it for the other versions too - just ask...), that makes (almost)
> sure the current user IS the session creator. It is based on client IP
> addresses.
>
> This patch is available at: http://www.trickytools.com/php/sesfixpatch.php
>
> If you think this could be useful, it could be improved and someday be part
> of the official distro.

I remember reading in the forums before that using the request IP to
"fixate" a session isn't practical since some ISPs (namely AOL) can have
the request IP suddenly change between one request and another.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
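The exchange above contrasts two ways of dealing with session fixation: binding the session to the client IP (the proposed patch) and the objection that the IP is not stable for some ISPs. The following is an added example, not code from the thread, from the patch at trickytools.com, or from PHP's own session module. It shows the approach that does not depend on the client address at all: regenerating the session id at the moment of authentication, so an id planted before login never carries an authenticated session. It assumes a modern PHP (7 or later; `session.use_strict_mode` needs 5.5.2+ and the delete flag of `session_regenerate_id()` needs 5.1+), whereas the patch in the thread targeted 4.3.5. The function names, the sample account and the request-handling sketch at the end are this example's own.

```php
<?php
// Added example, not code from the thread or from the patch it discusses.
// Defends against session fixation by discarding whatever session id the
// browser arrived with when the user authenticates, instead of pinning the
// session to REMOTE_ADDR. Assumes PHP 7+.

declare(strict_types=1);

function secure_session_start(): void
{
    // Ids must come from the cookie, never from the URL, and ids that PHP
    // did not itself issue are rejected instead of being adopted.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Hypothetical credential check against a constructed sample account; a real
// application would consult its user store.
function credentials_are_valid(string $user, string $password): bool
{
    static $stored_hash = null;
    if ($stored_hash === null) {
        $stored_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    }
    return $user === 'alice' && password_verify($password, $stored_hash);
}

function login(string $user, string $password): bool
{
    if (!credentials_are_valid($user, $password)) {
        return false;
    }
    // The core step: a fresh id is issued and the old session data deleted,
    // so an id planted before login cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    $_SESSION['addr'] = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

// The objection raised in the reply above: some ISPs rotate the client
// address between requests, so a strict REMOTE_ADDR comparison logs
// legitimate users out. Recording the change is useful for logging;
// treating it as fatal is what the reply warns against.
function client_address_changed(): bool
{
    $now = $_SERVER['REMOTE_ADDR'] ?? '';
    return isset($_SESSION['addr']) && $_SESSION['addr'] !== $now;
}

// Request-handling sketch for a web SAPI (skipped under the CLI).
if (PHP_SAPI !== 'cli') {
    secure_session_start();
    if (client_address_changed()) {
        error_log('session ' . session_id() . ': client address changed');
    }
    if (isset($_POST['user'], $_POST['password'])) {
        if (login((string) $_POST['user'], (string) $_POST['password'])) {
            header('Location: /home');
            exit;
        }
        http_response_code(401);
        echo 'login failed';
    }
}
```

With `use_strict_mode` on, a session id the server never issued is ignored and a new one generated, and `session_regenerate_id(true)` at login means that even an id the attacker did get the victim to adopt is abandoned before any privilege is attached to it. The address comparison is kept only as a logged signal, which is the compromise that survives the AOL case described in the reply.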