Newsgroups: php.internals
Subject: Re: [PHP-DEV] Patch to minimize session fixation (continued)
From: jochem@iamjochem.com (Jochem Maas)
Date: Thu, 08 Apr 2004 03:48:51 +0200
In-Reply-To: <40742776.2090500@caedmon.net>

Sean Coates wrote:
> While I like that your patch can be turned on and off in the INI, this
> sounds much more like an application-level problem, and thus should be
> implemented at the application level.

Loads of people have actually put stuff out that does this...
^
|

>> Other tests could be made:
>> - on the browser headers
>> - on IP ranges rather than on the single client IP address
>> - and so on...

What about a scoring system (based on checks on the above and more?), a bit like that which is used in products like SpamAssassin; the ini setting could be a threshold value (0 basically meaning attempt no checks and any value > 0 && =< 1 to be a reject/accept* threshold).
...anyway the idea of being able to do some kind of sanity check on behalf of 'beginners' (no offense intended) is a nice idea. Advanced users tend to have specific environment requirements (and set them up accordingly) and perform decent checking anyway.
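A sketch of the scoring idea discussed above, as an added example that is not from this thread or from PHP's session extension; the function names, fingerprint keys and weights are assumptions, and the sample request data is constructed:

```php
<?php
// Added example (not from the thread or from PHP itself): an application-level
// scoring check. Each check adds its weight when it passes; the normalised
// score is compared with a threshold, where 0 means "attempt no checks".
// Function names, fingerprint keys and weights are assumptions.
declare(strict_types=1);

// True if both IPv4 addresses share the same /$bits prefix (64-bit PHP assumed).
function ip_in_same_prefix(string $a, string $b, int $bits): bool
{
    $pa = ip2long($a);
    $pb = ip2long($b);
    if ($pa === false || $pb === false) {
        return false; // unparsable or non-IPv4 input counts as a mismatch
    }
    return ($pa >> (32 - $bits)) === ($pb >> (32 - $bits));
}

// Compare the fingerprint stored at login with the current request's.
function session_trust_score(array $stored, array $current, array $weights): float
{
    $total = array_sum($weights);
    if ($total <= 0) {
        return 1.0; // no checks configured
    }
    $score = 0.0;
    if ($stored['ua'] === $current['ua']) {
        $score += $weights['ua'];
    }
    if ($stored['lang'] === $current['lang']) {
        $score += $weights['lang'];
    }
    if (ip_in_same_prefix($stored['ip'], $current['ip'], 24)) {
        $score += $weights['ip_range'];
    }
    return $score / $total;
}

function session_is_acceptable(float $score, float $threshold): bool
{
    return $threshold <= 0.0 || $score >= $threshold;
}

// Constructed sample: same browser and language, client moved within its /24.
$stored  = ['ua' => 'Mozilla/5.0 (X11; Linux) Gecko', 'lang' => 'en-us', 'ip' => '192.0.2.17'];
$current = ['ua' => 'Mozilla/5.0 (X11; Linux) Gecko', 'lang' => 'en-us', 'ip' => '192.0.2.40'];
$weights = ['ua' => 0.5, 'lang' => 0.2, 'ip_range' => 0.3];
$score = session_trust_score($stored, $current, $weights);
// A rejected session should be discarded and a fresh id issued (session_regenerate_id()).
printf("score=%.2f accepted=%s\n", $score, session_is_acceptable($score, 0.8) ? 'yes' : 'no');
```

With the weights above the sample scores 1.0 against a 0.8 threshold and is accepted; a User-Agent mismatch alone would drop it to 0.5 and reject it.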