Newsgroups: php.internals
Subject: Re: Patch to minimize session fixation (continued)
From: hans@appliedsec.com (Hans Lellelid)
To: Inodes
Cc: internals@lists.php.net
Date: Wed, 07 Apr 2004 12:50:52 -0400
In-Reply-To: <019601c41caf$ac857b20$4601a8c0@shuttle>

I also would add that, from experience, using IP addresses to validate sessions does not work for any internet application.

> It is not generic enough to be implemented in a world-wide application, but it
> can be useful for intranets or extranets. That's to say, cases when you know
> the infrastructure used by the clients to connect to your server supports
> this strategy.

Yes, I suppose this is true, but if you are building an intranet application you probably aren't going to need this additional security.

I agree with the others -- this belongs in your application. In particular, to prevent session fixation (rather than session hijacking), use session_regenerate_id() after authentication happens. This should prevent fixation.

Hans
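The advice above, shown as an added example that is not part of the thread or of PHP itself: a login handler that keeps the client-supplied session ID next to one that rotates it with session_regenerate_id() at the authentication boundary. The credential check is a constructed stand-in, and the `true` argument that deletes the old session record assumes PHP 5.1 or later.

```php
<?php
// Added example, not code from the mailing-list thread. check_credentials()
// is a hypothetical stand-in for a real user store.

declare(strict_types=1);

// Constructed credential check: returns a user id on success, null otherwise.
function check_credentials(string $user, string $pass): ?int
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        return 1;
    }
    return null;
}

// FIXABLE: keeps whatever session ID the client arrived with. If anyone else
// already knew that ID before login, it now names an authenticated session.
function login_fixable(string $user, string $pass): bool
{
    session_start();
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    $_SESSION['uid'] = $uid;
    return true;
}

// HARDENED: once authentication succeeds, issue a fresh ID and discard the
// old record, so a pre-login ID is useless after the privilege change.
function login_safe(string $user, string $pass): bool
{
    session_start();
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    // Privilege level changes here; rotate the ID at exactly this point.
    session_regenerate_id(true); // true = remove the old session data (PHP >= 5.1)
    // Start from an empty session so no pre-authentication state carries over.
    $_SESSION = ['uid' => $uid, 'auth_at' => time()];
    return true;
}
```

Regenerating on every request is unnecessary for fixation; the point is to rotate whenever the session's privilege level changes (login, and again on any later elevation).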