Newsgroups: php.internals
Subject: Re: [PHP-DEV] Patch to minimize session fixation (continued)
From: cschneid@cschneid.com (Christian Schneider)
Date: Wed, 07 Apr 2004 18:58:27 +0200
To: Inodes
Cc: internals@lists.php.net
Message-ID: <40743333.8080002@cschneid.com>
In-Reply-To: <020e01c41cb8$11d3cd30$4601a8c0@shuttle>

Inodes wrote:
> You guys are probably good programmers, but my experience shows me that the
> "standard" PHP developer is not aware of security problems or he/she has
> not the time to finalize the scripts (time is money...).
The problem with your patch is twofold:

1) It breaks for some users under rare circumstances, which leads to very hard to reproduce bug reports. Trust me. I tried to use IP tracking and similar stuff and had to remove it because of user complaints.

2) It gives a false sense of security, which leads to people spending less thought on the security concept of the application because they rely on the session mechanism.

Take proxies as an example: You'd have to also check for X-Forwarded-For headers to get the address behind a large ISP's proxy, which opens up a whole new can of worms: How do you know that it wasn't the hacker sending X-Forwarded-For with the user's IP?

I decided to say "If X knows the session ID of User A then he _is_ A". (Side note: I use my own random/MD5-based session IDs which should be hard to guess). If I think sniffing a session ID is a problem then my application probably needs a higher security level anyway and I switch to SSL.

> So, I will enhance the "patch" to make it less restrictive when testing the
> IP addresses and think about a strategy to handle AOL-like ISP...

Speaking from my own experience I should warn you that it is quite hard to convince this list to accept such patches. Don't be too disappointed in that case ;-)

I agree with other posts that this belongs in either
a) the application
b) PEAR (I'm pretty sure PEAR already offers something like this, haven't checked though)
and not core PHP.

- Chris
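The proxy problem Chris raises, as an added PHP example that is not code from the thread, from the proposed patch, or from PHP's own session code: an IP-bound session check that honours X-Forwarded-For only when the request arrives via a proxy the application operates. The helper names `client_ip` and `session_matches`, the proxy address, the session record and the request arrays are all constructed for the illustration.

```php
<?php
// Added example (not from the original thread, the patch, or PHP's own
// session code): binding a session to a client address as the discussed
// patch would, and why X-Forwarded-For (XFF) may only be honoured when
// it comes from a proxy we operate.

// Resolve the client address from a $_SERVER-like array. XFF is client-
// supplied input, so it is consulted only when the TCP peer (REMOTE_ADDR)
// is one of our trusted proxies; from anyone else it is ignored.
function client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // The last hop was appended by our proxy; earlier entries could be
    // anything the client or an upstream proxy chose to send.
    $last = end($hops);
    return ($last !== false && $last !== '') ? $last : $peer;
}

// The patch's idea: reject the session if the address seen now differs
// from the one recorded when the session was created.
function session_matches(array $session, array $server, array $trusted_proxies): bool
{
    return $session['bound_ip'] === client_ip($server, $trusted_proxies);
}

// Constructed data: a session bound to 198.51.100.7 and one reverse proxy
// (10.0.0.5) that we run in front of the application.
$session = ['bound_ip' => '198.51.100.7'];
$proxies = ['10.0.0.5'];
$requests = [
    // direct connection from the bound address
    'direct'  => ['REMOTE_ADDR' => '198.51.100.7'],
    // same user behind our proxy, which appended the real address
    'proxied' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    // same user, but the ISP's proxy pool rotated to another egress address:
    // rejected, the "hard to reproduce" breakage the reply warns about
    'rotated' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'],
    // unrelated peer presenting a forged XFF: ignored because 203.0.113.44
    // is not a trusted proxy, so the header alone cannot pass the check
    'forged'  => ['REMOTE_ADDR' => '203.0.113.44', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
];
foreach ($requests as $name => $req) {
    printf("%-8s %s\n", $name, session_matches($session, $req, $proxies) ? 'accepted' : 'rejected');
}
```

Running it accepts `direct` and `proxied` and rejects `rotated` and `forged`; the rotated case is the legitimate user the check locks out, and the forged case shows that whoever holds the session ID is still trusted everywhere the address check does not apply.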