Newsgroups: php.internals
Xref: news.php.net php.internals:8963
Subject: Re: [PHP-DEV] Patch to minimize Session Fixation Risks
From: george@omniti.com (George Schlossnagle)
To: Robert Cummings
Cc: inodes, internals@lists.php.net
Date: Wed, 7 Apr 2004 11:03:06 -0400
In-Reply-To: <1081347434.18872.4.camel@blobule.suds>
References: <015101c41ca8$4a1aa480$4601a8c0@shuttle> <1081347434.18872.4.camel@blobule.suds>

On Apr 7, 2004, at 10:17 AM, Robert Cummings wrote:

> On Wed, 2004-04-07 at 09:56, inodes wrote:
>> Hello,
>>
>> The PHP manual says it is the developer's job to ensure PHP sessions
>> cannot be stolen or "fixed" (this is called Session Fixation).
>>
>> To minimise the risk of session fixation, I wrote a patch for
>> PHP-4.3.5 (I can port it for the other versions too - just ask...),
>> that makes (almost) sure the current user IS the session creator.
>> It is based on client IP addresses.
>>
>> This patch is available at:
>> http://www.trickytools.com/php/sesfixpatch.php
>>
>> If you think this could be useful, it could be improved and someday
>> be part of the official distro.
>
> I remember reading in the forums before that using the request IP to
> "fixate" a session isn't practical since some ISPs (namely AOL) can
> have the request IP suddenly change between one request and another.

Yes, this behavior is quite common for many of the large ISPs.

George
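As an added example to go with the thread (this is not the patch inodes posted, which is not reproduced here, and not PHP's own session code): the first function is a userland version of the idea under discussion, binding a session to the address that created it, written so it can be exercised without a web server and so the failure mode Robert and George describe is visible. The remaining two functions show the fixation defence that does not depend on the client address at all, using the `session.use_strict_mode` setting (added in PHP 5.5.2) and `session_regenerate_id()`. The `_owner_ip` key, the function names and the 192.0.2.x addresses in the demo are constructed for the example.

```php
<?php
// Added example, not the patch from the thread and not PHP's own session code.
// (a) binds a session to the client address that created it and shows the false
//     positive that follows when the address changes mid-session;
// (b) defends against fixation without looking at the address at all.

declare(strict_types=1);

// (a) Client-address binding, as a pure function over the $_SESSION array.
// $session is $_SESSION, $remote_addr is $_SERVER['REMOTE_ADDR'].
// Returns true if the request may continue with this session.
// The '_owner_ip' key is a name chosen for this example.
function session_matches_client(array &$session, string $remote_addr): bool
{
    if (!isset($session['_owner_ip'])) {
        // First request seen for this id: remember who created it.
        $session['_owner_ip'] = $remote_addr;
        return true;
    }
    // Any later request from a different address is treated as a hijack,
    // including a legitimate user whose ISP moved them to another proxy.
    return $session['_owner_ip'] === $remote_addr;
}

// (b) Fixation defence that survives an address change.
function secure_session_start(): void
{
    // Accept only ids this server generated (PHP >= 5.5.2). An id an attacker
    // planted in the victim's cookie or URL is discarded and a fresh id issued,
    // so the attacker never learns a valid id ahead of time.
    ini_set('session.use_strict_mode', '1');
    // Never read the id from the query string.
    ini_set('session.use_only_cookies', '1');
    session_start();
}

function on_login(array &$session, string $user): void
{
    // Replace the pre-authentication id and delete the old session data.
    // Even if the attacker fixed the old id, it no longer maps to the
    // authenticated session.
    session_regenerate_id(true);
    $session['user'] = $user;
}

// Demo of (a) under the address change the thread describes. The addresses
// are constructed (RFC 5737 documentation range). The third call is the same
// user whose ISP moved them to another outbound proxy between requests.
$sess = [];
session_matches_client($sess, '192.0.2.10');   // creator recorded
session_matches_client($sess, '192.0.2.10');   // same address, still accepted
session_matches_client($sess, '192.0.2.77');   // address moved, now rejected
```

The third call in the demo returns false and a real application would then log the user out, which is the practical objection raised in the thread: the check cannot distinguish a stolen session from a user behind rotating proxies. The (b) path makes no such distinction and still closes the fixation window, because the id the attacker could have planted is either rejected at `session_start()` or replaced at login.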