Newsgroups: php.internals
Subject: Re: [PHP-DEV] Patch to minimize session fixation (continued)
From: andi@zend.com (Andi Gutmans)
To: "inodes"
Date: Fri, 09 Apr 2004 10:42:16 +0300
Message-ID: <5.1.0.14.2.20040409104115.02285b90@127.0.0.1>
In-Reply-To: <016901c41d40$d7fd4a30$4601a8c0@shuttle>
References: <016901c41d40$d7fd4a30$4601a8c0@shuttle>

As it won't be accepted into the main tree, if it were possible to write your patch as a self-contained PHP extension, then you could develop it in PECL. I haven't taken a look at the code to see if that's possible.

Andi

At 10:09 AM 4/8/2004 +0200, inodes wrote:
>It is obvious my proposal is considered as a very bad idea to most of you
>;-)
>
>But my goal is not to ask for a definitive patch for PHP, so I probably made
>a mistake by posting the initial message in this mailing list...
>
>I just offer this patch for admins who manage applications developed by
>others (subcontractors for example).
>
>There are plenty of badly coded PHP apps and nobody has time to fix them, so
>if administrators want to minimize security risks, they can:
>
>1-audit & rewrite the code
>2-strengthen the underlying engine (aka PHP)
>
>My patch is just a simple way to reinforce the security without changing any
>line of code. Of course, there is a risk of losing sessions if legitimate
>users have their IP address dynamically changed. And of course, IP address
>checking does not protect users behind a proxy or a NAT gateway against
>their "colleagues".
>
>But sometimes, the IP checking can be sufficient and won't produce any
>side-effect. Let the admins try and decide if it fits their apps.
>
>Furthermore, I added other controls based on the HTTP headers sent by the
>browser (this also reduces the risk of session fixation), and the IP address
>test can take the IP classes (A, B and C) into account.
>
>Official patches or changes required by users (like me) *must* perfectly
>solve a problem,
>and this patch is far from perfect, so...
>
>Jerome
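The same control Jerome describes (binding a session to a class A/B/C prefix of the client IP plus a few request headers, and discarding the session on mismatch) can be done in application code rather than in the engine. The following is an added example written for this page, not the patch from the thread; the function names, the `__bind` session key and the choice of headers are the example's own.

```php
<?php
// Added example: application-level session binding, not the engine patch from the thread.
// Binds the session to a prefix of the client IPv4 address (1, 2 or 3 octets, i.e. the
// class A/B/C checks from the post) and to a few request headers. On mismatch the
// session data is dropped and a fresh ID issued, so a planted (fixated) ID is never kept.
declare(strict_types=1);

/** Keep the first $octets octets of an IPv4 address; non-IPv4 input is bound as-is. */
function ip_prefix(string $ip, int $octets): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return $ip;
    }
    return implode('.', array_slice(explode('.', $ip), 0, $octets));
}

/** Fingerprint of the request that should stay stable for one user's session. */
function client_fingerprint(array $server, int $octets): string
{
    $parts = [
        ip_prefix($server['REMOTE_ADDR'] ?? '', $octets),
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ];
    return hash('sha256', implode("\n", $parts));
}

/**
 * Call right after session_start(). Returns true if the existing session was kept,
 * false if it was discarded because the client fingerprint changed.
 */
function enforce_session_binding(array $server, int $octets = 3): bool
{
    $fp = client_fingerprint($server, $octets);
    if (!isset($_SESSION['__bind'])) {
        // First request of this session: rotate the ID so a fixated one is never promoted.
        session_regenerate_id(true);
        $_SESSION['__bind'] = $fp;
        return true;
    }
    if (!hash_equals($_SESSION['__bind'], $fp)) {
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['__bind'] = $fp;
        return false;
    }
    return true;
}

session_start();
if (!enforce_session_binding($_SERVER, 3)) {
    error_log('session binding mismatch, session discarded');
}
```

The limitations Jerome lists apply unchanged: clients whose address changes mid-session lose their session, and users sharing a NAT or proxy address within the chosen prefix are not separated from each other by the IP part of the check.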