Newsgroups: php.internals
Subject: Re: [PHP-DEV] Patch to minimize session fixation (continued)
From: sean@caedmon.net (Sean Coates)
To: inodes
CC: internals@lists.php.net
Date: Wed, 07 Apr 2004 12:08:22 -0400
Message-ID: <40742776.2090500@caedmon.net>
In-Reply-To: <019601c41caf$ac857b20$4601a8c0@shuttle>

While I like that your patch can be turned on and off in the INI, this sounds much more like an application-level problem, and thus should be implemented at the application level.

MHO.

S

inodes wrote:
> I agree with all your arguments: the IP-based solution IS NOT perfect.
>
> It is not generic enough to be implemented in a world-wide application, but it
> can be useful for intranets or extranets. That is to say, cases where you know
> the infrastructure used by the clients to connect to your server supports
> this strategy.
>
> My goal is to minimize the risks for now, since I don't know yet what the
> perfect solution could be.
>
> Other tests could be made:
> - on the browser headers
> - on IP ranges rather than on the single client IP address
> - and so on...
>
> Jerome
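The following is an added example, not code from Sean Coates, from Jerome's patch, or from the PHP project, illustrating what "implemented at the application level" looks like for session fixation: a login that keeps the attacker-supplied session id beside one that regenerates it, plus the optional IP-range and User-Agent binding Jerome describes, kept behind a flag because it breaks for clients behind rotating proxies or NAT pools. Function names (`login_user_fixable`, `login_user_hardened`, `client_fingerprint`, `enforce_client_binding`), the `demo` credential check and the `/24` range choice are assumptions made for this example.

```php
<?php
// Added example: application-level session fixation defences for PHP.
// Not the code of either poster nor the engine patch under discussion.
declare(strict_types=1);

/**
 * BEFORE: the session id the browser arrived with is kept across login.
 * If an attacker planted that id (link, cookie injection, trans-sid URL),
 * the attacker's copy of the id is now an authenticated session.
 */
function login_user_fixable(int $userId): void
{
    $_SESSION['user_id'] = $userId;
}

/**
 * AFTER: a new id is issued at the privilege change and the old session
 * data is deleted (the `true` argument). Whatever id the attacker fixed
 * before login no longer maps to anything on the server.
 */
function login_user_hardened(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

/**
 * Fingerprint from the client's IPv4 /24 and User-Agent. Using the range
 * rather than the single address (Jerome's second bullet) tolerates small
 * load-balanced proxy pools; anything that is not dotted-quad IPv4 is used
 * verbatim. This is a heuristic, not an authentication factor.
 */
function client_fingerprint(string $remoteAddr, string $userAgent): string
{
    $octets = explode('.', $remoteAddr);
    $range = (count($octets) === 4 && ctype_digit(implode('', $octets)))
        ? implode('.', array_slice($octets, 0, 3))
        : $remoteAddr;
    return hash('sha256', $range . '|' . $userAgent);
}

/**
 * Bind the session to the fingerprint on first sight; on a later mismatch
 * drop the session contents and issue a fresh id, so an id reused from a
 * different client (or a different IP range) carries no privileges.
 * Disabled by default: on the open Internet legitimate users change IP
 * ranges mid-session, which is exactly the limitation Jerome concedes.
 */
function enforce_client_binding(bool $enabled): void
{
    if (!$enabled) {
        return;
    }
    $fp = client_fingerprint(
        $_SERVER['REMOTE_ADDR'] ?? '',
        $_SERVER['HTTP_USER_AGENT'] ?? ''
    );
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $fp;
        return;
    }
    if (!hash_equals($_SESSION['fp'], $fp)) {
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fp'] = $fp;
    }
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// Request flow. In a real application the binding flag would come from
// configuration (an intranet could turn it on, a public site would not).
session_start();
enforce_client_binding(false);

// Assumption for the example: a trivial credential check standing in for
// real authentication. Only the hardened login is wired up.
if (isset($_POST['password']) && hash_equals('demo', (string) $_POST['password'])) {
    login_user_hardened(42);
}
```

The point Sean makes is visible in the two login functions: the fix is one call at the moment privilege changes, which the engine cannot place because it does not know when a login happens. The fingerprint check is a separate, optional layer and should be treated as the risk reduction Jerome describes, not as a replacement for regenerating the id.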