Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:8987
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Message-ID: <016901c41d40$d7fd4a30$4601a8c0@shuttle>
To: <internals@lists.php.net>
Date: Thu, 8 Apr 2004 10:09:38 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Patch to minimize session fixation (continued)
From: jd@inodes-fr.com ("inodes")

It is obvious my proposal is considered as a very bad idea to most of view
;-)

But my goal is not to ask for a definitive patch for PHP, so I probably made
a mistake by posting the initial message in this mailing list...

I just offer this patch for admins who manage applications developped by
others (subcontractors for example).

There are plenty of badly coded PHP apps and nodoby has time to fix them, so
if administrators want to minimize security risks, they can:

1-audit & rewrite the code
2-strengthen the underlying engine (aka PHP)

My patch is just a simple way to reenforce the security without changing any
line of code. Of course, there is a risk of loosing sessions if legitimate
users have their IP address dynamically changed. And of course, IP address
checking does not protect users behind a proxy or a NAT gateway, against
their "colleagues".

But sometimes, the IP checking can be sufficient and won't produce any
side-effect. Let the admins try and decide if it fits their apps.

Furthermore, I added other controls based on the HTTP headers sent by the
browser (this also reduces the risk of session fixation), and the IP address
test can take the IP classes (A,B and C) in account.

Official patches or changes required by users (like me) *must* perfectly
solve a problem,
and this patch is far from perfect, so...

Jerome