Newsgroups: php.internals
Xref: news.php.net php.internals:8977
Subject: Re: [PHP-DEV] Patch to minimize session fixation (continued)
From: george@omniti.com (George Schlossnagle)
To: Jochem Maas
Cc: internals@lists.php.net
Date: Wed, 7 Apr 2004 21:57:46 -0400
Message-ID: <21D20DAE-8900-11D8-8177-000393B2B3C0@omniti.com>
In-Reply-To: <4074AF83.3040503@iamjochem.com>
References: <019601c41caf$ac857b20$4601a8c0@shuttle> <40742776.2090500@caedmon.net> <4074AF83.3040503@iamjochem.com>

On Apr 7, 2004, at 9:48 PM, Jochem Maas wrote:

> Sean Coates wrote:
>
>> While I like that your patch can be turned on and off in the INI,
>> this sounds much more like an application-level problem, and thus
>> should be implemented at the application level.
>
> Loads of people have actually put stuff out that does this...
>                                                   ^
>                                                   |
>>> Other tests could be made:
>>> - on the browser headers
>>> - on IP ranges rather than on the single client IP address
>>> - and so on...
>
> What about a scoring system (based on checks on the above and more?),
> a bit like that which is used in products like SpamAssassin; the ini
> setting could be a threshold value (0 basically meaning attempt no
> checks and any value > 0 && =< 1 to be the reject/accept* threshold).
>
> ...anyway, the idea of being able to do some kind of sanity check on
> behalf of 'beginners' (no offence intended) is a nice idea. Advanced
> users tend to have specific environment requirements (and set them up
> accordingly) and perform decent checking anyway.

All of the above methods have problems with proxy servers. As a robust
solution to the problem doesn't exist, people should implement their own
non-robust solutions in their own scripts.

George
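Added example (not code from this thread, from the patch under discussion, or from PHP itself): an application-level check of the kind Jochem sketches, scoring the request against the User-Agent and IP address recorded when the session was established, with a threshold where 0 disables the check and any value in (0, 1] is the minimum score to accept. The function names, the `$_SESSION['fp']` key, the weights and the sample values are all assumptions made for the example; it targets PHP 7.1 or later. The /24 comparison gives partial credit to clients behind a proxy pool, but that only softens the proxy problem George raises: a client whose requests leave through proxies in different networks will still fail the IP part of the check, which is why the threshold is left to the application.

```php
<?php
// Added example, not part of the original thread or of PHP.
// Assumed names: session_fingerprint_bind(), session_fingerprint_score(),
// session_fingerprint_check(), same_ipv4_24(), the $_SESSION['fp'] key
// and the weights below are all choices made for this example.

/**
 * Record the client's User-Agent and IP address in the session.
 * Intended to be called once after a successful login, right after
 * session_regenerate_id(), so the pre-login session ID is not kept.
 */
function session_fingerprint_bind(array $server): void
{
    $_SESSION['fp'] = [
        'ua' => $server['HTTP_USER_AGENT'] ?? '',
        'ip' => $server['REMOTE_ADDR'] ?? '',
    ];
}

/** True when both IPv4 addresses share the same /24 (first 24 bits). */
function same_ipv4_24(string $a, string $b): bool
{
    $pa = ip2long($a);
    $pb = ip2long($b);
    if ($pa === false || $pb === false) {
        return false;           // not IPv4 (or not an address at all)
    }
    return ($pa >> 8) === ($pb >> 8);
}

/**
 * Score the current request against the recorded fingerprint.
 * Returns a value in [0, 1]; 1.0 means every check matched.
 * Weights (assumed for the example): User-Agent 0.5, exact IP 0.5,
 * same /24 but different IP 0.25.
 */
function session_fingerprint_score(array $fp, array $server): float
{
    $score = 0.0;

    if (($server['HTTP_USER_AGENT'] ?? '') === $fp['ua']) {
        $score += 0.5;          // exact User-Agent match
    }

    $ip = $server['REMOTE_ADDR'] ?? '';
    if ($ip !== '' && $ip === $fp['ip']) {
        $score += 0.5;          // exact IP match
    } elseif (same_ipv4_24($ip, $fp['ip'])) {
        $score += 0.25;         // same /24: half credit, tolerates proxy pools
    }

    return $score;
}

/**
 * Apply the threshold. 0 switches the check off entirely; any value
 * in (0, 1] is the minimum score required to accept the request.
 * A session that was never bound fails when the check is enabled.
 */
function session_fingerprint_check(array $server, float $threshold): bool
{
    if ($threshold <= 0.0) {
        return true;            // checks disabled by configuration
    }
    if (!isset($_SESSION['fp'])) {
        return false;           // no fingerprint recorded: treat as failure
    }
    return session_fingerprint_score($_SESSION['fp'], $server) >= $threshold;
}

// Stand-alone run with constructed sample values (no real session needed).
// In a real application $_SESSION is populated by session_start() and
// the caller would session_destroy() or force re-authentication on failure.
$_SESSION = [];
$atLogin = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)', 'REMOTE_ADDR' => '192.0.2.10'];
session_fingerprint_bind($atLogin);

$sameHost  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)', 'REMOTE_ADDR' => '192.0.2.10'];
$proxyPool = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)', 'REMOTE_ADDR' => '192.0.2.77'];
$elsewhere = ['HTTP_USER_AGENT' => 'curl/7.0',          'REMOTE_ADDR' => '198.51.100.5'];

foreach (['sameHost' => $sameHost, 'proxyPool' => $proxyPool, 'elsewhere' => $elsewhere] as $name => $req) {
    printf("%-10s score=%.2f accept(0.6)=%s accept(0)=%s\n",
        $name,
        session_fingerprint_score($_SESSION['fp'], $req),
        session_fingerprint_check($req, 0.6) ? 'yes' : 'no',
        session_fingerprint_check($req, 0.0) ? 'yes' : 'no');
}
```

The threshold is passed in rather than read from an ini setting so the script runs without any configuration; an application would read it from its own config in the spirit of the ini value proposed above. The check is deliberately only a heuristic layered on top of regenerating the session ID at login, not a replacement for it.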