Newsgroups: php.internals
Subject: Re: [PHP-DEV] Patch to minimize session fixation (continued)
From: jd@inodes-fr.com ("inodes")
Date: Wed, 7 Apr 2004 17:50:36 +0200
Message-ID: <020e01c41cb8$11d3cd30$4601a8c0@shuttle>

Sasha suggests that I implement these checks in my script: IMHO that's not the right strategy. You guys are probably good programmers, but my experience shows me that the "standard" PHP developer is not aware of security problems or does not have the time to finalize the scripts (time is money...). So I would like to provide a way to ensure some basic tests are made by PHP itself!

As an analogy I could talk about the "mod_security" Apache module: it globalizes some tests before Apache calls the scripts and so minimizes the effort of developers, who would otherwise always have to take care of user input... Of course, good programmers always filter input, but adding another security level is good practice too...
I could also say that my patch is a bit like the "safe mode": it is not perfect at all but, nevertheless, it can be useful! So, I will enhance the "patch" to make it less restrictive when testing the IP addresses and think about a strategy to handle AOL-like ISPs...

Cheers,
Jerome
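The kind of tolerant IP check the message proposes, sketched as an added example in application-level PHP rather than the engine patch under discussion; it is not code from this thread or from PHP itself, and the prefix length, fingerprint layout and function names are assumptions:

```php
<?php
declare(strict_types=1);

// Hypothetical policy: only the first N bits of an IPv4 address must stay the
// same across requests, so clients behind rotating proxies (the AOL-like ISP
// case) are not thrown out while a session stolen from a distant network is.
const SESSION_IP_PREFIX_BITS = 16;

// Return "a.b.0.0/16"-style prefix for an IPv4 address, or null if not IPv4.
function ipv4_prefix(string $ip, int $bits): ?string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return long2ip(ip2long($ip) & $mask) . '/' . $bits;
}

// Fingerprint = network prefix + User-Agent; a non-IPv4 address is used as-is.
function session_fingerprint(string $remoteAddr, string $userAgent): string {
    $prefix = ipv4_prefix($remoteAddr, SESSION_IP_PREFIX_BITS) ?? $remoteAddr;
    return hash('sha256', $prefix . "\0" . $userAgent);
}

// Start the session and enforce the fingerprint on every request.
function session_start_checked(): void {
    session_start();
    $current = session_fingerprint(
        $_SERVER['REMOTE_ADDR'] ?? '',
        $_SERVER['HTTP_USER_AGENT'] ?? ''
    );
    if (!isset($_SESSION['fp'])) {
        // First use of this ID: it may have been planted by someone else
        // (fixation), so issue a fresh ID before storing anything in it.
        session_regenerate_id(true);
        $_SESSION['fp'] = $current;
    } elseif (!hash_equals($_SESSION['fp'], $current)) {
        // Fingerprint moved outside the allowed prefix: drop the session
        // data and the old ID rather than trusting either.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fp'] = $current;
    }
}

// At login, rotate the ID again so a pre-authentication ID is never promoted.
function on_successful_login(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Call `session_start_checked()` in place of `session_start()` on every page and `on_successful_login()` once the credentials check passes; widening `SESSION_IP_PREFIX_BITS` toward 0 trades hijack resistance for tolerance of address changes.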