Hello again,
some of you may remember the discussions about our session extension
using a permissive mode for session IDs, which means that PHP accepts all
session IDs from the outside and not only those created by itself.
While I have repeatedly stated that strict mode provides only
little additional protection against real world attacks (yes, there are
theoretical advantages of strict mode, but in nearly all cases it does
NOT offer additional protection), I have created a little patch against
ext/session of PHP 5.1 that provides the following new features.
Ini setting:
session.use_strict_mode = 0/1 -> to disable or enable strict mode
checking in the internal files/mm session handlers (currently it defaults to
enabled)
session_set_save_handler - now accepts two more (optional) handlers:
string create_sid()
bool validate_sid($key)
One can provide NULL as the create_sid() handler to use the normal PHP
handler. In validate_sid() one can add one's own check of whether a given SID
is allowed (e.g. character set) or not. When a SID is not allowed, a new one
will be created through the create_sid() handler.
To implement all this, I had to add the validate_sid function to the
internal structure of session_modules. This means that the sqlite
session module also has to be patched to stay compatible.
The patch is for review at: http://www.suspekt.org/session_strict_mode.patch
Please comment on it. I will add this to the next version of my
Hardening-Patch and would like to sync my idea with what we can put into
5.2/6.0.
Stefan Esser
--
Stefan Esser sesser@php.net
Hardened-PHP Project http://www.hardened-php.net/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
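The following is an added example of what the two proposed callbacks could look like from userland; it is not code from the post above and not from the linked patch. It assumes the handler signatures exactly as the post describes them (string create_sid(), bool validate_sid($key)), a file-per-session store in a temporary directory, PHP 7.1+ for the type declarations and random_bytes(), and that "strict" means only IDs this server itself issued (i.e. IDs that already have a record) are accepted. The argument positions used for the two new callbacks in session_set_save_handler() are also an assumption, since the post does not show them.

```php
<?php
// Added example, not code from the post or from the patch it links.
// Implements the two proposed hooks as the post describes them:
//   string create_sid()        -> generate a fresh session id
//   bool   validate_sid($key)  -> accept or reject an id supplied by the client
// Assumptions: the signatures above, a file-per-session store under
// $GLOBALS['sess_dir'], and that "strict" means only ids with an existing
// record (i.e. ids this server handed out) are accepted.

$GLOBALS['sess_dir'] = sys_get_temp_dir() . '/strict_sess_example';

function sess_file(string $id): string
{
    return $GLOBALS['sess_dir'] . '/sess_' . $id;
}

function sess_open(string $path, string $name): bool
{
    if (!is_dir($GLOBALS['sess_dir'])) {
        mkdir($GLOBALS['sess_dir'], 0700, true);
    }
    return true;
}

function sess_close(): bool
{
    return true;
}

function sess_read(string $id): string
{
    // read() is only reached with an id that passed validate_sid(), so a
    // missing file here means the record expired between the two calls.
    return is_file(sess_file($id)) ? (string) file_get_contents(sess_file($id)) : '';
}

function sess_write(string $id, string $data): bool
{
    return file_put_contents(sess_file($id), $data, LOCK_EX) !== false;
}

function sess_destroy(string $id): bool
{
    return !is_file(sess_file($id)) || unlink(sess_file($id));
}

function sess_gc(int $max_lifetime): bool
{
    foreach (glob($GLOBALS['sess_dir'] . '/sess_*') ?: [] as $f) {
        if (filemtime($f) + $max_lifetime < time()) {
            unlink($f);
        }
    }
    return true;
}

// create_sid(): 128 bits from the CSPRNG, hex encoded. This is also the only
// character set validate_sid() will accept.
function sess_create_sid(): string
{
    return bin2hex(random_bytes(16));
}

// validate_sid(): two checks, cheapest first.
// 1. Character set and length: anything else never came from create_sid(),
//    and it keeps "../"-style ids away from the file name built in sess_file().
// 2. Strict check: the id must already have a record, i.e. it was issued by
//    this server. An attacker-chosen id that passes check 1 still fails here,
//    so it cannot be planted on a victim ahead of login (session fixation).
function sess_validate_sid(string $key): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return false;
    }
    return is_file(sess_file($key));
}

// Registration. The post does not show where the two new callbacks sit in
// session_set_save_handler()'s argument list; the order here is an assumption.
function sess_register(): void
{
    session_set_save_handler(
        'sess_open', 'sess_close', 'sess_read', 'sess_write',
        'sess_destroy', 'sess_gc', 'sess_create_sid', 'sess_validate_sid'
    );
}

// Stand-alone check of the validation logic (no session_start() needed).
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === realpath(__FILE__)) {
    sess_open('', '');
    $issued = sess_create_sid();
    sess_write($issued, 'user|s:5:"alice";');          // constructed session data
    $cases = [                                            // constructed client-supplied ids
        $issued                   => true,   // issued by us, on record
        bin2hex(random_bytes(16)) => false,  // right charset, never issued
        '../../../../etc/passwd'  => false,  // bad charset (path traversal attempt)
        'abc<script>'             => false,  // bad charset
        ''                        => false,  // empty
    ];
    foreach ($cases as $sid => $expected) {
        $got = sess_validate_sid((string) $sid);
        printf("%-40s %s\n", var_export((string) $sid, true), $got === $expected ? 'ok' : 'MISMATCH');
    }
    sess_destroy($issued);
}
```

The ordering inside sess_validate_sid() is the practical point: the character-set test is a constant-time string check that also protects the file name the store builds, while the existence test is the one that actually delivers the strict-mode property the post is discussing, because it is the only check an attacker cannot satisfy by picking a well-formed id of their own.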