Newsgroups: php.internals
Message-ID: <019601c41caf$ac857b20$4601a8c0@shuttle>
Date: Wed, 7 Apr 2004 16:50:30 +0200
From: jd@inodes-fr.com ("inodes")
To: internals@lists.php.net
Subject: Patch to minimize session fixation (continued)

I agree with all your arguments: the IP-based solution IS NOT perfect. It is not generic enough to be implemented in world-wide applications, but it can be useful for intranets or extranets. That is to say, cases when you know that the infrastructure used by the clients to connect to your server supports this strategy.

My goal is to minimize the risks for now, since I don't know yet what the perfect solution could be.

Other tests could be made:
- on the browser headers
- on IP ranges rather than on the single client IP address
- and so on...

Jerome
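The two checks Jerome proposes above (a browser header and an IP range rather than the exact client address) can be combined into a session-binding check in userland PHP. The following is an added example written for this page, not Jerome's patch and not code from the PHP project; the function names, the `__bind` session key, the SHA-256 fingerprint and the /24 and /64 prefix lengths are choices made here for illustration. It assumes the usual `$_SERVER['REMOTE_ADDR']` and `HTTP_USER_AGENT` values are present, which is exactly the intranet/extranet precondition the post describes.

```php
<?php
// Added example (not from the original post): bind a PHP session to a
// coarse client fingerprint built from an IP *range* and a browser header,
// and reset the session when the fingerprint no longer matches.
declare(strict_types=1);

// Session key under which the fingerprint is stored (name chosen for this example).
const SESSION_BIND_KEY = '__bind';

// Reduce an IPv4 address to its /24 network, or an IPv6 address to its /64.
// Clients behind NAT pools or rotating proxies usually stay within these
// ranges, which is the trade-off the post describes: coarser than a single
// address, but still usable on an infrastructure you control.
function client_network(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $parts = explode('.', $ip);
        return implode('.', array_slice($parts, 0, 3)) . '.0/24';
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $bin = inet_pton($ip);                     // 16 raw bytes
        return bin2hex(substr($bin, 0, 8)) . '/64'; // keep the first 64 bits
    }
    return null;
}

// Build the fingerprint that is stored alongside the session data.
// Hashing keeps the raw address and User-Agent out of the session store.
function session_fingerprint(array $server): string
{
    $network = client_network($server['REMOTE_ADDR'] ?? '') ?? 'unknown';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $network . "\0" . $ua);
}

// Call immediately after session_start(). On first use it records the
// fingerprint; on a mismatch it discards the session data and issues a
// fresh id, so a fixated or stolen id does not carry the victim's data.
// Returns true when the session is accepted, false when it was reset.
function enforce_session_binding(array $server): bool
{
    $fp = session_fingerprint($server);
    if (!isset($_SESSION[SESSION_BIND_KEY])) {
        $_SESSION[SESSION_BIND_KEY] = $fp;
        return true;
    }
    if (hash_equals($_SESSION[SESSION_BIND_KEY], $fp)) {
        return true;
    }
    // Mismatch: drop all session data and rotate the id (the old one is deleted).
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION[SESSION_BIND_KEY] = $fp;
    return false;
}

session_start();
if (!enforce_session_binding($_SERVER)) {
    // Treat the request as unauthenticated; log it for the operators.
    error_log('session binding mismatch, session reset');
}
```

The check only narrows who can use an already-issued id; it does not replace the basic fixation defence of calling `session_regenerate_id(true)` when a user's privilege level changes (for example at login). As the post says, the IP part depends on the client infrastructure: on networks where users legitimately move between ranges, the header check alone or a wider prefix is the safer setting, at the cost of catching fewer stolen ids.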